Message-ID: <email address hidden>
Date: Mon, 15 Nov 2004 02:58:47 -0800
From: Steve Langasek <email address hidden>
To: Uwe Zeisberger <email address hidden>,
<email address hidden>
Subject: Re: Bug#281345: can mount a non-shared directory
On Mon, Nov 15, 2004 at 11:16:06AM +0100, Uwe Zeisberger wrote:
> I haven't investigated much (yet), but see the following alarming
> transcript:
> root@cepheus:~# smbclient -L 127.0.0.1 -U zeisberg
> Password:
> Domain=[CEPHEUS] OS=[Unix] Server=[Samba 3.0.7-Debian]
> Sharename Type Comment
> --------- ---- -------
> IPC$ IPC IPC Service (cepheus)
> ADMIN$ IPC IPC Service (cepheus)
> zeisberg Disk Home Directories
> Domain=[CEPHEUS] OS=[Unix] Server=[Samba 3.0.7-Debian]
>
> Server Comment
> --------- -------
>
> Workgroup Master
> --------- -------
> MALIBU CEPHEUS
> root@cepheus:~# mountpoint /mnt
> /mnt is not a mountpoint
> root@cepheus:~# mount -t cifs //127.0.0.1/man /mnt -o user=zeisberg
> Password:
> root@cepheus:~# mountpoint /mnt
> /mnt is a mountpoint
> root@cepheus:~# mount | grep cifs
> //127.0.0.1/man on /mnt type cifs (rw,mand)
> root@cepheus:~# ls /mnt
> X11R6 cat2 cat4 cat6 cat8 fsstnd local
> cat1 cat3 cat5 cat7 cat9 index.db opt
> root@cepheus:~# touch /var/cache/man/isitthisdir
> root@cepheus:~# ls /mnt
> X11R6 cat2 cat4 cat6 cat8 fsstnd isitthisdir opt
> cat1 cat3 cat5 cat7 cat9 index.db local
> root@cepheus:~# rm /mnt/isitthisdir
> rm: cannot remove `/mnt/isitthisdir': Permission denied
> root@cepheus:~# egrep -v '^ *([#;].*)?$' /etc/samba/smb.conf
> [global]
> workgroup = malibu
> server string = %h
> wins support = no
> dns proxy = no
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> security = user
> encrypt passwords = true
> passdb backend = tdbsam guest
> obey pam restrictions = yes
> invalid users = root
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
> create mask = 0700
> directory mask = 0700
> from the logs:
> [2004/11/14 13:55:59, 1] smbd/service.c:make_connection_snum(648)
> 127.0.0.1 (127.0.0.1) connect to service man initially as user zeisberg (uid=1000, gid=100) (pid 3373)
> This attracted my attention while a WinXP-Box showed apart from my
> homedir the directory 'man at cepheus'.
> This is not too dangerous in my case, because it seems/is read-only,
> there is no precious data in this location and there is no internet
> connection. But maybe there are other cases and machines, where there
> could be done (more) harm.
This is not a bug. If you don't want user homedirs to be exported, disable
(or change the permissions on) the [homes] share in your smb.conf. There is
no way for samba to guess which users' homes you do or don't want to export.
It remains a reasonable default for Debian to enable the [homes] share by
default, because it approximates the needs of most users for user home
directory exports and there is zero privilege escalation compared with
normal shell access. If the [homes] share is giving authenticated users
access to files that you don't want them to have access to, this is almost
certainly a file permission problem, not a Samba permission problem.
-- 
Steve Langasek
postmodern programmer
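
Added example, not part of the original thread and not Samba code: a small audit of which other accounts' home directories an authenticated user can open by name through [homes], as the reporter did with the "man" account, and how "valid users = %S" in [homes] limits each share to its owner. The passwd and smb.conf text is constructed sample data, and the function names are hypothetical.

```python
# Added example; the passwd and smb.conf text below is constructed sample data.
PASSWD = """\
man:x:6:12:man:/var/cache/man:/bin/sh
alice:x:1001:100::/home/alice:/bin/bash
zeisberg:x:1000:100::/home/zeisberg:/bin/bash
"""
HOMES_OPEN = """\
[global]
security = user
[homes]
comment = Home Directories
browseable = no
"""
HOMES_OWNER_ONLY = HOMES_OPEN + "valid users = %S\n"


def parse_smb_conf(text):
    """Return {section: {param: value}}; names are compared the way Samba
    does, ignoring case and embedded spaces."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.replace(" ", "").lower()] = value.strip()
    return sections


def reachable_homes(passwd_text, smb_conf_text, connecting_user):
    """Map share name -> path for other accounts' home directories that
    connecting_user can open by name through [homes]. Assumes [homes] sets
    no 'path'; only plain user names and %S are handled in 'valid users'."""
    homes = parse_smb_conf(smb_conf_text).get("homes")
    if homes is None:
        return {}  # without [homes] no share is created from a user name
    allowed = homes.get("validusers", "").replace(",", " ").split()
    found = {}
    for entry in filter(None, passwd_text.splitlines()):
        fields = entry.split(":")
        name, home = fields[0], fields[5]
        # %S expands to the share name, i.e. the account being requested.
        permitted = [u.replace("%S", name) for u in allowed]
        if name != connecting_user and (not allowed or connecting_user in permitted):
            found[name] = home
    return found
```

A share listed here still exposes only what Unix file permissions allow the connecting user to read, which is the point made in the reply above.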