Bug 12439 - Default "nobody" guest account a bad idea
Default "nobody" guest account a bad idea
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: samba (Show other bugs)
7.1
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Trond Eivind Glomsrxd
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-06-18 15:19 EDT by Matthew Kirkwood
Modified: 2008-05-01 11:37 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-06-18 15:55:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Matthew Kirkwood 2000-06-18 15:19:16 EDT
Could samba have a guest account other than "nobody"?  I'd rather Windows
weenies couldn't subvert my httpd.
Comment 1 Bill Nottingham 2000-06-18 15:31:47 EDT
Hm, I'd say apache shouldn't be running as nobody; as 'guest user with
no access' for samba, I'd think nobody is actually the correct choice.
Comment 2 Matthew Kirkwood 2000-06-18 15:55:15 EDT
I agree.  In fact, I said so in bug #12440 :)

However, as I see it, "big" packages (ie. ones bigger than fingerd and the
various talkd's) can probably "afford" their own userids.  Especially if they're
long-lived, rather than inetd processes.  (Hence my request in bug #12441 to
give identd its own uid now it's a "static" daemon.)

The only slight issue I see is that the default config has guest access off,
which would make a pcguest (or my favoured option - "smbguest") account more of
a liability than a useful enhancement.
Comment 3 Trond Eivind Glomsrxd 2001-04-18 17:37:21 EDT
apache is currently running as apache, not nobody. Also, no guest accounts are
enabled, and the guest user is configurable in the smb.conf file.
Comment 4 Matthew Kirkwood 2001-04-19 07:03:34 EDT
That makes this a really cheap default option, then.  Could you change the:

;guest user = nobody

to:

;Note: this account does not exist by default.  To add it, please run:
;# useradd -r -s /bin/false -d /home/samba -c "SMB guest account" smbguest
;guest user = smbguest

Cheap, easy, makes me happy.  Can't be all bad :-)

Note You need to log in before you can comment on or make changes to this bug.