From ff3117b1078c6db7e536ff650c8afa164f7ce43e Mon Sep 17 00:00:00 2001 From: Trevor Gamblin Date: Mon, 23 Dec 2019 19:55:43 -0500 Subject: [PATCH] samba: disable guest access and anonymous queries Source: meta-openembedded MR: 00000 Type: Integration Disposition: Merged from meta-openembedded ChangeID: f29dfed64a56c9d952d18139d74adc1574ff79f4 Description: Guest accounts for Samba are a known potential vulnerability (see https://www.tenable.com/plugins/nessus/26919) where info about the host can be obtained without proper access. The option "map to guest = bad user" allows login attempts with usernames that don't exist to map to the guest account, while the "restrict anonymous" value (implicitly set to 0 before this patch) would allow any queries to obtain user and group list information. Raise the default security level by setting "restrict anonymous" to "1" and "map to guest" to "never" to avoid providing user/group info to unauthenticated users and reject login attempts with an invalid password, respectively. Signed-off-by: Trevor Gamblin Signed-off-by: Khem Raj Signed-off-by: Jeremy Puhlman --- meta-networking/recipes-connectivity/samba/samba/smb.conf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/meta-networking/recipes-connectivity/samba/samba/smb.conf b/meta-networking/recipes-connectivity/samba/samba/smb.conf index a0b87c37353..d6bde417fb4 100644 --- a/meta-networking/recipes-connectivity/samba/samba/smb.conf +++ b/meta-networking/recipes-connectivity/samba/samba/smb.conf @@ -25,6 +25,10 @@ ## Browsing/Identification ### +# Prevent anonymous connections. Overriden if the user sets guest ok = yes +# on any share + restrict anonymous = 1 + # Change this to the workgroup/NT-domain name your Samba server will part of workgroup = WORKGROUP @@ -114,7 +118,7 @@ # This option controls how unsuccessful authentication attempts are mapped # to anonymous connections - map to guest = bad user + map to guest = never ########## Domains ###########
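Review bot: In the first smb.conf hunk (@@ -25,6 +25,10 @@), the new comment above "restrict anonymous = 1" says "Prevent anonymous connections", but the commit description gives the setting a narrower effect: it stops unauthenticated queries from obtaining user and group list information. Suggest wording the comment to match the description, and correcting the spelling "Overriden" to "Overridden". The option is also added under the "Browsing/Identification" heading; placing it beside "map to guest" would keep the two guest-related defaults together for anyone auditing the file.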
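Review bot: For the switch to "map to guest = never" in the second hunk (@@ -114,7 +118,7 @@), the description is not consistent with itself: it says "bad user" maps logins with usernames that don't exist to the guest account, yet describes the new value as rejecting attempts with an invalid password. Suggest stating the effect of "never" in terms of unknown usernames. The unchanged comment above the option still only says it "controls how unsuccessful authentication attempts are mapped to anonymous connections"; it would help to add that the shipped default is now "never" and how that interacts with a share that sets "guest ok = yes", the case the first hunk's comment mentions.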