Default SAMBA configuration allows guest access unexpectedly

Bug #180251 reported by tweedledee
Affects: gnome-system-tools (Ubuntu)
Status: Expired
Importance: Low
Assigned to: Unassigned

Bug Description

Binary package hint: samba

Using Gutsy (7.10), the default SAMBA configuration (in /etc/samba/smb.conf) allows guest (non-authenticated) logins to a share. This effectively means that, by default, all shares configured using the limited GUI tool are world-readable. As this behavior is neither indicated nor expected, and the resulting ports are now open to all users, this is a security problem (in the sense of privacy and unintentional exposure of data, not having the system taken over). Use of smbpasswd, etc., controls access using the terminal (e.g., smbclient), but the Nautilus "Places -> Network" feature does not authenticate (see bug #119774, https://bugs.launchpad.net/ubuntu/+source/gnome-vfs2/+bug/119774). The user accounts and passwords still dictate who has write access to the shares via Nautilus, but not read. Moreover, it is not apparent which combination of "security" and "guest" settings in smb.conf is necessary to lock out the guest account. I'm not certain if this was an issue in prior releases.

Steps to replicate:
1. Configure computer A to have a SAMBA shared folder, using System -> Administration -> Shared Folders
2. On computer B, using Places -> Network, browse to or enter the address of Computer A's share
3. Note that, without authenticating (possibly without even setting up a SAMBA user account using smbpasswd), all files in the share are readable, but not writable.

Steve Langasek (vorlon) wrote:

> Using Gutsy (7.10), the default SAMBA configuration (in /etc/samba/smb.conf) allows guest (non-authenticated) logins to a share.

Actually, no, it doesn't. By default, all samba shares are available only to authenticated users; changing this default requires explicitly setting 'guest ok = yes' (or 'public = yes') in smb.conf.

This is a bug in shares-admin, which explicitly marks all shares as guest-accessible. Reassigning to gnome-system-tools.

Changed in samba:
status: New → Confirmed
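An added audit check, not part of this bug report or of shares-admin, that applies what the two comments above establish: Samba's default is authenticated-only, and a share becomes guest-readable only through an explicit 'guest ok = yes' or its synonym 'public = yes', which the tool wrote into every share. It parses smb.conf text and lists the shares carrying that setting; the two config fragments are constructed for the example, and the share name, path and workgroup in them are assumptions.

```python
# Constructed smb.conf fragments (not from any real system). The first has the
# share-level switch the thread says shares-admin wrote; the second is the same
# share with that line removed, so Samba's authenticated-only default applies.
GUEST_CONF = """
[global]
   workgroup = WORKGROUP
   security = user

[shared]
   path = /home/alice/shared
   guest ok = yes
   writable = no
"""
FIXED_CONF = GUEST_CONF.replace("   guest ok = yes\n", "")

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}. Keys are lower-cased with
    internal whitespace collapsed, since Samba compares parameter names loosely."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def share_allows_guest(share, global_settings):
    """'guest ok' and 'public' are the same parameter to Samba; a share-level value
    overrides one in [global]. With neither set, the share needs authentication."""
    for scope in (share, global_settings):
        for key in ("guest ok", "public"):
            if key in scope:
                return scope[key].strip().lower() in ("yes", "true", "1")
    return False

def guest_accessible_shares(text):
    """Names of shares in the given smb.conf text that admit unauthenticated readers."""
    conf = parse_smb_conf(text)
    global_settings = conf.get("global", {})
    return sorted(name for name, share in conf.items()
                  if name != "global" and share_allows_guest(share, global_settings))

if __name__ == "__main__":
    print("shares-admin style config:", guest_accessible_shares(GUEST_CONF))  # ['shared']
    print("corrected config:        ", guest_accessible_shares(FIXED_CONF))   # []
```

Feeding it the output of `testparm -s` checks the effective values rather than the file as written. A listed share only exposes data if an unauthenticated client is actually mapped to the guest account, which the [global] `map to guest` setting governs, so treat a hit as a share to review.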
tweedledee (terrywatt-deactivatedaccount) wrote:

I'd just like to point out that the severity of this bug is made worse in Hardy by the removal of all centralized options for configuring shares (at least on the menus - obviously you can still run shares-admin manually if you know it exists). As shares-admin is actually quite useful for configuring shares, that seems like a step backward to make this (still true) problem even worse, since your average user won't have the slightest idea this is occurring, or if so what tool to use to change the option.

Steve Langasek (vorlon) wrote:

Well, if someone has created a share with shares-admin and it was set guest ok = yes by that tool in pre-hardy versions, then they're affected by this bug; we don't have a fix for this problem in shares-admin yet, so I think hiding shares-admin is an altogether appropriate mitigation strategy so that even more users don't stumble into this misconfiguration.

Kees Cook (kees)
Changed in gnome-system-tools (Ubuntu):
importance: Undecided → Low
Pedro Villavicencio (pedro) wrote:

Thanks for the report tweedledee, it has been a long time without any comment or a duplicate in this bug report and it is possible that the bug has been fixed. May you please try to reproduce it with the latest Stable Release of Ubuntu, the Natty Narwhal, and add the respective comments to the report? You can learn how to get that release at http://www.ubuntu.com/download . Thanks again and we appreciate your help.

Changed in gnome-system-tools (Ubuntu):
status: Confirmed → Incomplete
Pedro Villavicencio (pedro) wrote:

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to "New". Thanks again!

Changed in gnome-system-tools (Ubuntu):
status: Incomplete → Expired
This report contains Public Security information  
Everyone can see this security related information.