How's this:

"share" account
"shared" group
"Shared" folder in each homedir

"share" account is not allowed to log into a normal session. Daemon monitors the "Shared" folders, and changes the group of the file to "shared" if something gets dropped in the Shared folder.

User is prompted to give the "Shared" account a password as soon as:

1) Sharing is enabled, if this must be done manually
2) The first file is dropped into the "Shared" folder

If the user opts not to give the "Shared" account a password, a warning is given, and it then allows the user to do this.

..good?

On Mon, 2008-02-04 at 08:10 +0000, Soren Hansen wrote:
> On Sun, Feb 03, 2008 at 11:59:19PM -0000, Ralf Nieuwenhuijsen wrote:
> > For years now, there is broken GUI functionality in the desktop. No
> > user understands why it is broken.
>
> To those users: Rather than assuming we're idiots (we're not), or that
> we don't care (we do), I suggest you ask.
>
> > If you would ask the user 'what do you expect?' .. they would say: 'I
> > chose to share folder X, but it does not work'
>
> Right. Most care about functionality. Not technology.
>
> > What did they _expect_? They expected it to work _without_ requiring
> > a password.
>
> That might be what *you* expect. I doubt you've asked all of our
> millions of users whether they think you should be asked for a password
> when connecting to a share. I certainly haven't. Hence, I try to avoid
> making such specific assumptions about their wishes. I recommend a
> similar approach.
>
> > During all those years people have complained about this. We are told
> > it is insecure. None of _us_ understand _why_.
> >
> > You, being the expert, obviously do understand it. But could you please
> > communicate why the behavior a desktop user expects is bad?
>
> It's not like it's a secret or anything. It's been discussed in many
> places many times before. The short version:
>
> If you're using security=user and connect to Samba, you'll be asked for
> a username and password. If successfully authenticated, the Samba process
> on the server will switch to running as your user on the system. This
> ensures that the file system restrictions the Unix model imposes are
> properly respected. This is a very good thing.
>
> If you're using security=share, the client doesn't (or at least: is not
> required to) send a username when it connects, so to switch to a
> different user (to avoid running as root), Samba has to guess which user
> you are. Unless you've taken explicit measures to avoid it (and based
> on the type of users we're talking about, I'm guessing most will not
> have done so), the password sent to the server will be checked against each
> and every user in turn until one of them is successfully authenticated.
> That's really the crux of the problem. This means that a malicious user
> doesn't even have to bother guessing user names if he wants to crack
> your Samba server. He can just try a short list of common passwords, and
> Samba will check each password against each and every user on the system
> until it successfully authenticates. Again, considering the type of users
> we have to take into consideration here, I'm not going to make very
> strong assumptions about the quality of their passwords...
>
> Even if you disregard malicious users, you also have a problem if
> multiple people on the system have the same password (after all, they
> are likely to have the same family name, street name, etc.). You might
> all be acting in good faith, but because of Samba's behaviour in this
> area, you could end up accessing someone else's files when you were
> trying to access your own.
>
> In summary, the only situation where there is *no* risk involved in
> this is if you're on a separate network (not connected to the internet
> at all), and there's only a single user on the network to worry about.
> I have no statistics to back this up, but I'm quite confident this is
> not a very common scenario for our users.
>
> > We can all imagine this behavior would be the wrong default for a
> > server. But I didn't install a server. I installed a desktop.
>
> Your machine being used as a desktop is no excuse for making it insecure
> by default.
>
> > I didn't share all my files, the GUI already had me pick which
> > folder(s) to share. I chose things like my music and my photos.
>
> And wouldn't it be lovely if the MPAA browsed through your music and
> your private photos landed on the internet somewhere?
>
> --
> Soren Hansen
> Virtualisation specialist
> Ubuntu Server Team
> http://www.ubuntu.com/