List: samba-vms
Subject: RE: Connecting to \\SERVER\system by any user
From: David Taubner <DTaubner () exchange ! hsc ! mb ! ca>
Date: 2000-06-12 13:42:33
Hi, Claude Marinier and all others who responded in a similar manner.

To clarify - as I stated in my message - without "valid users = %S" in the
[Homes] section of "Smb.conf" ANY user's directory can be mounted and
viewed. I did not check if I could create files, but I did open files and
read them with a Windows editor. I believe I had full access. Here's how
it goes (VMS for Alpha v6.2-1h, Samba v2.0.3, NT4 service pack 5):

My Authorize entry - username=Netuser, "flag=disuser", "priv &
defpriv=exquota,grpprv,netmbx,tmpmbx", "UIC=[200,200]", "network access only
(No interactive, batch etc)", "password=thispassword".

I use Explorer to mount my "Netuser" file share "\\VMS\netuser" - I get
asked for the username & password - after giving correct information
(Netuser/thispassword), the file share is mounted.

As system administrator I happen to know of some other usernames in
Authorize, say CMarinier, "UIC=[1,11]", who has privileges, but whose
password I do not know.

I now use Explorer to mount a second network drive "\\VMS\cmarinier" - I am
NOT asked for a username or password, but your login directory as specified
in authorize now appears, and I am able to read ANY of your files or
subdirectories...

I hope this clarifies the situation.

David Taubner
Systems Administrator
Health Sciences Centre

-----Original Message-----
From: claude.marinier@DREO.DND.CA [mailto:claude.marinier@DREO.DND.CA]
Sent: Monday, June 05, 2000 9:17 AM
To: David Taubner
Cc: Multiple recipients of list SAMBA-VMS
Subject: RE: Connecting to \\SERVER\system by any user

Hi,

I just checked SYS$SYSTEM on a VMS 7.1 system. A number of command files
in there have WORLD:RE and welcome text files have WORLD:R. Any user on
the system can see those files. This is what I expected to see; this is
normal.

Did you take steps to block access to SYS$MANAGER? If so, did you use ACLs
to do it? What does the following command show?

    DIR /SEC SYS$MANAGER:CDE$STARTUP.COM

On Mon, 5 Jun 2000, David Taubner wrote:

> I believe you may not be clear on what is actually happening. We are
> talking about a non-privileged user (NETMBX,TMPMBX,EXQUOTA), and a UIC such
> as [360,1]. If logged into VMS this user can see nothing, do nothing. They
> cannot even do a directory of Sys$Manager or anyone else's files. Logging
> in through Samba gives them access to any directory by mapping a drive as
> someone's username. Ex: After mapping their home directory with the above
> account (username & password), they can then map \\share\SYSTEM\ and get
> access to Sys$manager - or ANY OTHER DIRECTORY mapped to the username they
> mention as a network path - just give a valid username - no more questions
> asked... Putting 'valid users = %S' in [homes] is the only way to prevent
> this from happening.

--
Claude Marinier, Information Technology Group claude.marinier@dreo.dnd.ca
Defence Research Establishment Ottawa (DREO) (613) 998-4901 FAX 998-2675
3701 Carling Avenue, Ottawa, Ontario K1A 0Z4 http://www.dreo.dnd.ca
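
An added example, not part of the original messages or of Samba: a small Python check for the misconfiguration discussed in this thread, a [homes] section without "valid users = %S". The function names and sample configurations are constructed for illustration; it assumes standard smb.conf syntax, where section and parameter names are case-insensitive and a share parameter set in [global] is the default for [homes].

```python
import re

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}}.

    Section and parameter names are case-insensitive and spaces inside a
    parameter name are ignored, so both are normalised here."""
    sections, current = {}, None
    # Join lines that end in a backslash continuation.
    text = re.sub(r"\\\r?\n", "", text)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def audit_homes(text):
    """Return a list of findings for the [homes] share; empty means OK."""
    conf = parse_smb_conf(text)
    if "homes" not in conf:
        return []
    # A share-level parameter set in [global] acts as the default for [homes].
    value = conf["homes"].get("validusers", conf.get("global", {}).get("validusers"))
    if value is None:
        return ["[homes] has no 'valid users': any authenticated user can "
                "connect to another user's home share"]
    users = [u for u in re.split(r"[,\s]+", value) if u]
    if users != ["%S"]:
        return [f"[homes] 'valid users = {value}' is not restricted to %S"]
    return []

# Constructed sample configurations (not taken from the thread).
WEAK = """
[global]
   security = user
[Homes]
   comment = Home directories
   read only = no
"""
FIXED = WEAK + "   Valid Users = %S\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit_homes(conf) or "OK")
```

The check is deliberately strict: any "valid users" value other than exactly %S is reported so that it gets reviewed by hand.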