[oe-commits] [meta-openembedded] 01/06: samba: disable guest access and anonymous queries

git at git.openembedded.org git at git.openembedded.org
Wed Dec 25 16:57:37 UTC 2019 

This is an automated email from the git hooks/post-receive script.

khem pushed a commit to branch master-next
in repository meta-openembedded.

commit f29dfed64a56c9d952d18139d74adc1574ff79f4
Author: Trevor Gamblin <trevor.gamblin at windriver.com>
AuthorDate: Mon Dec 23 19:55:43 2019 -0500

    samba: disable guest access and anonymous queries
    
    Guest accounts for Samba are a known potential vulnerability
    (see https://www.tenable.com/plugins/nessus/26919) where info
    about the host can be obtained without proper access. The option
    "map to guest = bad user" allows login attempts with usernames
    that don't exist to map to the guest account, while the
    "restrict anonymous" value (implicitly set to 0 before this patch)
    would allow any queries to obtain user and group list information.
    
    Raise the default security level by setting "restrict anonymous"
    to "1" and "map to guest" to "never" to avoid providing user/group
    info to unauthenticated users and reject login attempts with an
    invalid password, respectively.
    
    Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
---
 meta-networking/recipes-connectivity/samba/samba/smb.conf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/meta-networking/recipes-connectivity/samba/samba/smb.conf b/meta-networking/recipes-connectivity/samba/samba/smb.conf
index a0b87c3..d6bde41 100644
--- a/meta-networking/recipes-connectivity/samba/samba/smb.conf
+++ b/meta-networking/recipes-connectivity/samba/samba/smb.conf
@@ -25,6 +25,10 @@
 
 ## Browsing/Identification ###
 
+# Prevent anonymous connections. Overriden if the user sets guest ok = yes 
+# on any share
+   restrict anonymous = 1
+
 # Change this to the workgroup/NT-domain name your Samba server will part of
    workgroup = WORKGROUP
 
@@ -114,7 +118,7 @@
 
 # This option controls how unsuccessful authentication attempts are mapped
 # to anonymous connections
-   map to guest = bad user
+   map to guest = never
 
 ########## Domains ###########
 

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.

More information about the Openembedded-commits mailing list