smb.conf (a little help please)

jdow jdow at earthlink.net
Fri Jul 28 21:26:29 UTC 2006


From: "Justin Willmert" <justin at jdjlab.com>
> jdow wrote:
>> GACK! CHOKE! ARGH! Simple file sharing is enough. But do NOT create
>> an anybody group with a lot of permissions. Windows is open enough to
>> cracking as it is. There is no sense opening it up even farther even
>> if you hate the damn thing. Any hacked Windows machine is a pain in
>> the sit down part of the anatomy for virtually every ISP and email
>> manager in the world. Please don't create a risk of adding to that
>> problem. {O.O}
> When I said to set the Everybody group, I of course meant you do that 
> only with Windows machines inaccessible from the internet, secured 
> behind a firewall, and used for a small home network where there won't 
> be more than 10 computers. If the network the Windows computers are on is 
> in an environment where outside users can get into the network, then 
> feel free to follow jdow's choking and don't allow the Everybody group 
> permissions.

I think I got what you meant. I simply don't treat any OS as being
really secure unless it is not connected to the Internet by even the
most devious route. If someone cracks the firewall and the internal
Windows machine is more open than usual it's toast. It is also a route
to toasting the rest of your system if it has too much smb privilege.

It's fashionable to worry about single failures because multiple
failure cascades quickly become overwhelmingly complex. I am a bit
of a pessimist and figure if there is one failure that does not
exempt me from other failures. In fact, in cases of security a single
failure can easily lead to a failure cascade if there are not multiple
protections in place.

Your setup is 'probably safe' with a modest value of 'probably'. I
prefer a slightly better value for 'probably.' (So far I have not
gone overboard and turned the Linux machine into a rigidly compartmented
SE Linux prison camp, though. {^_-} Sometimes what I see in the log
files gets me tempted that way, though.)

{o.o}
