Security concerns (Samba)

giner
Posts: 29
Joined: 24 Sep 2014, 07:45

Post by giner »

Hello,

Please tell me if I get it wrong.

The opsi_depot_rw, opsi_images, opsi_config and opsi_workbench shares are writable for the pcpatch user. So if a PC user (this can be a virus or trojan) catches the pcpatch password while opsi-client-agent communicates with the Samba server, then the whole infrastructure is in danger? It seems pcpatch should only be able to write some logs but nothing more. Am I missing something?

Best regards,
Stanislav
giner
Posts: 29
Joined: 24 Sep 2014, 07:45

Re: Security concerns (Samba)

Post by giner »

Hello,

I have found the answer following http://download.uib.de/opsi4.0/doc/html ... ty-pcpatch.
Why is this not default?

Best regards,
Stanislav German-Evtushenko
n.wenselowski
Ex-uib-Team
Posts: 3194
Joined: 04 Apr 2013, 12:15

Re: Security concerns (Samba)

Post by n.wenselowski »

Hello Stanislav,

Only the Samba share can be accessed - accessing other parts of opsi is not possible.
Writing logs is done through the webservice.

I can't tell you why it isn't the default. It has been like that for longer than I have been working with opsi. But I like the idea of it, so I created an internal ticket so that it might be changed.
This has to be done with care because I know that quite a lot of opsi administrators access their shares not with dedicated users but with pcpatch.


With kind regards

Niko

Code:

import OPSI
giner
Posts: 29
Joined: 24 Sep 2014, 07:45

Re: Security concerns (Samba)

Post by giner »

Hi Niko,

If we choose one of the suggested solutions, I would adopt that one:
...
Deny for the user pcpatch the access to all other shares than the opsi_depot share. You should do this by adding the following entry to all share definitions (besides the opsi_depot) at the /etc/samba/smb.conf:

Code:

invalid users = root pcpatch
...
Best regards,
Stanislav