Alan.M.Wright wrote: > I wouldn't expect you to deal with PSARC for SMB cases (we'll > take care of that) but that may not be the main hurdle. If the case > presents sufficient guarantees of "secure by default", it should be > okay.
And I certainly wouldn't suggest you enable guest access by default. > The main problem I foresee is handling the exclusion of null sessions > from the Everyone group or the POSIX 'other' class in Solaris. Null > sessions were re-enabled in Windows XP/2003 along with a change > to the Everyone group - to include only Authenticated Users by > default. AnonymousLogon is only granted access to files by changing > the EveryoneIncludesAnonymous registry value or explicitly adding > ACEs to allow AnonymousLogon in ACLs. > > The Solaris CIFS service doesn't do file level access checks; access > checking is performed by the underlying file system. So we'd need > to ensure that AnonymousLogon didn't get 'other' permissions by > default. We need some time to think about how we'd solve this problem. It would be nice if you could control things at that level; I don't know whether Solaris ACLs support that. But I think it wouldn't be too surprising to people that files readable by "other" can be read by anyone who can access the exported filesystem. _______________________________________________ cifs-discuss mailing list [email protected] http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
