These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/Securing Smb.Conf


For a review of the smb.conf configuration file, please see UNIX02/SAMBA Configuration from UNIX02.

There are several things you need to be aware of in the smb.conf file that are critical to system security:

  • The smb.conf file needs to be in a secure place where no user other than root can modify it. smb.conf accepts parameters such as config file and include, so a malicious user who could write to it (or to a file it pulls in) could easily make Samba read external files and add configuration directives of their own.
  • You need to watch the contents of the file. One way is to run a program like TripWire (which we will configure in a future class), but the old-fashioned method is to periodically peruse the file and watch for aberrations. This is one of the reasons that directives such as include can be so devious: they are easily overlooked, and the real brunt of the security concern may be located in a completely different file.

You should also be aware of the following dangerous parameters (which are all explained quite nicely in the smb.conf man page: http://us2.samba.org/samba/docs/man/smb.conf.5.html).

 abort shutdown script
 add printer command
 add share command
 add user script
 add machine script
 delete printer command
 delete share command
 delete user script

These first ones may allow an external Windows user to modify shares, printers, and even users on the underlying UNIX system. The add machine script directive is especially dangerous, as it allows your SMB network to be effectively open to any and all new connections. Imagine that you are protected by a firewall but have an internal wireless network behind that firewall. Someone war-driving could easily discover your network and add their machine to your SMB network if this directive were not kept in check.

 dfree command
 message command
 lppause command
 lpq command
 lpresume command
 lprm command

 passwd chat
 passwd program
 print command
 queuepause command
 queueresume command
 exec, preexec, root preexec, postexec, root postexec
 magic script (very dangerous)
 shutdown script
 wins hook

All of the above parameter names refer to external programs or scripts called by the Samba server on behalf of the user. Most are executed as the root user, and if you as the system administrator are not careful, they could contain something malicious. Imagine the damage a Trojaned passwd program could cause.

Other directives that may cause problems, and that you will not even need in most installations, are:

 follow symlinks
 wide links

These directives control whether Samba looks only at the local file system or will follow symbolic links. Normally you would not restrict them, because doing so exacts a performance hit, but the restriction prevents symlink attacks in which a user links /etc/passwd into their home directory and then copies it off the machine through the share.

If you allow users to have shell access to the machine along with Samba access, you may wish to set these directives to false:

 admin users
 hosts equiv
 smbpasswd
 use rhosts
 username map

These directives can be used to play tricks with user permissions. The admin users directive allows a user or group to assume root privileges in the context of a share. Hosts equiv and use rhosts allow a computer to bypass password checking. smbpasswd and username map, if not watched, could point to a manufactured file where all of the passwords were blank or where the user account associations were disturbed.
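A small audit script, added here as an example (it is not part of Samba or of the original notes), that puts the two checks above into practice: it verifies that the smb.conf file is owned by root and not group- or world-writable, then scans the file for every directive in the lists above plus include and config file, and flags wide links or follow symlinks when switched on. The sample configuration it writes is constructed for the demonstration; "smb passwd file" is the actual parameter name behind the smbpasswd entry above.

```shell
#!/bin/sh
# Audit an smb.conf for the directives in the notes. Constructed example, not
# part of Samba; each function prints one line per finding.
# Directives that make smbd run an external program (mostly as root), pull in
# another config file, or alter who is who on the server.
EXEC_PARAMS='abort shutdown script|add printer command|add share command|add user script|add machine script|delete printer command|delete share command|delete user script|dfree command|message command|lppause command|lpq command|lpresume command|lprm command|passwd chat|passwd program|print command|queuepause command|queueresume command|exec|preexec|root preexec|postexec|root postexec|magic script|shutdown script|wins hook|config file|include|admin users|hosts equiv|use rhosts|smb passwd file|username map'
# Is the file modifiable only by root? Reports OWNER:/PERMS: lines otherwise.
check_conf_file() {
    conf=$1; set -- $(ls -ld "$conf")       # $1 = mode string, $3 = owner
    [ "$3" = root ] || echo "OWNER:   $conf is owned by $3, not root"
    case "$1" in                            # char 6 = group w, char 9 = other w
        ?????w*|????????w*) echo "PERMS:   $conf is writable by group/others ($1)" ;;
    esac
}
# Scan parameter lines (comments skipped, keys lower-cased and whitespace
# normalised) for the directives above; also flag symlink following when on.
scan_conf_params() {
    awk -v params="$EXEC_PARAMS" '
    BEGIN { n = split(params, a, "|"); for (i = 1; i <= n; i++) risky[a[i]] = 1 }
    /^[ \t]*[#;]/ { next }                  # comment line
    index($0, "=") {
        eq  = index($0, "=")
        key = tolower(substr($0, 1, eq - 1)); val = tolower(substr($0, eq + 1))
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key in risky) { print "EXEC:    " key " = " val; next }
        if ((key == "wide links" || key == "follow symlinks") &&
            (val == "yes" || val == "true" || val == "1"))
            print "SYMLINK: " key " = " val
    }' "$1"
}
# Constructed sample smb.conf showing a few of the problems the notes describe.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = CLASS
   ; harmless comment
   add machine script = /usr/sbin/useradd -d /dev/null -s /bin/false %u
   include = /tmp/extra.conf
   wide links = yes
[homes]
   root preexec = /usr/local/bin/mount-home %U
   browseable = no
EOF
}
conf=$(mktemp); write_sample_conf "$conf"; chmod 664 "$conf"
check_conf_file "$conf"; scan_conf_params "$conf"
rm -f "$conf"
```

Run it against the real file with `scan_conf_params /etc/samba/smb.conf` and `check_conf_file /etc/samba/smb.conf`; every EXEC: line is a program Samba will run for a client, so each one should be accounted for.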



Last edited June 7, 2003 3:44 am (diff)
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.