
Re: this is strange



On Tue, Jul 31, 2001 at 03:55:43PM -0400, Deanna Maki wrote:
> I now have access to not only lauren's directory, but kathie's too.

Dee, it's FINE!  You _ALWAYS_ had access to them.  Good freaking luck
actually _doing_ anything in there, though.  Seriously... try to load up a
document or something... boom... permission denied.

Chris and I checked this out and all discussion copied the list.  Mystery
solved.

> This is getting weird.
> Is it just me?  What I am doing to cause this?

Likely.  Connecting to the share.  

Just go into Network Neighborhood, right click on it, and go 'disconnect' or
'unmap', or whatever it says if it bugs you.  

ssh in to obiwan and type 'chmod 700 .' if you want to prevent other people
from seeing the filenames in your home directory if you really care about
that.

Here's some basic info:

$ ls -al /home/odin
total 29688
drwxr-xr-x  16 odin  odin       1024 Jul 31 16:03 ./
drwxr-xr-x  19 root  wheel       512 Jul 29 12:30 ../
-rw-r--r--   1 odin  odin         76 Jul 31 11:30 .battlestar_galactica_date
drwx--S---   2 odin  odin        512 Jul 10 12:33 .gnupg/
-rw-------   1 odin  odin        251 Jul 27 15:47 .lynx_cookies
-rw-------   1 odin  odin      14304 Mar  9 14:22 .lynxrc
-rw-r--r--   1 odin  odin         67 May  1 16:03 .mailcap
-rw-r--r--   1 odin  odin        105 Jun  9 18:10 .mailrc
-rw-------   1 odin  odin       2835 Jun 25 21:18 .micqrc
-rw-r--r--   1 odin  odin       1224 Jul 26 09:43 .mutt_aliases
-rw-r--r--   1 odin  odin      11642 Jul 26 21:58 .muttrc
-rw-r--r--   1 odin  odin       1940 Jun 16 13:46 .procmailrc
-rw-r--r--   1 odin  odin        254 Apr 25 14:51 .signature
drwxr-sr-x   2 odin  odin        512 Jun 20 22:57 .ssh/
-rw-------   1 odin  odin       3024 Jun 16 13:46 .viminfo
-rw-r--r--   1 odin  odin         49 Jul 26 18:41 .vimrc
-rw-r--r--   1 odin  odin         62 Mar 16 15:21 .wgetrc
-rw-r--r--   1 odin  odin         53 Mar 20 01:59 .zprofile
-rw-r--r--   1 odin  odin         61 Mar 20 01:59 .zshenv
-rw-r--r--   1 odin  odin       1998 Jul 10 12:45 .zshrc
drwxrwsr-x   5 odin  odin        512 Jul 26 18:42 Documents/
-rwx------   1 odin  odin        600 Jul 28 18:37 PUTTY.RND*
drwxrwsr-x   2 odin  odin        512 Jun 13 12:17 Projects/
drwx------  16 odin  odin        512 Jul  6 15:12 _gimp1.2/
drwxrwsr-x   3 odin  odin        512 Jun 22 22:53 backup/
drwxrwsr-x   2 odin  odin        512 Jul 24 23:57 bin/
drwxr-xr-x   2 odin  odin        512 Jul 26 01:20 f/
-rw-r--r--   1 odin  odin          0 Jul 31 16:03 foo
drwx------   2 odin  odin        512 Jul 31 15:57 mail/
drwx------   3 odin  odin        512 Dec 27  1999 netscape/
drwx--S---   2 odin  odin        512 Jul 24 01:37 pics/
-rw-------   1 odin  odin       4029 Jul 31 14:59 procmail.log
-rwx------   1 odin  odin     225280 Mar 13 20:38 putty.exe*
-rw-r--r--   1 odin  odin   14883736 Jul 30 17:22 q299444i.exe
drwxrwsr-x   2 odin  odin        512 Jul 30 14:28 seti/
drwxr-xr-x   3 odin  odin        512 Jun 23 20:17 sophos/
drwxr-xr-x   4 odin  odin        512 Jul 30 12:59 worms/

Files can have owners and groups, and each of owner, group, and everyone can
have certain permissions on files... so in the listing above, ignore the
first character, it tells you what type of file you're looking at.

Now, the next three characters are the owner... they go in order 'rwx'
That's read, write, execute.  So for everything in my home, I can read and
write at least.  Only programs and directories I can execute.

What does it mean to execute a directory?  To change into it, that's all.
Reading a directory is looking at its contents.  Writing is adding a file to
it.

Next is the group, notice how they're all group 'odin'.  That means I don't
have to worry about group permissions here.  I'm the only one in group
odin... but the next three characters would have been group permissions...
read, write, and execute again.

Next is everyone else.  read, write, and execute.  Sensitive data does not
have the read or execute flag high for the "everyone" class of people.  Just
for me, and my group, or just me.

If you were to open \\obiwan\odin, you'd see those files... if you opened
something sensitive like, oh, mail, it wouldn't let you.

Now, for files created on a windows machine, the _default_ is to _not_ let
the "Everyone" class of people view them... this is because Windows doesn't
have a concept of UNIX permissions, and so we can't set them properly... we
just have to assume that stuff is sensitive and the user can change the
permissions if it's not.

But your home directory was created when I made your account... on the UNIX
machine... and it's typical UNIX practice (I can't name any site that
_doesn't_ do this) to let other users view each others home directories.
Users are responsible for removing read perms from any file they want to be
kept secret.  (or typing 'umask 077' first).

So, yes... your home dir, and my home dir, and lauren's home dir, and
kathie's home dir, and jdew's home dir, etc. all have read and execute
permissions for all.

Viewing it in nethood is _nothing_.  Any user could just log in to obiwan at
a shell prompt and see the same things.  Therefore, I repeat, viewing the
contents of someone's home in nethood is _not_ a security issue.  Samba is
operating within the bounds of the UNIX permission structure.  If you found
a way to make it break that, you'd have found something.  As it is, maybe
you've found a minor annoyance, but really, the further discussion of this
topic is far more annoying than an extra share or two in your NetHood.

-Dan

-- 
"There are two limits that this standard places on the number of
characters in a line. Each line of characters MUST be no more than
998 characters, and SHOULD be no more than 78 characters, excluding
the CRLF."       -- rfc2822 - Internet Message Format
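The permission model Dan walks through above (the three `rwx` triplets in an `ls -l` mode string, `chmod 700 .` on a home directory, and `umask 077` for new files) as an added shell example. This is not part of the original thread; it assumes only a POSIX shell with `ls`, `cut` and `mktemp`, and the mode strings and throw-away directory it uses are constructed here for illustration.

```shell
#!/bin/sh
# Added example, not from the original mail: decode the mode string that
# 'ls -l' prints, then show what 'chmod 700 .' and 'umask 077' change.

# mode_class MODE CLASS -> prints the three permission characters for CLASS
# (owner, group or other) out of a 10-character mode string such as
# "drwxr-xr-x": character 1 is the file type, 2-4 owner, 5-7 group, 8-10 other.
mode_class() {
    case "$2" in
        owner) printf '%s\n' "$1" | cut -c2-4 ;;
        group) printf '%s\n' "$1" | cut -c5-7 ;;
        other) printf '%s\n' "$1" | cut -c8-10 ;;
        *)     return 1 ;;
    esac
}

# others_can_list MODE -> exit 0 if "everyone else" can both read (list the
# filenames) and search (cd into) a directory with this mode string.
# The third character may be 'x' or, with the sticky bit set, 't'.
others_can_list() {
    o=$(mode_class "$1" other) || return 1
    case "$o" in
        r?[xt]) return 0 ;;
        *)      return 1 ;;
    esac
}

# mode_of PATH -> the 10-character mode string from 'ls -ld' (first field;
# cutting at 10 drops the '+', '@' or '.' some systems append for ACLs).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# demo -> builds a throw-away "home directory" (constructed input), records
# its mode before and after 'chmod 700 .', and the mode of a file created
# under 'umask 077'. Exit status 0 when the three modes are the ones the
# mail describes: drwxr-xr-x, drwx------ and -rw-------.
demo() {
    d=$(mktemp -d) || return 1
    chmod 755 "$d"                              # typical default home dir
    before=$(mode_of "$d")
    ( cd "$d" && chmod 700 . )                  # what the mail recommends
    after=$(mode_of "$d")
    ( cd "$d" && umask 077 && : > secret.txt )  # new file: owner only
    f=$(mode_of "$d/secret.txt")
    printf 'before chmod: %s\nafter chmod : %s\nnew file    : %s\n' \
        "$before" "$after" "$f"
    rm -rf "$d"
    [ "$before" = "drwxr-xr-x" ] &&
    [ "$after"  = "drwx------" ] &&
    [ "$f"      = "-rw-------" ]
}
```

Run `demo` to see the three mode strings side by side. Note that `chmod 700 .` only stops others listing and entering the directory; a world-readable file inside it stays world-readable if its path is already known, which is why `umask 077` (or fixing individual files) is the complementary step.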

