Your message dated Mon, 9 Jan 2006 22:53:31 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#347304: samba: Should not add admin users to smbpasswd
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Date: Tue, 10 Jan 2006 00:14:25 +0100
From: Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: samba: Should not add admin users to smbpasswd
Package: samba
Version: 3.0.21a-1
Priority: wishlist
Currently samba's postinst does this if the user says 'yes' to generate
automatically the smbpasswd file:
getent passwd | /usr/sbin/mksmbpasswd > /etc/samba/smbpasswd
pdbedit -i smbpasswd -e tdbsam
rm /etc/samba/smbpasswd
This means that *all* users, including regular users and system users
are added in the smbpasswd file. The default smb.conf file has this:
invalid users = root
Which means that 'root' cannot log on to the system through SMB but since
the PAM configuration for samba is the default:
@include common-auth
@include common-account
@include common-session
All other system users will be allowed in, if they have a valid password
when the smbpasswd is generated. I don't really see what's the need
to have admin users like gdm, sshd, bin, daemon, sys, or identd (some
of those are created by packages and are not default system users) allowed
access through SMB. Granted, they don't have a valid password in most
systems but it might be better off, just in case, to improve the postinst
so that only local users (i.e. uid over FIRST_UID as defined in adduser.conf)
are added to the smbpasswd file.
That could be a debconf question if the user asked to automatically generate
the smbpasswd file. Something like : "Do you want to add the admin users to
smbpasswd?" (low priority defaulting to 'no')
If this looks like a valid change I can go ahead and propose a patch.
Regards
Javier
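The uid filter proposed in the report above, sketched as an added example; it is not part of either message and not the samba package's own postinst. The LAST_UID upper bound goes beyond what the report asks for and is included because an account such as nobody (uid 65534) would pass a FIRST_UID-only check. The function names, the fallback values 1000 and 29999, and the sample data are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the samba package's postinst: limit the passwd entries
# that would be handed to mksmbpasswd to the adduser.conf uid range.

# conf_uid CONF KEY DEFAULT: print the numeric value of KEY from an
# adduser.conf-style file (last assignment wins), or DEFAULT if absent.
conf_uid() {
    val=""
    if [ -r "$1" ]; then
        val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1)
    fi
    printf '%s\n' "${val:-$3}"
}

# filter_local_users FIRST LAST: read passwd(5) lines on stdin and print only
# those with FIRST <= uid <= LAST. Malformed lines are dropped.
filter_local_users() {
    awk -F: -v lo="$1" -v hi="$2" \
        'NF == 7 && $3 ~ /^[0-9]+$/ && $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0'
}

# Constructed sample input standing in for `getent passwd`.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sshd:x:100:65534::/var/run/sshd:/bin/false
gdm:x:101:101:Gnome Display Manager:/var/lib/gdm:/bin/false
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
bob:x:1001:1001:Bob,,,:/home/bob:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
EOF
}

# demo_names: account names that survive the filter, space separated.
demo_names() {
    conf=$(mktemp)
    printf '# constructed adduser.conf\nFIRST_UID=1000\nLAST_UID=29999\n' > "$conf"
    first=$(conf_uid "$conf" FIRST_UID 1000)
    last=$(conf_uid "$conf" LAST_UID 29999)
    rm -f "$conf"
    # In a postinst, the filtered lines would be piped to mksmbpasswd instead.
    sample_passwd | filter_local_users "$first" "$last" | cut -d: -f1 | paste -sd ' ' -
}

demo_names
```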
---------------------------------------
Date: Mon, 9 Jan 2006 22:53:31 -0800
From: Steve Langasek <[EMAIL PROTECTED]>
To: Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>,
[EMAIL PROTECTED]
Subject: Re: Bug#347304: samba: Should not add admin users to smbpasswd
On Tue, Jan 10, 2006 at 12:14:25AM +0100, Javier Fernández-Sanguino Peña wrote:
> Currently samba's postinst does this if the user says 'yes' to generate
> automatically the smbpasswd file:
> getent passwd | /usr/sbin/mksmbpasswd > /etc/samba/smbpasswd
> pdbedit -i smbpasswd -e tdbsam
> rm /etc/samba/smbpasswd
> This means that *all* users, including regular users and system users
> are added in the smbpasswd file. The default smb.conf file has this:
> invalid users = root
> Which means that 'root' cannot log on to the system through SMB but since
> the PAM configuration for samba is the default:
> @include common-auth
> @include common-account
> @include common-session
> All other system users will be allowed in, if they have a valid password
> when the smbpasswd is generated.
No, it means nothing of the sort. If you are using encrypted passwords in
samba (and the smbpasswd database has no effect at all if you aren't), you
*must* populate the password field for each user individually before that
user can access samba. And I'm pretty sure we still have debconf notes
explaining this to users, don't we?
> I don't really see what's the need to have admin users like gdm, sshd,
> bin, daemon, sys, or identd (some of those are created by packages and are
> not default system users) allowed access through SMB.
I don't see a need for this either; however, it's a heck of a lot easier to
do it this way than to guess which users may or may not belong in smbpasswd,
and I don't see a need *not* to do it this way.
In short, anyone who has access to call smbpasswd to set a samba password
for a system user also has access to call smbpasswd -a to add a samba
password entry for this same user...
So I'm going to go ahead and close this bug, I think; if you can make a case
why this actually makes a difference security-wise, please reopen, but
otherwise I don't think we should add more debconf questions here.
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/