Red Hat Bugzilla – Bug 12439
Default "nobody" guest account a bad idea
Last modified: 2008-05-01 11:37:56 EDT
Could samba have a guest account other than "nobody"? I'd rather Windows
weenies couldn't subvert my httpd.
Hm, I'd say apache shouldn't be running as nobody; as 'guest user with
no access' for samba, I'd think nobody is actually the correct choice.
I agree. In fact, I said so in bug #12440 :)
However, as I see it, "big" packages (i.e. ones bigger than fingerd and the
various talkd's) can probably "afford" their own userids. Especially if they're
long-lived, rather than inetd processes. (Hence my request in bug #12441 to
give identd its own uid now it's a "static" daemon.)
The only slight issue I see is that the default config has guest access off,
which would make a pcguest (or my favoured option - "smbguest") account more of
a liability than a useful enhancement.
apache is currently running as apache, not nobody. Also, no guest accounts are
enabled, and the guest user is configurable in the smb.conf file.
That makes this a really cheap default option, then. Could you change the:
;guest user = nobody
;Note: this account does not exist by default. To add it, please run:
;# useradd -r -s /bin/false -d /home/samba -c "SMB guest account" smbguest
;guest user = smbguest
Cheap, easy, makes me happy. Can't be all bad :-)
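
The concern in this thread, a Samba guest account whose uid is also used by another long-lived daemon, can be checked mechanically. The following is an added example, not part of the bug report or of Samba: it assumes Samba's `guest account` and `guest ok` / `public` parameters, treats `nobody` as the default when none is set, and uses a constructed smb.conf and process list.

```python
import re

TRUE = {"yes", "true", "1"}        # boolean spellings Samba accepts
SAMBA_DAEMONS = {"smbd", "nmbd"}

def parse_smb_conf(text):
    """Return {section: {param: value}}. Samba ignores case and spaces in
    parameter names, so "Guest OK" and "guestok" both become "guestok"."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip()
    return sections

def guest_findings(conf_text, process_owners):
    """process_owners: (user, command) pairs, e.g. from `ps -eo user,comm`."""
    conf = parse_smb_conf(conf_text)
    # Assumption: an unset guest account falls back to "nobody".
    account = conf.get("global", {}).get("guestaccount", "nobody")
    guest_shares = sorted(
        name for name, params in conf.items()
        if name != "global"
        and params.get("guestok", params.get("public", "no")).lower() in TRUE)
    shared_with = sorted({cmd for user, cmd in process_owners
                          if user == account and cmd not in SAMBA_DAEMONS})
    return {"account": account, "guest_shares": guest_shares,
            "shared_with": shared_with,
            "risky": bool(guest_shares and shared_with)}

# Constructed sample input, not taken from the bug report.
SAMPLE_CONF = """\
[global]
   workgroup = EXAMPLE
;  guest account = pcguest
   guest account = nobody
[homes]
   guest ok = no
[pub]
   path = /srv/pub
   public = yes
"""
SAMPLE_PROCS = [("root", "smbd"), ("nobody", "smbd"), ("nobody", "httpd")]

if __name__ == "__main__":
    print(guest_findings(SAMPLE_CONF, SAMPLE_PROCS))
```

With the sample input the guest account `nobody` is flagged because `httpd` runs under the same uid while the `pub` share allows guests; pointing the guest account at a dedicated user such as `smbguest` clears the finding.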