
A warning about SMB sharing and file security Network
I have a Mac which is file sharing over the Internet, and it has various users set up on it. When a Mac user connects via AFP, they use their username and password to log in, and then they can access only their own user folder.

If I connect via SMB from my Mac, I can only see the user's home folder ... but if a Linux user connects via SMB, they can see everything on the whole machine.

So it seems that Panther's SMB server incorrectly shares the whole machine, and its SMB client doesn't work the way other clients do and fails to alert you to this problem.

[robg adds: I can't test this one here; if anyone can confirm, this sounds like at least a bit of a security hole...]


10 comments
A warning about SMB sharing and file security
Authored by: fenner on Jan 19, '04 12:05:38PM
You can check what shares others will see from your own Mac, using

        smbclient -L yoursystemname

For example, I have the default setup with an additional share ("Mirrors") configured with SharePoints, and the smbclient -L command returns:

        Sharename      Type      Comment
        ---------      ----      -------
        Mirrors        Disk      
        IPC$           IPC       IPC Service (Mac OS X)
        ADMIN$         IPC       IPC Service (Mac OS X)
        _135.197.17.2  Printer   Brother
        Bluetooth-Mod  Printer   Bluetooth-Modem
        Bluetooth-PDA  Printer   Bluetooth-PDA-Sync
        HylaFAX_on_fe  Printer   HylaFAX on fenestro.attlabs.att.com
        Internal_Mode  Printer   Internal Modem
        lp_on_fenestr  Printer   lp on fenestro.attlabs.att.com
        mp-105_on_big  Printer   mp-4500-105
        photosmart_73  Printer   photosmart 7350
        printer_on_13  Printer   mp-8100-162
        fenner         Disk      User Home Directories
As you can see, it is advertising my Mirrors share, a couple of IPC services, all of my printers and my home directory. (It is showing my home directory because I entered my SMB password to smbclient.) Can your friend share the SMB share name that he connected to, to see your whole computer? I tried the common default, "root", and that didn't work:

        forbin% smbclient //forbin/root
        Password: 
        smb: \> ls
        NT_STATUS_NETWORK_ACCESS_DENIED listing \*

                        0 blocks of size 0. 0 blocks available

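As an added example (not code from the comment above), here is a small Python parser for the share table that `smbclient -L` prints, with a check that flags any Disk share not on an allow-list; that is the quick way to notice a home directory or whole-volume share being advertised that you did not intend. The sample listing is a shortened copy of the output pasted above, embedded so the script runs offline.

```python
# Shortened copy of the `smbclient -L` listing from the comment above,
# embedded as sample input so this runs without a server.
SAMPLE_LISTING = """\
        Sharename      Type      Comment
        ---------      ----      -------
        Mirrors        Disk      
        IPC$           IPC       IPC Service (Mac OS X)
        ADMIN$         IPC       IPC Service (Mac OS X)
        _135.197.17.2  Printer   Brother
        Bluetooth-Mod  Printer   Bluetooth-Modem
        photosmart_73  Printer   photosmart 7350
        fenner         Disk      User Home Directories
"""

# Share types smbclient reports in the Type column.
SHARE_TYPES = {"Disk", "IPC", "Printer"}


def parse_share_listing(text):
    """Return a list of (name, type, comment) tuples from smbclient -L output.

    Header, separator and blank lines are skipped by requiring the second
    column to be a known share type. The comment column may be empty.
    """
    shares = []
    for line in text.splitlines():
        parts = line.split(None, 2)  # name, type, rest-of-line comment
        if len(parts) < 2 or parts[1] not in SHARE_TYPES:
            continue
        name, share_type = parts[0], parts[1]
        comment = parts[2].strip() if len(parts) == 3 else ""
        shares.append((name, share_type, comment))
    return shares


def unexpected_disk_shares(text, allowed):
    """Names of Disk shares that are advertised but not in the allow-list.

    IPC$/ADMIN$ and printers are ignored; only file-system shares matter
    for the "can they see my files" question in this thread.
    """
    return [name for name, share_type, _ in parse_share_listing(text)
            if share_type == "Disk" and name not in allowed]


if __name__ == "__main__":
    # Only the Mirrors share was meant to be exported; anything else is news.
    for name in unexpected_disk_shares(SAMPLE_LISTING, {"Mirrors"}):
        print("unexpected disk share advertised:", name)
```

Run it against a real listing with `smbclient -L yoursystemname | python3 check_shares.py` style redirection by reading `sys.stdin` instead of `SAMPLE_LISTING`; the home-directory share only appears when you authenticate, so run it once anonymously and once with a real user to compare the two views.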
A warning about SMB sharing and file security
Authored by: jesboat on Jan 19, '04 02:08:46PM

This seems really odd, because OS X uses Samba for filesharing, and most Linux distros also use Samba for file-sharing.

--
With no walls or fences on the 'net, who needs Windows or Gates?

A warning about SMB sharing and file security
Authored by: hopthrisC on Jan 19, '04 03:39:18PM

Since I cannot reproduce that on a freshly installed box (which I didn't expect anyways!), I strongly believe that you yourself did something to the Samba config that brought about that behaviour you describe.

What commands did you actually use to "connects via SMB"?

Plus: even if you can /see/ the homes of every user on the system, that doesn't mean you can do anything with their data... The files are still protected by the basic UN*X permissions! (Unless you have connected with superuser privileges, in which case you really have other problems than seeing anybody's home directory.)

A warning about SMB sharing and file security
Authored by: gorefest on Jan 19, '04 03:42:04PM

Actually, you limit access to the machine and the homes via /etc/smb.conf.
To limit the home folder access, you need to set "valid users = %S" in the [homes] section, but be aware that this Samba option is broken in 3.0 and was fixed in 3.0.1, which unfortunately Apple hasn't integrated yet, so you need to install it via Fink or by yourself...

A warning about SMB sharing and file security
Authored by: Techaholic on Jan 19, '04 04:44:18PM

I found and reported this problem to Apple back in November along with the samba issue where Windows XP can see the entire Mac OS X hard drive with full read/write permission. To my knowledge, Apple has not fixed these issues yet.

SMB sharing and file security - workaround?
Authored by: chris_on_hints on Jan 19, '04 05:08:42PM

I've not seen this with my machine (10.2.6-10.3.2) - I have homes and other selected SMB shares set up (using 'SharePoints') and connect all the time from an XP Pro machine. I have never even seen access to the hard drive, let alone being able to put/get files from 'unauthorised' places.

I did notice a large number of entries in my samba log from computers trying to gain access through my broadband, usually once every three minutes, so I have blocked access using my firewall (Brickwall) to external machines, allowing only local LAN access. I could have done this in samba:
(see "man smb.conf" using 'hosts allow = my.friend.ip' or 'interfaces = en1')
... but thought the firewall would be safer. Maybe a workaround like this is the order of the day??

Also, as a previous comment mentioned, surely samba runs within the UNIX access restrictions so a remote 'guest' would have the same access rights (ie = 'public' folders etc) as a local one.....?

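The two smb.conf settings raised in these comments, "valid users = %S" in [homes] (gorefest's comment) and 'hosts allow' / 'interfaces' in [global] (chris_on_hints' comment), can be checked mechanically before you rely on them. The audit below is an added example, not code from the thread or from Apple's or Samba's tooling; the two smb.conf fragments are constructed for it, and 'bind interfaces only = yes', paired here with 'interfaces', is a standard Samba option that the thread does not mention.

```python
import configparser

# Constructed smb.conf fragments (not from the page). The first leaves every
# home share reachable by any authenticated user and listens on all
# interfaces; the second applies the settings recommended in the comments.
WEAK_CONF = """\
[global]
    workgroup = WORKGROUP
    security = user

[homes]
    comment = User Home Directories
    browseable = no
    read only = no
"""

HARDENED_CONF = """\
[global]
    workgroup = WORKGROUP
    security = user
    ; answer only on the LAN interface and only to the listed network
    interfaces = en1
    bind interfaces only = yes
    hosts allow = 192.168.1.

[homes]
    comment = User Home Directories
    browseable = no
    read only = no
    valid users = %S
"""


def load_smb_conf(text):
    """Parse smb.conf text. interpolation=None keeps %S/%U literal, which
    configparser would otherwise try to expand as its own %(...)s syntax."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def audit_smb_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    cp = load_smb_conf(text)
    findings = []
    glob = cp["global"] if cp.has_section("global") else {}

    # Exposure: which addresses may even attempt to authenticate.
    if not glob.get("hosts allow"):
        findings.append("global: no 'hosts allow'; any address that reaches "
                        "the port may attempt to log in")
    if (glob.get("bind interfaces only", "no").strip().lower() != "yes"
            or not glob.get("interfaces")):
        findings.append("global: not bound to a specific interface "
                        "('interfaces' plus 'bind interfaces only = yes')")

    # Authorisation: %S expands to the share name, which for [homes] is the
    # user name, so only the owner of a home share may connect to it.
    if cp.has_section("homes"):
        if cp["homes"].get("valid users", "").strip() != "%S":
            findings.append("homes: 'valid users = %S' missing; every "
                            "authenticated user can reach every home share")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_smb_conf(conf) or ["ok"])
```

To audit a live box, read /etc/smb.conf into `audit_smb_conf` instead of the embedded strings; `testparm` (shipped with Samba) is still worth running afterwards, since it reports syntax problems and option typos that this checker does not look for.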
SMB sharing and file security - workaround?
Authored by: dave9999zzzz on May 03, '04 12:50:33AM

Chris,

-----------------
Ive not seen this with my machine (10.2.6-10.3.2) - I have homes and other selected SMB shares set up (using 'SharePoints') and connect all the time from an XP Pro machine. I have never even seen access to the harddrive, let alone being able to put/get files from 'unauthorised' places.
-----------------

How did you get this to work? I have SharePoints set up on my home Mac (connected to a cable modem via a router with the correct ports opened). My Mac friends can connect via AFP to these shares from their homes, using the file-sharing-only user name and password I set up in SharePoints. One folder has read-only permissions. One folder has write-only permissions (i.e. a drop box).

But my Mac and PC friends cannot get this to work over SMB. They can mount the drop box, but if they try to drag anything into it, they don't get the expected "you won't see the results of this operation" message (followed by being able to do it) that they do when using AFP.

Instead, when using SMB they get a message saying something like "you do not have sufficient access privileges."

Share mode is "user". I want it that way so they first enter their user and password, followed by a choice of volumes to mount.

Any idea why it might not be working, or whether you did anything magical to get it to work?

Did you perhaps upgrade Samba 3.0 (the version that comes with Panther) to a newer version?

Thank you in advance for any help you can provide.


Dave

SMB sharing and file security - workaround?
Authored by: chris_on_hints on May 03, '04 11:14:15AM

Dave -
I kept having all kinds of problems with authentication. It seems that Windows insists on sending the username and password of the Windows account (at least in XP Pro). A password box will appear when trying to access an SMB share from the XP machine. It doesn't matter if you enter the correct username/password combination - you still get privilege problems. It seems that Windows just doesn't send the username/password that you type in (or at least it sends it, but in the wrong format). My solution was to use the SAME username and password on both machines. The password box never appears and you have no problems with authentication.

This is only an option for people like me with amazingly simple networks - I have a Mac and a PC connected by a single cable!!

Maybe you should set up a couple of 'dummy' users on the Mac to mirror the account settings on the PCs and use their home directories as shares. If you set their UIDs to less than 500 they won't show up in the login window list, and they can be set up with minimum privileges etc....

I have NOT been able to reproduce on default install + apple updates as of yet.
Authored by: Akitarou on Jan 19, '04 05:34:18PM
I am also not able to reproduce this by means of connecting to my 10.3.2 systems with sharing via SMB running---not from Linux, not from Windows; the default shares seem to be just dandy in the sense of being secure. Exactly what commands were used to supposedly get access to your full hard drive? And are you sure your system has not been tampered with?

A warning about SMB sharing and file security
Authored by: mbanks on Jan 21, '04 05:44:02PM

Just to add my tally mark here:

I noticed this a while ago (a month maybe?) while setting up SMB so my wife could save things from her WinME laptop to our G4 (if you've ever used WinME - you know why). When I finally figured out how to get it working, I was able to not only see and edit all her stuff, I could see and edit all MY stuff, which I couldn't do from an AFP or ftp connection (or while logged on to the console or if I was ssh'd into the machine).

I've gotta believe that something is jacked in their SMB implementation. Now, admittedly, we're both admins of the machine, but the other protocols respect the permissions.

FWIW, this is an upgraded machine.

10.2 clean install --> usual 10.2.x updates from SW updates --> upgrade to 10.3 beta --> upgrade to 10.3 GM

I have no idea if that affects anything.
