On Sun, Feb 03, 2008 at 11:59:19PM -0000, Ralf Nieuwenhuijsen wrote:
> For years now, there is broken GUI functionality in the desktop. No
> user understands why it is broken.

To those users: Rather than assuming we're idiots (we're not), or that we
don't care (we do), I suggest you ask.

> If you would ask the user 'what do you expect?' .. they would say: 'I
> chose to share folder X, but it does not work'

Right. Most care about functionality. Not technology.

> What did they _expect_? They expected it to work _without_ requiring
> a password.

That might be what *you* expect. I doubt you've asked all of our millions
of users whether they think you should be asked for a password when
connecting to a share. I certainly haven't. Hence, I try to avoid making
such specific assumptions about their wishes. I recommend a similar
approach.

> During all those years people have complained about this. We are told
> it is insecure. None of _us_ understand _why_.
>
> You, being the expert, obviously do understand it. But could you please
> communicate why the behavior a desktop user expects is bad?

It's not like it's a secret or anything. It's been discussed in many
places many times before. The short version:

If you're using security=user and connect to Samba, you'll be asked for a
username and password. If successfully authenticated, the Samba process on
the server will switch to running as your user on the system. This ensures
that the file system restrictions the Unix model imposes are properly
respected. This is a very good thing.

If you're using security=share, the client doesn't (or at least: is not
required to) send a username when it connects, so to switch to a different
user (to avoid running as root), Samba has to guess which user you are.

Unless you've taken explicit measures to avoid it (and based on the type
of users we're talking about, I'm guessing most will not have done so),
the password sent to the server will be checked against each and every
user in turn until one of them is successfully authenticated.

That's really the crux of the problem. This means that a malicious user
doesn't even have to bother guessing user names if he wants to crack your
Samba server. He can just try a short list of common passwords, and Samba
will check each password against each and every user on the system until
it successfully authenticates. Again, considering the type of users we
have to take into consideration here, I'm not going to make very strong
assumptions about the quality of their passwords...

Even if you disregard malicious users, you also have a problem if multiple
people on the system have the same password (after all, they are likely
to have the same family name, street name, etc.). You might all be acting
in good faith, but because of Samba's behaviour in this area, you could
end up accessing someone else's files when you were trying to access your
own.

In summary, the only situation where there is *no* risk involved in this
is if you're on a separate network (not connected to the internet at all),
and there's only a single user on the network to worry about. I have no
statistics to back this up, but I'm quite confident this is not a very
common scenario for our users.

> We can all imagine this behavior would be the wrong default for a
> server. But I didn't install a server. I installed a desktop.

Your machine being used as a desktop is no excuse for making it insecure
by default.

> I didn't share all my files, the GUI already had me pick which
> folder(s) to share. I chose things like my music and my photos.

And wouldn't it be lovely if the MPAA browsed through your music and your
private photos landed on the internet somewhere?
-- 
Soren Hansen
Virtualisation specialist
Ubuntu Server Team
http://www.ubuntu.com/
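The two authentication modes Soren describes, as an added illustration that is not part of the thread and is not Samba's own code. It is a toy model of the behaviour the message describes (security=user checks only the named account; security=share receives no username and tries the password against every account in turn), plus a small check that reads the `security` setting out of an smb.conf. Every account, password, wordlist entry, path and config line in it is constructed sample data.

```python
"""Toy model of the two Samba security modes discussed in the thread.

Added example, not Samba's code. It simulates the behaviour the post
describes (security=user checks the named account only; security=share
gets no username and tries the password against every account) and adds
a minimal smb.conf check. All accounts, passwords, wordlist entries and
config text below are constructed.
"""
from typing import Optional

# Constructed sample accounts (Unix user -> password). Two family members
# picked the same weak password, the collision the post warns about.
ACCOUNTS = {
    "root": "9fQ!vx2#LpR7",
    "alice": "fluffy",
    "bob": "fluffy",
    "carol": "photos2008",
}

# Constructed short list of common passwords, as an attacker would try.
COMMON_PASSWORDS = ["123456", "password", "fluffy", "letmein"]


def auth_user_mode(accounts: dict, username: str, password: str) -> Optional[str]:
    """security=user: the client names an account and only that account is
    checked. Returns the Unix user Samba would switch to, or None."""
    return username if accounts.get(username) == password else None


def auth_share_mode(accounts: dict, password: str) -> Optional[str]:
    """security=share as described in the post: no username arrives, so the
    server tries the password against each account in turn and becomes the
    first one that matches (order = account order, so the 'wrong' user wins)."""
    for username, pw in accounts.items():
        if pw == password:
            return username
    return None


def share_mode_guess(accounts: dict, wordlist: list) -> list:
    """Attacker's view of share mode: one connection per guessed password,
    no usernames needed. Returns (password, account_gained) for each hit."""
    hits = []
    for pw in wordlist:
        user = auth_share_mode(accounts, pw)
        if user is not None:
            hits.append((pw, user))
    return hits


def user_mode_guess(accounts: dict, wordlist: list, usernames: list) -> list:
    """Attacker's view of user mode: every guess must also name an account,
    so the attacker needs the names and spends len(usernames) times as many
    connections for the same wordlist. Returns (username, password) hits."""
    return [(u, pw) for u in usernames for pw in wordlist
            if auth_user_mode(accounts, u, pw) is not None]


# Constructed smb.conf fragments: the weak setting beside the corrected one.
WEAK_SMB_CONF = """\
[global]
   workgroup = HOME
   security = share        ; password tried against every account

[music]
   path = /home/someone/Music
"""

FIXED_SMB_CONF = """\
[global]
   workgroup = HOME
   security = user         ; client must name an account; Samba runs as it

[music]
   path = /home/someone/Music
   valid users = someone
"""


def security_mode(smb_conf: str) -> str:
    """Return the 'security' value from [global] (Samba's default is 'user').
    Minimal parsing: '[section]' headers, 'key = value', ';' or '#' comments."""
    section, mode = None, "user"
    for raw in smb_conf.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "security":
                mode = value.lower()
    return mode


if __name__ == "__main__":
    print("share mode, wordlist hits:", share_mode_guess(ACCOUNTS, COMMON_PASSWORDS))
    print("bob sends his own password in share mode, becomes:",
          auth_share_mode(ACCOUNTS, "fluffy"))
    print("user mode, same wordlist, names known:",
          user_mode_guess(ACCOUNTS, COMMON_PASSWORDS, list(ACCOUNTS)))
    print("weak conf:", security_mode(WEAK_SMB_CONF),
          "/ fixed conf:", security_mode(FIXED_SMB_CONF))
```

Run it and the two failure modes from the message show up directly: the four-word list gets the attacker a shell-equivalent login as `alice` without naming any user, and `bob` connecting in good faith with his own password is mapped to `alice`'s account because hers is checked first. `security_mode()` is the check to run over a real smb.conf before trusting the "it just works" setting; anything other than `user` in `[global]` deserves a second look.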