Bug 977 - [homes] and static share
Summary: [homes] and static share
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.0
Hardware: All Linux
Importance: P2 minor
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact:
URL: http://forums.whirlpool.net.au/forum-...
Keywords:
Depends on:
Blocks: 807
Reported: 2004-01-16 04:18 UTC by Keith Kube
Modified: 2005-11-14 09:25 UTC

See Also:


Attachments
don't create the home directory if a static share already exists (991 bytes, patch)
2004-01-27 07:20 UTC, Gerald (Jerry) Carter (dead mail address)

Description Keith Kube 2004-01-16 04:18:24 UTC
Can access [homes] share - even when "invalid users" set.  - security 
vulnerability.

Reproduced in version: 3.0.2pre1 

Tried to find other installations doing similar things, and couldn't.

Let's say there are 2 linux users - masters and keith.

There are 2 shares 
[homes] sharing /homes/<username> - which accesses the logged on user's linux 
home directory

[masters] sharing /disk1/masters - which is readable by all users, updateable 
by masters. This directory has linux permissions for _user_ masters to update.

With Redhat 8, and samba version 2.something
_user_ keith had read access to a samba share masters (/disk1/masters). 
_user_ keith also had full access to the homes share (/home/keith shared as 
keith) - setup via the netlogon script - net use u: /home /yes
_user_ masters had full access to samba masters (/disk1/masters)
_user_ masters had no access to a homes directory. This was blocked by the 
named masters share.

This was good, as the user masters was an "admin" type user, and only used to 
update software in the masters directory.

With mostly patched Fedora, and samba 3.0.0-15
_user_ keith still has access to both shares (masters and "keith" as above)
_user_ masters only has access to homes "masters" (/home/masters)

I now have to use a different mechanism to update the files stored 
in /disk1/masters.  (I'd rather not but ...)

I have just replicated the same problem with the most recent version of samba 
(3.0.2pre1).

Things I have tried.

0. RTFM 
0.5 - RTF mailing lists
0.75 - RTF bug reports
1. swapping order of [homes] share and [masters] share - no effect
2. Posting a copy of this request for help to the samba general mailing list - 
no response.
3. placing the _user_ masters in the invalid list for the shares directory. 
User masters _still_ has access to the homes share (/disk1/homes/masters)

According to the online swat documentation "This is really a *paranoid* check 
to absolutely ensure an improper setting does not breach your security." So I 
should *not* have had access to /home/masters with this configuration.

With this documentation, and the test I have just run, I will soon be logging a 
security vulnerability bug with samba.

with the config file from above with the new homes section now looking like 
[homes]
comment = Home Directories
invalid users = masters
read only = No
browseable = No

and a slightly updated masters section looking like
[masters]
comment = Master Files
path = /disk1/masters
write list = masters, keith
guest ok = Yes

Really strange thing though.
_Before_ I made masters an invalid user on [homes], in windows explorer the 
description of _masters_ when logged in as masters was "Home Directories" - 
fair enough.
Now that masters is an _invalid_ user for the [homes] share, the descriptive 
text is "Master Files", but clicking on the directory takes you 
to /homes/masters. - bizarre.




Previous posting to whirlpool discussion groups and to samba general discussion 
group
User share is preventing access to static share.
How do I fix?

User (masters) with home directory (/home/masters) the same name as a permanent 
share (masters - /disk1/masters) is picking up the 'home' share /home/masters 
directory instead of the 'masters' share.

All other users mapping to share masters pick up the correct 
folder /disk1/masters. Only user masters is getting the incorrect (to my way of 
thinking) folder.

Previously I was running redhat 8.0 with samba 2.something, and this was 
working fine.

User Masters was the only user allowed to update a masters directory.

All other users had read only permission to the masters directory and all was 
good.
This is per the documentation for samba 2.0 included in the swat application.

I have recently rebuilt the linux server, which is now on fedora 1 samba 
version: 3.0.0-15. 
I copied the directories section of smb.conf from the old installation to the 
new installation. 
Directory structure for samba shared files are very similar.

Windows Client is running win98se, logging onto the samba domain.

Just for the record
# Samba config file created using SWAT
# from 192.168.0.48 (192.168.0.48)
# Date: 2004/01/13 22:11:41

# Global parameters
[global]
workgroup = MONASH
server string = Samba Server
guest account = guest
unix password sync = Yes
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
logon script = logon.bat
domain logons = Yes
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap ssl = no
homedir map = /home/%U
hosts allow = 192.168.0., 127.

[homes]
comment = Home Directories
read only = No
guest ok = Yes
browseable = No

...

[masters]
path = /disk1/masters
guest ok = Yes

....

[netlogon]
comment = Logon Directory
path = /etc/samba/netlogon
guest ok = Yes

logon.bat
echo Setting Current Time...
net time \\junior /set /yes
echo Mapping Network Drives to Samba Server Junior ...
net use u: /home /yes
net use x: \\junior\masters /yes
net use p: \\junior\public /yes
net use z: \\junior\masters /yes
pause
Comment 1 Keith Kube 2004-01-16 04:20:56 UTC
Copy and paste error - 
"With this documentation, and the test I have just run, I will soon be logging a 
security vulnerability bug with samba."
No I won't.  This line should have been removed before pasting into this bug 
request.
Comment 2 Gerald (Jerry) Carter (dead mail address) 2004-01-27 07:20:27 UTC
Created attachment 368
don't create the home directory if a static share already exists
Comment 3 Gerald (Jerry) Carter (dead mail address) 2004-01-27 07:20:46 UTC
Fixed checked into CVS
Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:16:18 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.
Comment 5 Gerald (Jerry) Carter (dead mail address) 2005-11-14 09:25:13 UTC
database cleanup
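
An added audit check, not part of the original report or of Samba's code: it scans an smb.conf for static share names that equal an account name while [homes] is defined, which is the collision this bug describes. The sample config and user list are constructed from the values quoted in the report, and the function names are hypothetical.

```python
import re

# Sections that are not ordinary static file shares.
SPECIAL = {"global", "homes", "printers"}

# Constructed sample, reduced from the smb.conf quoted in the report.
SAMPLE_CONF = """
# Global parameters
[global]
workgroup = MONASH
[homes]
comment = Home Directories
invalid users = masters
read only = No
[masters]
comment = Master Files
path = /disk1/masters
write list = masters, keith
[netlogon]
path = /etc/samba/netlogon
"""

def parse_smb_conf(text):
    """Return {section name (lowercased): {parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Normalise case and runs of whitespace in the parameter name.
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def homes_collisions(conf_text, usernames):
    """List (user, static share path) pairs whose names clash under [homes]."""
    sections = parse_smb_conf(conf_text)
    if "homes" not in sections:              # no per-user shares, no clash
        return []
    static = {n: p for n, p in sections.items() if n not in SPECIAL}
    return [(u, static[u.lower()].get("path", ""))
            for u in usernames if u.lower() in static]

if __name__ == "__main__":
    # Assumption: on a real server the names would come from the account database.
    print(homes_collisions(SAMPLE_CONF, ["masters", "keith"]))
```

Any pair it reports is an account whose connection to that share name should be tested by hand to confirm which directory is served.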