-rw-r--r-- docs/textdocs/UNIX_INSTALL.txt | 7
-rw-r--r-- docs/textdocs/UNIX_SECURITY.txt | 50
2 files changed, 55 insertions, 2 deletions
diff --git a/docs/textdocs/UNIX_INSTALL.txt b/docs/textdocs/UNIX_INSTALL.txt
index 43d71b099e..424cc490ce 100644
--- a/docs/textdocs/UNIX_INSTALL.txt
+++ b/docs/textdocs/UNIX_INSTALL.txt
@@ -1,10 +1,10 @@
!==
-!== UNIX_INSTALL.txt for Samba release 1.9.18 08 Jan 1998
+!== UNIX_INSTALL.txt for Samba release 1.9.18p8 13 Jun 1998
!==
Contributor: Andrew Tridgell <samba-bugs@samba.anu.edu.au>
Date: Unknown
Status: Current
-Updated: August 25, 1997
+Updated: July 5, 1998 <jht@samba.anu.edu.au>
Subject: HOW TO INSTALL AND TEST SAMBA
===============================================================================
@@ -79,6 +79,9 @@ in the Makefile for the logs etc, such as /usr/local/samba.
Make sure you put the smb.conf file in the same place you specified in
the Makefile.
+For more information about security settings for the [homes] share please
+refer to the document UNIX_SECURITY.txt
+
STEP 4. Test your config file with testparm
It's important that you test the validity of your smb.conf file using
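Review bot: the added pointer ("For more information about security settings for the [homes] share please refer to the document UNIX_SECURITY.txt") does not tell the reader why it matters at this step, and the sentence has no closing period. Consider adding one clause that names the issue the new file covers, namely that a user who has authenticated can map other users' home directories unless the UNIX permissions or the [homes] share definition prevent it, and say where the file lives (docs/textdocs/, alongside this one) so it can be found from an installed copy.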
diff --git a/docs/textdocs/UNIX_SECURITY.txt b/docs/textdocs/UNIX_SECURITY.txt
new file mode 100644
index 0000000000..86afeac8fa
--- /dev/null
+++ b/docs/textdocs/UNIX_SECURITY.txt
@@ -0,0 +1,50 @@
+Contributor: John H Terpstra <jht@samba.anu.edu.au>
+Date: July 5, 1998
+Status: Current
+
+Subject: SETTING UNIX FILE SYSTEM SECURITY
+===============================================================================
+The following excerpt from a bug report demonstrates the need to
+understand Unix file system security and to manage it correctly.
+
+Quote:
+======
+> We are unable to keep individual users from mapping to any other user's
+> home directory once they have supplied a valid password! They only need
+> to enter their own password. I have not found *any* method that I can
+> use to configure samba to enforce that only a user may map their own
+> home directory.
+>
+> User xyzzy can map his home directory. Once mapped user xyzzy can also map
+> *anyone* elses home directory!
+
+ANSWER:
+=======
+This is not a security flaw, it is by design. Samba allows
+users to have *exactly* the same access to the UNIX filesystem
+as they would if they were logged onto the UNIX box, except
+that it only allows such views onto the file system as are
+allowed by the defined shares.
+
+This means that if your UNIX home directories are set up
+such that one user can happily cd into another users
+directory and do an ls, the UNIX security solution is to
+change the UNIX file permissions on the users home directories
+such that the cd and ls would be denied.
+
+Samba tries very had not to second guess the UNIX administrators
+security policies, and trusts the UNIX admin to set
+the policies and permissions he or she desires.
+
+Samba does allow the setup you require when you have set the
+"only user = yes" option on the share, is that you have not set the
+valid users list for the share.
+
+Note that only user works in conjunction with the users= list,
+so to get the behavior you require, add the line :
+
+user = %S
+
+to the definition of the [homes] share, as recommended in
+the smb.conf man page.
+
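Review bot: the paragraph beginning "Samba does allow the setup you require" does not parse ("..., is that you have not set the valid users list for the share"), so the reader cannot tell which condition is actually required, and the list is named three different ways across these lines ("valid users", "users=", "user = %S") with no statement that they mean the same thing. Suggest rewording it to say plainly that "only user = yes" takes effect only together with a user list, and showing both lines as they should appear in the [homes] definition rather than "user = %S" alone. The earlier advice to change the permissions on the home directories would be easier to act on with an example of the mode intended. Smaller points: "very had" should read "very hard", and "another users directory", "the users home directories" and "administrators security policies" are missing apostrophes.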