[oe] [meta-networking][PATCH] samba: disable guest access and anonymous queries

Trevor Gamblin trevor.gamblin at windriver.com
Tue Dec 24 00:55:43 UTC 2019


Guest accounts for Samba are a known potential vulnerability
(see https://www.tenable.com/plugins/nessus/26919) where info
about the host can be obtained without proper access. The option
"map to guest = bad user" allows login attempts with usernames
that don't exist to map to the guest account, while the
"restrict anonymous" value (implicitly set to 0 before this patch)
would allow any queries to obtain user and group list information.

Raise the default security level by setting "restrict anonymous"
to "1" and "map to guest" to "never" to avoid providing user/group
info to unauthenticated users and reject login attempts with an
invalid password, respectively.

Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
---
 meta-networking/recipes-connectivity/samba/samba/smb.conf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/meta-networking/recipes-connectivity/samba/samba/smb.conf b/meta-networking/recipes-connectivity/samba/samba/smb.conf
index a0b87c373..d6bde417f 100644
--- a/meta-networking/recipes-connectivity/samba/samba/smb.conf
+++ b/meta-networking/recipes-connectivity/samba/samba/smb.conf
@@ -25,6 +25,10 @@
 
 ## Browsing/Identification ###
 
+# Prevent anonymous connections. Overriden if the user sets guest ok = yes 
+# on any share
+   restrict anonymous = 1
+
 # Change this to the workgroup/NT-domain name your Samba server will part of
    workgroup = WORKGROUP
 
@@ -114,7 +118,7 @@
 
 # This option controls how unsuccessful authentication attempts are mapped
 # to anonymous connections
-   map to guest = bad user
+   map to guest = never
 
 ########## Domains ###########
 
-- 
2.24.1



More information about the Openembedded-devel mailing list