Bug 12439 - Default "nobody" guest account a bad idea
Summary: Default "nobody" guest account a bad idea
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: samba
Version: 7.1
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Trond Eivind Glomsrxd
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2000-06-18 19:19 UTC by Matthew Kirkwood
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2000-06-18 19:55:17 UTC
Embargoed:


Attachments (Terms of Use)

Description Matthew Kirkwood 2000-06-18 19:19:16 UTC
Could samba have a guest account other than "nobody"?  I'd rather Windows
weenies couldn't subvert my httpd.

Comment 1 Bill Nottingham 2000-06-18 19:31:47 UTC
Hm, I'd say apache shouldn't be running as nobody; as 'guest user with
no access' for samba, I'd think nobody is actually the correct choice.

Comment 2 Matthew Kirkwood 2000-06-18 19:55:15 UTC
I agree.  In fact, I said so in bug #12440 :)

However, as I see it, "big" packages (ie. ones bigger than fingerd and the
various talkd's) can probably "afford" their own userids.  Especially if they're
long-lived, rather than inetd processes.  (Hence my request in bug #12441 to
give identd its own uid now it's a "static" daemon.)

The only slight issue I see is that the default config has guest access off,
which would make a pcguest (or my favoured option - "smbguest") account more of
a liability than a useful enhancement.

Comment 3 Trond Eivind Glomsrxd 2001-04-18 21:37:21 UTC
apache is currently running as apache, not nobody. Also, no guest accounts are
enabled, and the guest user is configurable in the smb.conf file.

Comment 4 Matthew Kirkwood 2001-04-19 11:03:34 UTC
That makes this a really cheap default option, then.  Could you change the:

;guest user = nobody

to:

;Note: this account does not exist by default.  To add it, please run:
;# useradd -r -s /bin/false -d /home/samba -c "SMB guest account" smbguest
;guest user = smbguest

Cheap, easy, makes me happy.  Can't be all bad :-)


Note You need to log in before you can comment on or make changes to this bug.