The Samba-Bugzilla – Bug 7549
No error given when accessing share belongs to other user after successful authentication
Last modified: 2010-07-05 03:42:35 UTC
No error is given when accessing a share belonging to another user after authentication.
Even though the content shown belongs to yourself (the authenticated user), this gives the impression to the end-user (the non-IT user, of course) that they can actually access other people's files.
Server OS: CentOS 5.4
Client OS: Win7 and WinXP
Samba: 3.5.3 and 3.5.4 (tried on 3.5.3 and upgraded to 3.5.4, problem persists)
workgroup = myWorkgroup
security = user
passdb backend = tdbsam
passwd program = /usr/bin/passwd %u
unix password sync = Yes
passwd chat debug = yes
passwd chat timeout = 10
log level = 10
max log size = 50
debug timestamp = yes
browseable = no
writable = yes
valid users = %U
force user = %U
path = %H
Steps to reproduce:
1. On the server, create 2 different users (e.g. user1 and user2) and create a password for Samba using smbpasswd
2. On the client, type in "\\ipaddress" from Windows Start->Run, then type in the user id and password for user1.
3. The explorer will show you a folder user1 (Note: only user1).
4. On the client, type in "\\ipaddress\user2" from Windows Start->Run
The explorer will show \\ipaddress\user2 in the address bar, but the content shown comes from \\ipaddress\user1.
When we enter \\ipaddress\user2, the explorer shall give an error, as the user2 folder shall not be accessible by user1.
5. After this, when I try to access by typing \\ipaddress from Start->Run, I can see 2 folders, user1 and user2.
6. From now on, you always see 2 folders (user1 and user2).
I have sniffed the traffic and checked the NetShareEnumAll response, and unfortunately the server did return user1 and user2, so this is not a problem on WinXP or Win7.
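The following is an added example, not part of this bug report and not Samba's own code. It parses the smb.conf fragment quoted above and resolves the share parameters for the session described in the reproduction steps (user1 requesting \\ipaddress\user2), applying the %U (session username), %u (service username), %S (service name) and %H (home of %u) substitutions documented in smb.conf(5). It assumes that the per-share lines (browseable .. path) belong to a [homes] section, which the report does not show; that the user-to-home map is a constructed stand-in for /etc/passwd; and that, after force user, %u and %H refer to the forced user. Under those assumptions the reported configuration resolves to user1's own home for the share name user2, which is the content the reporter saw; the second configuration, using the %S substitution in valid users, is included for comparison and resolves to a denied connection.

```python
"""Resolve smb.conf share parameters for a given session (added example)."""
import re
from typing import Dict, Optional

# Constructed from the fragment in the report; the [homes] header is an assumption.
REPORTED_CONF = """
[global]
workgroup = myWorkgroup
security = user
passdb backend = tdbsam

[homes]
browseable = no
writable = yes
valid users = %U
force user = %U
path = %H
"""

# Comparison configuration: valid users resolved from the service name (%S).
ALTERNATIVE_CONF = """
[homes]
browseable = no
writable = yes
valid users = %S
path = %H
"""

# Constructed stand-in for the unix account database (user -> home directory).
HOMES = {"user1": "/home/user1", "user2": "/home/user2"}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [section] headers and 'key = value' lines.

    Samba parameter names ignore case and whitespace, so keys are stored
    lowercased with spaces removed ('valid users' -> 'validusers')."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower().replace(" ", "")] = value.strip()
    return sections


def resolve_share(conf: Dict[str, Dict[str, str]], session_user: str,
                  share_name: str) -> Optional[Dict[str, object]]:
    """Return the effective parameters when session_user connects to share_name,
    or None when no share of that name can be served.

    A share name that is not defined explicitly but matches a unix user is
    served from [homes]; the service user is then the named user unless
    'force user' overrides it (assumption: %u/%H then follow the forced user)."""
    if share_name in conf and share_name not in ("global", "homes"):
        params = conf[share_name]
        service_user = session_user
    elif "homes" in conf and share_name in HOMES:
        params = conf["homes"]
        service_user = share_name
    else:
        return None
    if "forceuser" in params:
        service_user = params["forceuser"].replace("%U", session_user)
    subs = {"%U": session_user, "%u": service_user, "%S": share_name,
            "%H": HOMES.get(service_user, "")}

    def expand(value: str) -> str:
        for token, replacement in subs.items():
            value = value.replace(token, replacement)
        return value

    resolved: Dict[str, object] = {k: expand(v) for k, v in params.items()}
    valid = [u.strip() for u in str(resolved.get("validusers", "")).split(",") if u.strip()]
    resolved["access_granted"] = (not valid) or (session_user in valid)
    return resolved


if __name__ == "__main__":
    for label, text in (("reported", REPORTED_CONF), ("alternative", ALTERNATIVE_CONF)):
        result = resolve_share(parse_smb_conf(text), "user1", "user2")
        print(f"{label}: user1 -> \\\\ipaddress\\user2 resolves to {result}")
```

Running the block prints both resolutions for the session from step 4 of the report; the `access_granted` field and the resolved `path` are what distinguish the two configurations.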