HP CIFS Server 3.0f Administrator's Guide verison A.02.03
enable HP CIFS Server with SSL. For detailed information on how to enable SSL communication over LDAP,
see Chapter 6 “LDAP Integration Support”.
The HP CIFS Server accepts the highly secure Kerberos tickets for Windows 2000 Active Directory
configurations.
Protecting Sensitive Configuration Files
The default permissions for HP CIFS Server configuration files have been carefully selected to ensure security
while providing appropriate accessibility. However, you need also to protect these configuration files from
unauthorized access. Be especially careful if you decide to locate them in alternative directories.
Table 6-1describes a list of commonly used configuration files and their default locations. There are also
many smb.conf configuration parameters which permit alternate locations for these files and many
parameters that result in additional configuration files or scripts controlling run-time actions not mentioned
here.
Configuration File
Table 10-1 Configuration Files
DescriptionFile
Master configuration file/etc/opt/samba/smb.conf
Log files/var/opt/samba/log.*
Database files containing important internal run-time information/var/opt/samba/locks/*.tdb
Data files containing system name and addresses/var/opt/samba/locks/*.dat
Master daemon process ID files used for starting, stopping, and
clustering scripts
/var/opt/samba/locks/*.pid
Database files containg important internal run-time information/var/opt/samba/private/*.tdb
Data file containing user name and password information/var/opt/samba/private/smbpasswd
Data file containing user name and password information/var/opt/samba/private/passdb.tdb
Data file used to hold LDAP administrator user and password in
plain text
/opt/samba/LDAP/smbldap-tools/smbldap_conf.pm
You need to be aware that the smbpasswd -w command stores the LDAP administrator's user and password
in the /var/opt/samba/private/secrets.tdb file in plain text.
Using %m Name Replacement Macro With Caution
The NetBIOS name of remote clients is substituted into the "%m" macro wherever it occurs in the
smb.confconfiguration file. The use of contrived NetBIOS names may result in Samba using a file path
outside of the intended Samba directories. This can be used to cause Samba to append data to important
system files, which in turn can be used to compromise security on the server.
An immediate fix is to edit your smb.conf configuration file and remove all occurrences of the macro "%m".
Depending on the requirements of each site, other smb.confmacros may be suitable replacements.
The log file option is the most vulnerable to this redefinition problem. The sample configuration file
contains the path,/var/opt/samba/log.%m. Using this default path does not create a vulnerability unless
there happens to exist a subdirectory in /var/opt/samba which starts with the prefix "log.".
If you choose to maintain the use of the "%m" macro in thelog file option, you should use the default
value, /var/opt/samba/log.%m.
Restricting Execute Permission on Stacks
A common method of breaking into a system is by maliciously overflowing buffers on a program's stack,
such as passing unusually long command line arguments to a privileged program that does not expect them.
Malicious unprivileged users can use this technique to trick a privileged program into starting a superuser
shell for them, or to perform similar unauthorized actions.
Configuration File 143