Updating Unix installation notes.

(This used to be commit 4ffbdcbddff3094a8635527218f0f4a7974d8e4d)

2 files changed, 55 insertions, 2 deletions

diff --git a/docs/textdocs/UNIX_INSTALL.txt b/docs/textdocs/UNIX_INSTALL.txt
index 43d71b099e..424cc490ce 100644
--- a/docs/textdocs/UNIX_INSTALL.txt
+++ b/docs/textdocs/UNIX_INSTALL.txt
@@ -1,10 +1,10 @@
 !==
-!== UNIX_INSTALL.txt for Samba release 1.9.18 08 Jan 1998
+!== UNIX_INSTALL.txt for Samba release 1.9.18p8 13 Jun 1998
 !==
 Contributor:	Andrew Tridgell <samba-bugs@samba.anu.edu.au>
 Date:		Unknown
 Status:		Current
-Updated:	August 25, 1997
+Updated:	July 5, 1998	<jht@samba.anu.edu.au>
 
 Subject:	HOW TO INSTALL AND TEST SAMBA
 ===============================================================================
@@ -79,6 +79,9 @@ in the Makefile for the logs etc, such as /usr/local/samba.
 Make sure you put the smb.conf file in the same place you specified in
 the Makefile.
 
+For more information about security settings for the [homes] share please
+refer to the document UNIX_SECURITY.txt
+
 STEP 4. Test your config file with testparm
 
 It's important that you test the validity of your smb.conf file using
diff --git a/docs/textdocs/UNIX_SECURITY.txt b/docs/textdocs/UNIX_SECURITY.txt
new file mode 100644
index 0000000000..86afeac8fa
--- /dev/null
+++ b/docs/textdocs/UNIX_SECURITY.txt
@@ -0,0 +1,50 @@
+Contributor:	John H Terpstra <jht@samba.anu.edu.au>
+Date:		July 5, 1998
+Status:		Current
+
+Subject:	SETTING UNIX FILE SYSTEM SECURITY
+===============================================================================
+The following excerpt from a bug report demonstrates the need to
+understand Unix file system security and to manage it correctly.
+
+Quote:
+======
+> We are unable to keep individual users from mapping to any other user's
+> home directory once they have supplied a valid password! They only need
+> to enter their own password. I have not found *any* method that I can
+> use to configure samba to enforce that only a user may map their own
+> home directory.
+> 
+> User xyzzy can map his home directory. Once mapped user xyzzy can also map
+> *anyone* elses home directory!
+
+ANSWER:
+=======
+This is not a security flaw, it is by design. Samba allows
+users to have *exactly* the same access to the UNIX filesystem
+as they would if they were logged onto the UNIX box, except
+that it only allows such views onto the file system as are
+allowed by the defined shares.
+
+This means that if your UNIX home directories are set up
+such that one user can happily cd into another users
+directory and do an ls, the UNIX security solution is to 
+change the UNIX file permissions on the users home directories
+such that the cd and ls would be denied.
+
+Samba tries very had not to second guess the UNIX administrators
+security policies, and trusts the UNIX admin to set
+the policies and permissions he or she desires.
+
+Samba does allow the setup you require when you have set the
+"only user = yes" option on the share, is that you have not set the
+valid users list for the share.
+
+Note that only user works in conjunction with the users= list,
+so to get the behavior you require, add the line :
+
+user = %S
+
+to the definition of the [homes] share, as recommended in
+the smb.conf man page.
+