HP CIFS Server 3.0a Administrator's Guide version A.02.01

Securing HP CIFS Server
Security Protection Methods
Chapter 12 229
You need to be aware that the smbpasswd -w command stores the LDAP
administrator’s user and password in the
/var/opt/samba/private/secrets.tdb file in plain text.
Restricting Execute Permission on Stacks
A common method of breaking into a system is by maliciously
overflowing buffers on a program’s stack, such as passing unusually long
command line arguments to a privileged program that does not expect
them. Malicious unprivileged users can use this technique to trick a
privileged program into starting a superuser shell for them, or to
perform similar unauthorized actions.
One effective way to reduce the risk from this type of attack is to remove
the execute permission from the program’s stack pages. This improves
system security without impacting performance and has no negative
effects on the majority of legitimate applications.
The HP CIFS Server does not require execution on the stack. While the
HP CIFS Server attempts to prevent buffer overflow possibilities, you
can set the HP-UX kernel tunable parameter, executable_stack, to
disallow stack execution to provide a layer of protection from malicious
attacks. For details, refer to the man pages for chatr.
Restricting User Access
In addition to authentication services, the HP CIFS Server provides the
configuration parameters, valid users and invalid users, in the
smb.conf file, which you can use to further restrict access to your CIFS

Table 12-1 Configuration Files (Continued)

File                                             Description
/var/opt/samba/private/smbpasswd                 Data file containing user name and password information
/var/opt/samba/private/passdb.tdb                Data file containing user name and password information
/opt/samba/LDAP/smbldap-tools/smbldap_conf.pm    Data file used to hold LDAP administrator user and password in plain text
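
The files in Table 12-1 and the secrets.tdb file noted above hold credentials, some in plain text, so their ownership and mode are worth checking. The shell functions below are an added example, not part of the HP guide; the policy they enforce (owned by root, no group or other access, not a symbolic link) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example. Paths are the ones named on this page; the policy
# (owned by root, no group/other access, not a symlink) is this example's
# assumption, not a requirement quoted from the guide.
CIFS_SECRET_FILES="/var/opt/samba/private/secrets.tdb
/var/opt/samba/private/smbpasswd
/var/opt/samba/private/passdb.tdb
/opt/samba/LDAP/smbldap-tools/smbldap_conf.pm"

# check_secret_file PATH [OWNER]
# Returns 0 = acceptable, 1 = finding, 2 = file not present.
check_secret_file() {
    csf_path=$1
    csf_want=${2:-root}
    if [ -h "$csf_path" ]; then
        echo "FAIL $csf_path: symbolic link"; return 1
    fi
    if [ ! -f "$csf_path" ]; then
        echo "SKIP $csf_path: not present"; return 2
    fi
    # Parse 'ls -ld' output; stat(1) is not available on every UNIX.
    csf_ls=$(ls -ld "$csf_path") || return 2
    csf_mode=$(echo "$csf_ls" | awk '{print $1}')
    csf_owner=$(echo "$csf_ls" | awk '{print $3}')
    # Characters 5-10 of the mode string are the group and other bits.
    if [ "$(echo "$csf_mode" | cut -c5-10)" != "------" ]; then
        echo "FAIL $csf_path: mode $csf_mode grants group/other access"
        return 1
    fi
    if [ "$csf_owner" != "$csf_want" ]; then
        echo "FAIL $csf_path: owner $csf_owner, expected $csf_want"
        return 1
    fi
    echo "OK   $csf_path ($csf_mode $csf_owner)"
}

# audit_cifs_secrets [OWNER]
# Checks every file in CIFS_SECRET_FILES; returns 1 if any has a finding.
audit_cifs_secrets() {
    acs_findings=0
    for acs_file in $CIFS_SECRET_FILES; do
        check_secret_file "$acs_file" "${1:-root}" || [ $? -eq 2 ] || acs_findings=1
    done
    return $acs_findings
}
```

Source the file and run audit_cifs_secrets as root; files that are not present are reported as SKIP and do not count as findings.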