SMB Shares to XP - Total Access to Home Directory??

Discussion in 'macOS' started by abnospam, Apr 30, 2010.

  1. abnospam macrumors regular

    abnospam

    Joined:
    Jul 17, 2008
    #1
    Hi Everyone - new OSX user here, so pardon my ignorance.

I want to set up a public share to my public folder for Windows XP users. When I do this, it seems to share the public folder AND the entire home directory for read/write. It doesn't seem to matter that I haven't shared that folder. This seems like a HUGE security hole to me. What am I doing wrong?
     
  2. calderone macrumors 68040

    calderone

    Joined:
    Aug 28, 2009
    Location:
    Seattle
    #2
    Are you sure you can read and write to the entire home folder?

    In order to share out the Public folder, the home folder must have read permissions, which means you can see everything in the home folder at the root level, but you should not be able to dig into the other sub-folders.
     
  3. abnospam thread starter macrumors regular

    abnospam

    Joined:
    Jul 17, 2008
    #3
Yes, I have TOTAL access to the home folder. It's frightening.
     
  4. abnospam thread starter macrumors regular

    abnospam

    Joined:
    Jul 17, 2008
    #4
Let me add - I have SMB sharing on only and my main account is checked. Only the public folder is listed on shared folders.
     
  5. jbuk macrumors regular

    Joined:
    Jun 8, 2009
    #5
    Are you using your Mac Username/Password to access the share?

    Try logging onto the share as a guest.
     
  6. abnospam thread starter macrumors regular

    abnospam

    Joined:
    Jul 17, 2008
    #6
    I am just typing //computername in my windows explorer and I see a share with my user name which is my home directory. I am not connecting under any credentials.
     
  7. Ice Cream Man macrumors member

    Ice Cream Man

    Joined:
    Jan 1, 2003
    Location:
    Earth
    #7
You might try a Windows specific forum then, as OSX doesn't control what Windows allows access to.
     
  8. grapii macrumors member

    Joined:
    Oct 27, 2009
    #8
Urmmm, this has nothing to do with Windows. Windows will just see what's available...being broadcast.

    This is quite dangerous if the OP is right, simply sharing the public folder is giving full access to the root folder. May not be a problem mac to mac, but what about mac to ???
     
  9. Ice Cream Man macrumors member

    Ice Cream Man

    Joined:
    Jan 1, 2003
    Location:
    Earth
    #9
Oh, I guess I read that backwards, I thought he was saying Windows to OSX. There must be something enabling that level of access. It doesn't just happen by default. Have you ever, in your life, authenticated OSX from Windows with a user login?
     
  10. abnospam thread starter macrumors regular

    abnospam

    Joined:
    Jul 17, 2008
    #10
ALSO - I found the native Samba command to see what is shared and IN FACT, the user home directory is shared! It's the ones that are checked in the settings. Unfortunately if I don't check the account in settings, nothing gets shared. I think this is a BUG - anyone else confirm this?

    p.s. 10.6.3 shipped with my new MBP
     
  11. abnospam thread starter macrumors regular

    abnospam

    Joined:
    Jul 17, 2008
    #11
    This is the output I see in Samba

    Code:
    my-mbp:tmp jdoe$ smbclient -L \\127.0.0.1 
    Password: 
    Domain=[MY-MBP] OS=[Unix] Server=[Samba 3.0.28a-apple]
    
    	Sharename       Type      Comment
    	---------       ----      -------
    	IPC$            IPC       IPC Service (MY-MBP)
    	John Doe's Public Folder Disk      John Doe's Public Folder
    	jdoe          Disk      User Home Directories
    Domain=[MY-MBP] OS=[Unix] Server=[Samba 3.0.28a-apple]
    
    	Server               Comment
    	---------            -------
    
    	Workgroup            Master
    	---------            -------
    	WORKGROUP            
    
     
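    Added example (not from the thread): a small Python checker that parses the kind of smbclient -L listing shown above and flags Disk shares that were not explicitly configured, in particular Samba's automatic home-directory share. The sample listing is constructed to match the output posted above, and the allowlist name is an assumption.

```python
"""Audit what a Samba host actually exposes against the shares you intended.
Added example, not from the thread; the sample listing below is constructed
to match the smbclient -L output posted above."""
import re

# Constructed sample: a copy of the share table smbclient -L printed above.
SAMPLE_LISTING = """\
Domain=[MY-MBP] OS=[Unix] Server=[Samba 3.0.28a-apple]

\tSharename       Type      Comment
\t---------       ----      -------
\tIPC$            IPC       IPC Service (MY-MBP)
\tJohn Doe's Public Folder Disk      John Doe's Public Folder
\tjdoe          Disk      User Home Directories
Domain=[MY-MBP] OS=[Unix] Server=[Samba 3.0.28a-apple]

\tServer               Comment
\t---------            -------
"""

# Share names may contain spaces ("John Doe's Public Folder"), so anchor on
# the Type column rather than splitting the line on whitespace.
SHARE_RE = re.compile(r"^\s*(?P<name>.+?)\s+(?P<type>Disk|IPC|Printer)\s+(?P<comment>.*)$")


def parse_shares(listing):
    """Return [(name, type, comment)] for every share row in the listing."""
    shares = []
    for line in listing.splitlines():
        m = SHARE_RE.match(line)
        if m:
            shares.append((m.group("name"), m.group("type"), m.group("comment").strip()))
    return shares


def unexpected_shares(listing, intended):
    """Disk shares missing from the intended allowlist, plus any automatic
    home-directory share (Samba labels these 'User Home Directories')."""
    findings = []
    for name, stype, comment in parse_shares(listing):
        if stype != "Disk":
            continue  # IPC$ is the named-pipe endpoint every Samba host exposes
        if comment == "User Home Directories":
            findings.append((name, "automatic home-directory share"))
        elif name not in intended:
            findings.append((name, "not in the explicit share list"))
    return findings


if __name__ == "__main__":
    # Assumed allowlist: only the Public folder was meant to be shared.
    for name, why in unexpected_shares(SAMPLE_LISTING, {"John Doe's Public Folder"}):
        print(f"{name!r}: {why}")
```

    Run it against a saved `smbclient -L` listing to confirm that only the folders you ticked in the Sharing preferences are actually being offered.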
  12. calderone macrumors 68040

    calderone

    Joined:
    Aug 28, 2009
    Location:
    Seattle
    #12
    Do the accounts have the same username and password? Between Windows and OS X that is.
     
  13. abnospam thread starter macrumors regular

    abnospam

    Joined:
    Jul 17, 2008
    #13
Good question - same username and I have tried with the same password and different passwords.

    Let me ask....does it matter? Samba still lists a share that I never explicitly shared. That could be a massive security hole.
     
  14. calderone macrumors 68040

    calderone

    Joined:
    Aug 28, 2009
    Location:
    Seattle
    #14
    It does, because by default if file sharing is turned on, a user is allowed to connect to their home folder.

In other words, if I simply turn on file sharing and SMB, when I go to connect to my Mac and authenticate as myself, I am presented with all the explicitly defined sharing options including my own home folder. (And any volumes I own.)

So OS X isn't doing anything abnormal per se, but your entire home folder is supposed to be shared out to only you. So it becomes a question of which OS is at fault.
     
  15. balamw Moderator

    balamw

    Staff Member

    Joined:
    Aug 16, 2005
    Location:
    New England
    #15
AFAIK this is normal behavior for Windows past a certain point. If you share ANYTHING that is in your profile, it all gets shared.

    I remember running into this on my Vista box, when I had one.

    EDIT: You still need for both permission to access the share, and permission for the logged in account to access the files in the file system, so it's really not so much of a hole.

    B
     
  16. calderone macrumors 68040

    calderone

    Joined:
    Aug 28, 2009
    Location:
    Seattle
    #16
I have already addressed this in the first reply. The OP says they have full (or total as the OP says) access to their home folder, which I assume means all subdirectories and files.
     
  17. balamw Moderator

    balamw

    Staff Member

    Joined:
    Aug 16, 2005
    Location:
    New England
    #17
    EDIT: I did completely misread this. Thought the share was on the Windows box. Interesting to see that Mac OS is doing something similar to Windows. Ignore comments below.

    So, it could be that the file system permissions are FUBAR, and allow any account on the XP box to read/write those folders locally. In which case those would be accessible remotely even if you are not logged in as the owner of the folder.

    Or, more likely, the OP is logged on as the user who actually owns said files. (As you have suspected).

    The clarification I sought to add was that it's not just public that triggers this. Any shares established within user profiles create the additional share.

    IIRC if you keep all your shared folders outside \Users or \Documents and Settings\ this share will not get turned on by default.

    B
     
  18. calderone macrumors 68040

    calderone

    Joined:
    Aug 28, 2009
    Location:
    Seattle
    #18
    It could be a combination of the guest account and "read & write" for everyone on the sub folders in the OP's home directory.

    It is tough to make a call without being at the machine.
     
  19. abnospam thread starter macrumors regular

    abnospam

    Joined:
    Jul 17, 2008
    #19
    WOW - so I tried from my other XP machine where my login name is different. And I only see my public folder!

So, I went back to my other laptop with the same userid (but different password) and sharing breaks (probably because it tries to auto-connect with that id/pwd, but fails). I then get a prompt and type in my mac id/pwd and now I am back in with total home directory access.

    Ok, I feel better now, but this is borderline scary. Sharing something "automatically" without explicit user config is not a good practice - I don't care how user friendly it is Apple.
     
  20. balamw Moderator

    balamw

    Staff Member

    Joined:
    Aug 16, 2005
    Location:
    New England
    #20
    As I pointed out this is also what Windows does.

    B
     
  21. abnospam thread starter macrumors regular

    abnospam

    Joined:
    Jul 17, 2008
    #21
What do you mean this is what Windows does?

    When you connect from a mac to windows with the same userid/pwd, it opens up all of the C drive to FULL access?
     
  22. calderone macrumors 68040

    calderone

    Joined:
    Aug 28, 2009
    Location:
    Seattle
    #22
    There are both technical and simplicity reasons for doing this.

The technical is that the home folder must be shared at some level in order for someone to have access to its internal contents. This is mainly handled through permissions.

From a simplicity standpoint, what is the most likely reason a user would be connecting to a machine which contained their home directory? To view their home directory of course. This is why it is made available to you and only you.

    If I authenticate as a different local user, I will be presented with that local user's home directory as a possible mount point and not mine.

You are authenticating as yourself, which is why you are given access to your home folder. It is a fine practice as long as security is ensured.
     
  23. balamw Moderator

    balamw

    Staff Member

    Joined:
    Aug 16, 2005
    Location:
    New England
    #23
No. It creates a \\COMPUTERNAME\USERS share whether you like it or not once you share something within a profile. If you have the username and password for any user that has a profile you can access their files, even though they didn't share anything.

    Note also that if any accounts that have admin rights on your XP boxes have vulnerable usernames and passwords, the whole C drive is already shared as a "hidden" administrative share. http://en.wikipedia.org/wiki/Administrative_share (Yes it's better in Vista and 7, but XP is still affected).

    EDIT: This is what I'm talking about. http://www.vistax64.com/vista-netwo...folder-shared-after-creating-first-share.html

    B
     
  24. abnospam thread starter macrumors regular

    abnospam

    Joined:
    Jul 17, 2008
    #24
You mean the C$ trick. Well, yes, that is true, but I am more OK with that when it's Windows-to-Windows based on Kerberos or some other secure "single signon" module.

When another OS is connecting I do not want it replaying passwords. That's the equivalent to re-posting to a web form - it's bound to compromise security somewhere.
     