Red Hat Bugzilla – Bug 16931
samba: proposed changes to smb.conf ([homes], map to guest)
Last modified: 2008-05-01 11:37:58 EDT
I have rc1, don't know if maybe these changes are already in rc2.
Proposed changes to the smb.conf that get installed when you install samba.
1) Don't allow access to more things than expected:
Add to the [homes] section the following directive
valid users = %S
so that users won't be able to list homedirs other than their own and
WRITE to public places the samba admin didn't think of...
A user, once logged into the linux server (telnet, ssh, ..), can certainly
But there's no reason to allow a Windows user to do the same through the network.
This is a known side effect of [homes]:
From windows try (without "valid users = %S"):
start, run, \\samba-server\nobody \\samba-server\mail....
and you can traverse all the file system and write in places like /tmp.
Right now, if a samba admin sets up samba to only do [homes], a Windows
user that has access to his home share can even write to /tmp for
instance, and this may not be evident to the admin.
2) Just to get consistent behavior:
Add to the [homes] section the following directives
create mode = 0664
directory mode = 0775
so that files/dirs created through Windows get the same permissions as
files/dirs created by logging into the Linux server itself:
664/775 instead of 744/755
3) Maybe to get less tech support questions:
Add the following directive, explain it and _leave_ it commented
# map to guest = bad user
near the "security = user" line.
Say a samba admin sets up a share that is to be public, that is, everyone
should be able to access it, maybe just read-only. Right now, if a Windows
user logs in to MS Networks using a username that is not known to samba,
he is denied access to that share even if the share is public.
The above directive allows the unknown username to be mapped to the guest
user and allows the Windows user access to the public share.
This issue comes up frequently in newsgroups and lists: "I've granted
access to all and the user is denied access!". It's often linked to
switching from "security = share" to "security = user" (samba 1.9.x -> 2.0).
Basically, for this specific case (access to public shares from unknown
users) we can say that:
"security = share" = "security = user" + "map to guest = bad user".
You need to leave this commented, but well explained, since this may be
considered less secure than the default "map to guest = never", and I
don't know the NT behavior in such a case.
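The three proposals above, as an added example that is not part of the bug report or of the samba package: a small Python audit that parses an smb.conf and flags a [homes] section without `valid users = %S`, a [homes] section without the proposed create/directory modes, and the `security = user` plus `map to guest = never` combination that locks unknown usernames out of public shares. Both smb.conf samples are constructed for this example; the check assumes Samba's documented defaults (`security = user`, `map to guest = never`), that `create mode`/`directory mode` are synonyms of `create mask`/`directory mask`, and that `public` is a synonym of `guest ok`.

```python
"""Audit an smb.conf for the [homes] and 'map to guest' settings discussed above."""
import configparser
from typing import List, Optional

# Constructed sample: the minimal "just [homes] plus a public share" setup
# the report warns about (no 'valid users = %S').
WEAK_SMB_CONF = """\
[global]
   workgroup = MYGROUP
   security = user

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[public]
   path = /srv/public
   public = yes
   read only = yes
"""

# Constructed sample with the report's proposed changes applied; the
# 'map to guest' line is left commented, as the report suggests.
HARDENED_SMB_CONF = """\
[global]
   workgroup = MYGROUP
   security = user
   # Uncomment so that unknown usernames become the guest account and can
   # reach public shares. 'never' (the default) is the stricter choice.
   ; map to guest = bad user

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   valid users = %S
   create mode = 0664
   directory mode = 0775

[public]
   path = /srv/public
   public = yes
   read only = yes
"""


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """Parse smb.conf text. interpolation=None keeps '%S' literal; '#' and ';'
    are both full-line comment prefixes, as in Samba."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=("#", ";"), strict=False)
    cp.read_string(text)
    return cp


def _section(cp: configparser.ConfigParser, name: str) -> Optional[configparser.SectionProxy]:
    """Samba section names are case-insensitive; configparser's are not."""
    for s in cp.sections():
        if s.strip().lower() == name:
            return cp[s]
    return None


def _has_public_share(cp: configparser.ConfigParser) -> bool:
    """True if any ordinary share is marked 'public = yes' or 'guest ok = yes'."""
    for s in cp.sections():
        if s.strip().lower() in ("global", "homes", "printers"):
            continue
        for key in ("public", "guest ok"):
            if cp[s].get(key, "no").strip().lower() in ("yes", "true", "1"):
                return True
    return False


def audit(text: str) -> List[str]:
    """Return one finding string per problem; an empty list means nothing flagged."""
    cp = parse_smb_conf(text)
    findings: List[str] = []
    homes = _section(cp, "homes")
    if homes is not None:
        # Point 1: without 'valid users = %S' any authenticated user can connect
        # to \\server\<othername> and [homes] serves that user's home directory.
        if "%S" not in homes.get("valid users", ""):
            findings.append("homes: missing 'valid users = %S'; users can open other "
                            "accounts' home shares (\\\\server\\nobody, \\\\server\\mail)")
        # Point 2: proposed modes so Windows-created files match shell-created ones.
        for keys, want in ((("create mode", "create mask"), "0664"),
                           (("directory mode", "directory mask"), "0775")):
            if all(homes.get(k) is None for k in keys):
                findings.append(f"homes: '{keys[0]}' unset; proposed value is {want}")
    glob = _section(cp, "global")
    if glob is not None:
        # Point 3: assumed Samba defaults are security=user and map to guest=never.
        security = glob.get("security", "user").strip().lower()
        map_guest = glob.get("map to guest", "never").strip().lower()
        if security == "user" and map_guest == "never" and _has_public_share(cp):
            findings.append("global: 'security = user' with 'map to guest = never' denies "
                            "unknown usernames access to public shares; consider "
                            "'map to guest = bad user'")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"--- {label} ---")
        for f in audit(conf):
            print(" ", f)
```

Run against the weak sample the audit reports all three points; against the hardened sample only the commented-out `map to guest` line is reported, which is the intended trade-off the report asks the admin to make consciously.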
These changes will be part of 2.2.0-5
Which was put in rawhide a long time ago.. it's also present in the current,