Re: at-boot smbmount security.
- To: linux-il(at-nospam)linux.org.il
- Subject: Re: at-boot smbmount security.
- From: "Nadav Har'El" <nyh(at-nospam)math.technion.ac.il>
- Date: Sun, 12 Aug 2001 17:49:40 +0300
- Delivered-To: linux.org.il-linux-il@linux.org.il
- Hebrew-Date: 23 Av 5761
- In-Reply-To: <m3g0axuz3y.fsf@localhost.localdomain>; from ogoldshmidt@computer.org on Sun, Aug 12, 2001 at 05:33:37PM +0300
- References: <m3g0axuz3y.fsf@localhost.localdomain>
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
- User-Agent: Mutt/1.2i
On Sun, Aug 12, 2001, Oleg Goldshmidt wrote about "at-boot smbmount security.":
> I have a number of W2K and Linux machines, and I would like to
> smbmount W2K shares on the Linux boxes, at boot time.
>..
> to /etc/fstab, but I am concerned that there will be a cleartext
> password in the file.
Well, one obvious solution is to have /etc/fstab readable only for root.
But whether this is good for you depends on why you're concerned about the
password: if because you're afraid other users will see it, this solution is
good for you. If it is because you're afraid a cracker breaking in to your
machine will be able to "advance" to the W2K machine, this solution is no
good.
> Can anyone with more samba experience than me (not a big achievement,
> mind you :) suggest the proper (read: a secure) way to do this. So far
> I came up with an idea to create a restricted user on each W2K
> specifically to mount shares from linux, so that the real W2K accounts
> will not be compromised. I am not sure it's the right solution though
> (comments?).
If you trust the security of the W2K machine more than you trust the Linux
machine (or, equivalently, the security of the W2K is more important to you
than the security of the Linux machine), then creating a fake user in W2K
with only limited permissions (as much as that is possible at all in Windows)
is the best solution, as far as I can see.
If, on the other hand, you trust/care-about the security of the Linux machine
more, then the unreadable /etc/fstab solution is good and simpler.
--
Nadav Har'El | Sunday, Aug 12 2001, 23 Av 5761
nyh@math.technion.ac.il |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |"Mommy! The garbage man is here!" "Well,
http://nadav.harel.org.il |tell him we don't want any!"- Groucho Marx
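
The trade-off discussed in the message above, as an added example that is not part of the original thread: a small audit that finds SMB entries carrying `password=` in an fstab-style file and reports whether the file is readable beyond its owner. The function names, exit codes and the sample entry (server, share, user, password) are assumptions made for illustration; `cifs` is matched alongside `smbfs` as a generalization.

```shell
#!/bin/sh
# Added example: audit an fstab-style file for SMB mounts that embed a
# cleartext password, and check who can read the file.

# Print the mount point of every smbfs/cifs entry whose options hold password=.
smb_password_entries() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }           # skip comments and short lines
        $3 == "smbfs" || $3 == "cifs" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^password=/) { print $2; break }
        }
    ' "$1"
}

# Succeed (status 0) if group or others have read permission on the file.
readable_beyond_owner() {
    mode=$(ls -ld "$1" | cut -c1-10)            # e.g. -rw-r--r--
    [ "$(printf %s "$mode" | cut -c5)" = r ] ||
        [ "$(printf %s "$mode" | cut -c8)" = r ]
}

# Exit status: 0 = no cleartext SMB password found,
#              1 = password present, file readable by its owner only,
#              2 = password present and readable by other local users.
audit_fstab() {
    hits=$(smb_password_entries "$1" | tr '\n' ' ')
    [ -z "$hits" ] && { echo "OK: no cleartext SMB password in $1"; return 0; }
    if readable_beyond_owner "$1"; then
        echo "EXPOSED: $1 is group/world-readable; password= on: $hits"
        return 2
    fi
    # Owner-only mode hides the password from other users, but anyone who
    # gains root on this host can still read it and reach the W2K share.
    echo "NOTE: password= on: $hits(owner-only; still visible to root)"
    return 1
}

# Constructed sample entry; every value in it is made up.
sample=$(mktemp)
printf '%s\n' \
    '//w2k1/docs /mnt/docs smbfs username=linuxmnt,password=s3cret 0 0' > "$sample"
chmod 644 "$sample"; audit_fstab "$sample" || true
chmod 600 "$sample"; audit_fstab "$sample" || true
rm -f "$sample"
```

Status 1 is the case where the restricted W2K account matters: the file permissions no longer help once root on the Linux machine is lost.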