Comment 74 for bug 32067

Soren Hansen (soren) wrote : Re: [Bug 32067] Re: the security parameter must be set to share, not user, in smb.conf - Smb/Gnome sharing broken

On Sun, Feb 03, 2008 at 11:59:19PM -0000, Ralf Nieuwenhuijsen wrote:
> For years now, there is broken GUI functionality in the desktop. No
> user understands why it is broken.

To those users: Rather than assuming we're idiots (we're not), or that
we don't care (we do), I suggest you ask.

> If you would ask the user 'what do you expect?' .. they would say: 'i
> chose to share folder X, but it does not work'

Right. Most care about functionality. Not technology.

> What did they _expect_? They expected it to work _without_ requiring
> a password.

That might be what *you* expect. I doubt you've asked all of our
millions of users whether they think you should be asked for a password
when connecting to a share. I certainly haven't. Hence, I try to avoid
making such specific assumptions about their wishes. I recommend a
similar approach.

> During all those years people have complained about this. We are told
> it is insecure. None of _us_ understand _why_.
>
> You, being the expert, obviously do understand it. But could you please
> communicate why the behavior a desktop-user expects is bad?

It's not like it's a secret or anything. It's been discussed in many
places many times before. The short version:

If you're using security=user and connect to Samba, you'll be asked for
a username and password. If successfully authenticated, the Samba process
on the server will switch to running as your user on the system. This
ensures that the file system restrictions the Unix model imposes are
properly respected. This is a very good thing.

If you're using security=share, the client doesn't (or at least: is not
required to) send a username when it connects, so to switch to a
different user (to avoid running as root), Samba has to guess which user
you are. Unless you've taken explicit measures to avoid it (and based
on the type of users we're talking about, I'm guessing most will not
have done so), the password sent to the server will be checked against each
and every user in turn until one of them is successfully authenticated.
That's really the crux of the problem. This means that a malicious user
doesn't even have to bother guessing user names if he wants to crack
your Samba server. He can just try a short list of common passwords, and
Samba will check each password against each and every user on the system
until it successfully authenticates. Again, considering the type of users
we have to take into consideration here, I'm not going to make very
strong assumptions of the quality of their passwords...

Even if you disregard malicious users, you also have a problem if
multiple people on the system have the same password (after all, they
are likely to have the same family name, street name, etc.). You might
all be acting in good faith, but because of Samba's behaviour in this
area, you could end up accessing someone else's files when you were
trying to access your own.

In summary, the only situation where there is *no* risk involved in
this, is if you're on a separate network (not connected to the internet
at all), and there's only a single user on the network to worry about.

I have no statistics to back this up, but I'm quite confident this is
not a very common scenario for our users.

> We can all imagine this behavior would be the wrong default for a
> server. But I didn't install server. I installed a desktop.

Your machine being used as a desktop is no excuse for making it insecure
by default.

> I didn't share all my files, the GUI already had me pick which
> folder(s) to share. I choose things like my music and my photos.

And wouldn't it be lovely if the MPAA browsed through your music and
your private photos landed on the internet somewhere?

--
Soren Hansen
Virtualisation specialist
Ubuntu Server Team
http://www.ubuntu.com/
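The smb.conf distinction Soren describes, put into a small defender-side check. This is an added example and not code from the bug report, from Ubuntu or from the Samba project; it assumes only the documented smb.conf layout ([section] headers, `key = value` lines, full-line `#`/`;` comments) and Samba's documented defaults for `security` (user) and `map to guest` (Never). Both configurations are constructed samples: the weak one is what the bug asks for, the hardened one keeps per-user authentication and routes anonymous access to the guest account instead of sweeping the password across every account.

```python
"""Flag 'security = share' in an smb.conf and show the hardened alternative.

Added example, not Samba's or Ubuntu's code. The configs below are
constructed samples, and the parser covers only the plain smb.conf
layout (no 'include =', no variable substitution).
"""
import re

# Constructed sample: the setting requested in the bug report.
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   # the password is matched against every account in turn
   security = share

[music]
   path = /home/alice/Music
   guest ok = yes
"""

# Constructed sample: per-user authentication stays on; a client that
# presents an unknown username is mapped to the guest account, while a
# known username with a wrong password is refused.
HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Bad User
   guest account = nobody

[music]
   path = /home/alice/Music
   guest ok = yes
   read only = yes
"""

_SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def parse_smb_conf(text):
    """Return {section: {param: value}} with section and param names lower-cased."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or full-line comment
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group("name").strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue                          # stray line; Samba itself would warn
        key, _, value = line.partition("=")
        conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def _is_true(value):
    """Samba boolean: yes/true/1 are true, everything else false."""
    return value.strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    security = glob.get("security", "user").lower()   # Samba's default is 'user'
    if security == "share":
        findings.append(
            "global: security = share -> the supplied password is tried against "
            "every account, so a short list of common passwords finds *some* user, "
            "and two users with the same password can open each other's files")
    guest_shares = [name for name, params in conf.items()
                    if name != "global" and _is_true(params.get("guest ok", "no"))]
    if guest_shares and security != "share" and "map to guest" not in glob:
        findings.append(
            "global: shares %s allow guests but 'map to guest' is unset (default "
            "Never), so clients presenting an unknown username are refused instead "
            "of being mapped to the guest account" % ", ".join(guest_shares))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label + ":", audit_smb_conf(text) or ["no findings"])
```

Run the file directly to see the weak sample flagged and the hardened one pass; point `audit_smb_conf` at the contents of `/etc/samba/smb.conf` to check a real system. Current Samba releases no longer accept `security = share` at all, but inherited configurations still carry it, which is why the check is worth keeping around.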