samba: disable guest access and anonymous queries
Source: meta-openembedded
MR: 00000
Type: Integration
Disposition: Merged from meta-openembedded
ChangeID: f29dfed
Description:

Guest accounts for Samba are a known potential vulnerability
(see https://www.tenable.com/plugins/nessus/26919) where info
about the host can be obtained without proper access. The option
"map to guest = bad user" allows login attempts with usernames
that don't exist to map to the guest account, while the
"restrict anonymous" value (implicitly set to 0 before this patch)
would allow any queries to obtain user and group list information.

Raise the default security level by setting "restrict anonymous"
to "1" and "map to guest" to "never" to avoid providing user/group
info to unauthenticated users and reject login attempts with an
invalid password, respectively.

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
Trevor Gamblin authored and jpuhlman committed Dec 31, 2019
1 parent 3d3676e commit ff3117b
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion meta-networking/recipes-connectivity/samba/samba/smb.conf
Expand Up @@ -25,6 +25,10 @@

## Browsing/Identification ###

# Prevent anonymous connections. Overriden if the user sets guest ok = yes
# on any share
restrict anonymous = 1

# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = WORKGROUP
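
Review bot: The new comment above "restrict anonymous = 1" says "Prevent anonymous connections", but the commit description gives the purpose of this value as not providing user and group list information to unauthenticated users, which is narrower. Please reword the comment to match the description so that nobody reading smb.conf assumes anonymous sessions are refused outright. "Overriden" should be "Overridden". The setting also lands under the "Browsing/Identification" heading, although it is an access-control option; placing it next to "map to guest" would keep the two guest-related defaults together and easier to audit.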

Expand Down Expand Up @@ -114,7 +118,7 @@

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user
map to guest = never

########## Domains ###########
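
Review bot: The comment kept above "map to guest = never" still only describes the option in general ("controls how unsuccessful authentication attempts are mapped to anonymous connections") and does not say that the mapping is now switched off or why. Add a line stating that with "never" a failed login is rejected rather than mapped to the guest account, as the commit description explains. The comment added in the first hunk tells users they can set "guest ok = yes" on a share, so this comment should also say whether such shares still work as expected with "map to guest = never", or what else has to be changed to re-enable guest access deliberately.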
