On Mon, 2002-03-11 at 20:02, David Walluck wrote:
> Are we sure we want the printer to default to being accessible by the
> guest account? Samba also doesn't appear to use tcpwrappers, and since
> no hosts are blocked by default in the config file, this leaves the
> printer open to everyone on the net by default. That can't be good.
>
> --

Speaking on behalf of good security practices:

1. tcp_wrappers should never be seen as a filtering solution, it should be seen as a complement to existing IP filtering features, which lie in the kernel (netfilter).

2. It is always bad practice to leave services such as NFS, samba, and so forth listening on external interfaces. Binding these types of services to an internal interface not only makes these services more manageable, but it can/does dramatically lower the risk factor in regards to these otherwise not so safe(tm) services.

3. While I'm usually in agreement about guest accounts and so forth, this one I will have to say I am not. For three reasons:

   1a. Not much can be done if a printer is accessible by "everyone", unless we're talking about corporate printers, but even then, only trivial attacks may be performed (e.g., DoS attacks).

   2a. Samba from a Windows user's perspective is non-existent, they just want to print and are used to being able to do so (in most setups I've experienced) without a second auth scheme (login/pass for access to the printer). However, _I_ do feel it is best to have a second auth scheme for such things, but this doesn't change the fact that you'll find a lot of unhappy people complaining about the new SMB server.

   3a. The process of disabling access to the printer via the guest account is beyond mundane. Of course, since mdk at the moment is aimed at end-users, it might not be such a mundane task... This is where our UI config tools come into play : ) of which plenty exist, making it possible, even for the most naive Linux user, to disable such a feature.

I have a whole _LOT_ of ideas that I will be pitching here and there to make things like this smoother (e.g., if samba-server is installed, at post-install, ask the user if he would like to disable the guest account for X or all shares, if the answer equals yes; regexp and comment the lines out... This, I'm pretty sure, would be fairly easy to implement into DrakX).

But, that's two cents : )

--
Bryan Paxton
Public PGP key: http://www.deadhorse.net/bpaxton.gpg

"Now, smell the rain of London, it still insists... That we bed for our purity. As if we are pure in the rain of our contentment! As if I can think of this no more!" -- Jeff Buckley
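
The post-install step sketched in the message above (comment out the guest lines for one share or for all of them), as an added example that is not part of the original thread or of DrakX. The function name disable_guest and the sample smb.conf are constructed for illustration; a commented-out "guest ok" falls back to Samba's default of no.

```python
import re

# smb.conf ignores case and whitespace in parameter names; "public" is a
# synonym of "guest ok" and "only guest" of "guest only".
GUEST_PARAMS = {"guestok", "public", "guestonly", "onlyguest"}
TRUE_VALUES = {"yes", "true", "1"}
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]")
PARAM_RE = re.compile(r"^\s*([^\s#;=\[][^=]*?)\s*=\s*(.*?)\s*$")

# Constructed sample, not taken from any shipped Mandrake config.
SAMPLE = """\
[global]
   workgroup = MDKGROUP
[printers]
   path = /var/spool/samba
   guest ok = yes
   printable = yes
[pdf-gen]
   Public = Yes
[homes]
   guest ok = no
"""


def disable_guest(conf_text, shares=None):
    """Comment out guest-enabling lines in the named sections.

    shares=None means every section. Returns (new_text, changed_sections).
    """
    wanted = None if shares is None else {s.lower() for s in shares}
    section, out, changed = None, [], []
    for line in conf_text.splitlines():
        head = SECTION_RE.match(line)
        param = PARAM_RE.match(line)
        if head:
            section = head.group(1).strip().lower()
        elif param and (wanted is None or section in wanted):
            name = re.sub(r"\s+", "", param.group(1)).lower()
            if name in GUEST_PARAMS and param.group(2).lower() in TRUE_VALUES:
                body = line.lstrip()
                line = line[: len(line) - len(body)] + "; " + body
                if section not in changed:
                    changed.append(section)
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    text, touched = disable_guest(SAMPLE, shares=["printers"])
    print(text, "changed:", touched)
```

Lines that are already commented out, or that set the parameter to no, are left alone, so running it twice changes nothing the second time.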
