HP CIFS Server 3.0b Administrator's Guide version A.02.01.01

Securing HP CIFS Server
Security Protection Methods
Chapter 10226
Restricting Execute Permission on Stacks
A common method of breaking into a system is by maliciously
overflowing buffers on a program’s stack, such as passing unusually long
command line arguments to a privileged program that does not expect
them. Malicious unprivileged users can use this technique to trick a
privileged program into starting a superuser shell for them, or to
perform similar unauthorized actions.
One effective way to reduce the risk from this type of attack is to remove
the execute permission from the program’s stack pages. This improves
system security without impacting performance and has no negative
effects on the majority of legitimate applications.
The HP CIFS Server does not require execution on the stack. While the
HP CIFS Server attempts to prevent buffer overflow possibilities, you
can set the HP-UX kernel tunable parameter, executable_stack , to
disallow stack execution to provide a layer of protection from malicious
attacks. For details, refer to man pages for chatr.
Restricting User Access
In addtion to authentication services, the HP CIFS Server provides the
configuration parameters, valid users and invalid users, in the
smb.conf file, which you can use to further restrict access to your CIFS
server. You can configure the admin users parameter to provide
administration capabilities only to the users listed with this parameter,
to restrict its use.
For example, you can configure the valid users option in the
smb.conf file as follows:
[global]
valid users = @smbusers, jack
This restricts all server access to either the user, jack, and to members
of the system group, smbusers.