Tuesday 7 January 2014

Re: Include samba and libpam-smbpass by default in Ubuntu

On Sun, Jan 05, 2014 at 10:50:35PM -0200, pabloalmeidaff9@gmail.com wrote:
> We really don't have a way to have the packages installed but the service
> stopped/unavailable until the user needs it?

It could be done, but that's not the way Debian packages are put together by
default. It would be a rather large amount of work, and I doubt that
filesharing on the local network is seen as an important enough use case
today to justify that effort.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org


> 2014/1/5 Steve Langasek <steve.langasek@ubuntu.com>

> > On Sun, Jan 05, 2014 at 12:47:47PM -0500, Stéphane Graber wrote:
> > > Ubuntu has a no open port by default policy at least for the Desktop
> > > installation. If you look at a default Ubuntu Desktop system the only
> > > exceptions you should see to that rule are the DHCP client (which needs
> > > to listen on udp/68) and avahi-daemon (which needs to listen on
> > > udp/5353).
> >
> > > So having samba installed and running by default isn't an option and
> > > would be a potential security risk for millions of systems which do not
> > > need the service at all anyway.
> >
> > > I think having nautilus prompt the user for those packages to be
> > > installed is perfectly reasonable, having to restart the session however
> > > seems a bit odd to me and shouldn't be a requirement.
> >
> > The requirement follows from the fact that CIFS shares require a different
> > password hash to be available on the server system for authentication than
> > the one used by default in /etc/shadow, and while the permissions on the
> > file managed by libpam-smbpasswd are secure, the NTLM hashes are strictly
> > weaker than the hashes used for /etc/shadow, which exposes users to greater
> > risk of password cracking if the database is stolen. So since these hashes
> > are not generated until the user opts in to CIFS sharing through nautilus
> > (changing their PAM config), the session logout/login is unavoidable.
> >
> > --
> > Steve Langasek                   Give me a lever long enough and a Free OS
> > Debian Developer                   to set it on, and I can move the world.
> > Ubuntu Developer                                    http://www.debian.org/
> > slangasek@ubuntu.com                                     vorlon@debian.org
> >
>
>
>
> --
> Pablo Almeida
> http://www.google.com/profiles/pabloalmeidaff9
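
The "no open port by default" policy quoted in this thread names two exceptions, udp/68 and udp/5353. The following is an added example, not part of the original thread or of any Ubuntu tooling, that checks a listener list against that policy. It assumes the input is the output of `ss -H -tuln`, that loopback-only listeners do not count as open ports, and the sample lines are constructed.

```python
import ipaddress

# Exceptions named in the thread: DHCP client (udp/68) and avahi-daemon (udp/5353).
ALLOWED = {("udp", 68), ("udp", 5353)}

# Constructed sample of `ss -H -tuln` output on a desktop with samba running.
SAMPLE = """\
udp   UNCONN 0 0      0.0.0.0:68         0.0.0.0:*
udp   UNCONN 0 0      0.0.0.0:5353       0.0.0.0:*
udp   UNCONN 0 0      [::]:5353          [::]:*
udp   UNCONN 0 0      127.0.0.53%lo:53   0.0.0.0:*
udp   UNCONN 0 0      192.168.1.20:137   0.0.0.0:*
tcp   LISTEN 0 5      127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0 50     0.0.0.0:445        0.0.0.0:*
tcp   LISTEN 0 50     [::]:139           [::]:*
"""

def split_local(field):
    """Split ss's 'Local Address:Port' column into (host, port)."""
    host, _, port = field.rpartition(":")
    # Drop the %iface scope first, then the IPv6 brackets.
    host = host.split("%")[0].strip("[]")
    return host, int(port)

def is_loopback(host):
    """True only for addresses bound to loopback; '*' is a wildcard bind."""
    if host == "*":
        return False
    return ipaddress.ip_address(host).is_loopback

def policy_violations(ss_output, allowed=ALLOWED):
    """Return sorted (proto, port, host) listeners outside the allowed set."""
    violations = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] not in ("tcp", "udp"):
            continue
        proto, state = cols[0], cols[1]
        if state not in ("LISTEN", "UNCONN"):  # listening TCP / bound UDP
            continue
        host, port = split_local(cols[4])
        # Assumption: loopback-only sockets are not network-exposed.
        if is_loopback(host) or (proto, port) in allowed:
            continue
        violations.add((proto, port, host))
    return sorted(violations)

if __name__ == "__main__":
    for proto, port, host in policy_violations(SAMPLE):
        print(f"unexpected listener: {proto}/{port} on {host}")
```
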