Could samba have a guest account other than "nobody"? I'd rather Windows weenies couldn't subvert my httpd.
Hm, I'd say apache shouldn't be running as nobody; as 'guest user with no access' for samba, I'd think nobody is actually the correct choice.
I agree. In fact, I said so in bug #12440 :) However, as I see it, "big" packages (i.e. ones bigger than fingerd and the various talkd's) can probably "afford" their own userids. Especially if they're long-lived, rather than inetd processes. (Hence my request in bug #12441 to give identd its own uid now it's a "static" daemon.) The only slight issue I see is that the default config has guest access off, which would make a pcguest (or my favoured option - "smbguest") account more of a liability than a useful enhancement.
apache is currently running as apache, not nobody. Also, no guest accounts are enabled, and the guest user is configurable in the smb.conf file.
That makes this a really cheap default option, then. Could you change the:

;guest user = nobody

to:

;Note: this account does not exist by default. To add it, please run:
;# useradd -r -s /bin/false -d /home/samba -c "SMB guest account" smbguest
;guest user = smbguest

Cheap, easy, makes me happy. Can't be all bad :-)
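An added example, not part of the thread or of the Samba package: a small audit that reads an smb.conf and a process listing and reports which other daemons run under the uid Samba would use for guest connections. Both inputs are constructed samples, the function names are hypothetical, and the code uses the smb.conf parameter names "guest account" and "guest ok" (synonym "public"), with "nobody" assumed as the default guest account.

```python
import re

# Constructed sample smb.conf (not from the thread). The guest line is left
# commented out, so the default guest account "nobody" applies.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
;  guest account = smbguest

[public]
   path = /srv/public
   guest ok = yes
"""

# Constructed "ps -eo user,comm" style listing of long-lived daemons.
SAMPLE_PROCESSES = """\
apache   httpd
nobody   identd
nobody   in.fingerd
root     smbd
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; lines starting ';' or '#' are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Normalise case and spacing of the parameter name before storing it.
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit_guest_account(conf_text, ps_text):
    """Report the effective guest account and the daemons that share its uid."""
    conf = parse_smb_conf(conf_text)
    guest = conf.get("global", {}).get("guest account", "nobody")
    guest_shares = sorted(
        name for name, p in conf.items()
        if name != "global"
        and p.get("guest ok", p.get("public", "no")).lower() in ("yes", "true", "1"))
    owners = (l.split(None, 1) for l in ps_text.splitlines() if l.strip())
    shared_with = sorted(comm.strip() for user, comm in owners if user == guest)
    return {"guest_account": guest, "guest_shares": guest_shares, "shared_with": shared_with}
```

A non-empty shared_with together with a non-empty guest_shares is the situation the first comment worries about: guest connections and an unrelated daemon running under one uid.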