forum.opsi.org

Hello,

Please tell me if I get it wrong.

opsi_depot_rw, opsi_images, opsi_config and opsi_workbench shares are writable for pcpatch user. So if a PC user (this can be virus or trojan) catches pcpatch password while opsi-client-agent communicates with Samba server then the whole infrastructure is in danger? It seems pcpatch should only be able to write some logs but nothing more. Am I missing something?

Best regards,
Stanislav

Hello,

I have found the answer following http://download.uib.de/opsi4.0/doc/html ... ty-pcpatch.
Why is this not default?

Best regards,
Stanislav German-Evtushenko

Hello Stanislav,

only the Samba share can be accessed - accessing other parts of opsi is not possible.
Writing logs is done through the webservice.

I can't tell you why it isn't the default. Has been like that for longer than I am working with opsi. But I like to idea of it so I created an internal ticket that it might be changed.
This has to be done with care because I know that quite a lot of opsi administrators access their shares not with dedicated users but with pcpatch.


With kind regards

Niko

Hi Niko,

If we chose one of suggested solutions I would adopt that one:

...
Deny for the user pcpatch the access to all other shares than the opsi_depot share. You should do this by adding the following entry to all share definitions (besides the opsi_depot) at the /etc/samba/smb.conf:

Code: Alles auswählen

invalid users = root pcpatch

...

Best regards,
Stanislav