Bug 7915 - Samba domain and smbpasswd files stored in /etc
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: samba
Version: 6.1
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Trond Eivind Glomsrød
Keywords: Security
Reported: 1999-12-20 17:15 EST by Gregory Leblanc
Modified: 2008-05-01 11:37 EDT
Doc Type: Bug Fix
Last Closed: 1999-12-20 17:15:24 EST
Description Gregory Leblanc 1999-12-20 17:15:24 EST
I examined a friend's system today, to help him configure it.  He just
"installed" the samba package from scratch; it appears that you have
provided a default smb.conf file for Red Hat 6.1 that puts samba private
configuration files in /etc.  The suggested options, for example, show
"smbpasswd file = /etc/smbpasswd".

This is REALLY bad.

1) You CANNOT put smbpasswd in /etc.

2) You CANNOT put private files DOMAIN.TRUST_ACCOUNT.mac in /etc.

I know that these require root access, however if your users start to
assume that just because these files are in /etc, they are equivalent to
/etc/passwd, they may decide to make these world-readable, and as a result
they will compromise the security of the box, and potentially the security
of remote nt-compatible boxes too (including other samba servers) because
these files contain CLEAR_TEXT EQUIVALENT PASSWORDS.

For example, private .mac files can contain information sufficient to
compromise a remote server by obtaining all remote clear-text equivalent
passwords: the .mac file is used to store the "Backup Domain Controller"
trust account password.

I know that there are people out there who are using samba configured in
the way your installation suggests, because I have received debug log
files from people on the samba lists showing that trust accounts are being
read from /etc/DOMAIN.SERVER_NAME.mac.

Thank you.

luke (samba team, iss x-force research).
Comment 1 Bill Nottingham 2000-07-15 14:30:38 EDT
As of samba-2.0.7-16, all the samba files will be stored in /etc/samba.
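
A defender-side check for the condition this report describes, as an added example that is not part of the bug report or of Samba: it reads the `smbpasswd file` setting from smb.conf text and flags the password file, and any `*.mac` trust-account files beside it, that are accessible to group/other or not owned by the expected uid (root by default). The function names and the rule that `.mac` files sit in the same directory as smbpasswd are assumptions drawn from the paths quoted above.

```python
import glob
import os
import re
import stat
import sys

# Matches the "smbpasswd file = ..." line quoted in the report (also "smb passwd file").
_PARAM = re.compile(r"^\s*smb\s*passwd\s*file\s*=\s*(\S.*?)\s*$", re.I)


def smbpasswd_path(conf_text):
    """Return the last smbpasswd path set in smb.conf text, or None."""
    path = None
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # smb.conf comment lines
            continue
        m = _PARAM.match(line)
        if m:
            path = m.group(1)
    return path


def audit_secrets(conf_text, owner_uid=0):
    """List (path, problem) pairs for smbpasswd and the *.mac files beside it."""
    passwd = smbpasswd_path(conf_text)
    if passwd is None:
        return []
    # Assumption: trust-account .mac files live next to smbpasswd, as in the report.
    siblings = sorted(glob.glob(os.path.join(os.path.dirname(passwd), "*.mac")))
    findings = []
    for path in [passwd] + siblings:
        try:
            st = os.lstat(path)  # lstat: a symlink is reported, not followed
        except FileNotFoundError:
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append((path, "not a regular file"))
            continue
        if st.st_mode & 0o077:  # any group or other permission bit
            findings.append((path, "group/other access: mode %04o" % stat.S_IMODE(st.st_mode)))
        if st.st_uid != owner_uid:
            findings.append((path, "owner uid %d, expected %d" % (st.st_uid, owner_uid)))
    return findings


if __name__ == "__main__":
    with open(sys.argv[1]) as fh:  # path to smb.conf, given on the command line
        for path, problem in audit_secrets(fh.read()):
            print("%s: %s" % (path, problem))
```
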
