From: "Justin Willmert" <justin@xxxxxxxxxx>
jdow wrote:
GACK! CHOKE! ARGH! Simple file sharing is enough. But do NOT create
an anybody group with a lot of permissions. Windows is open enough to
cracking as it is. There is no sense opening it up even farther even
if you hate the damn thing. Any hacked Windows machine is a pain in
the sit down part of the anatomy for virtually every ISP and email
manager in the world. Please don't create a risk of adding to that
problem. {O.O}

When I said to set the Everybody group, I of course meant you do that
only with Windows machines inaccessible from the internet, secured
behind a firewall, and used for a small home network where there won't
be more than 10 computers. If the network the Windows computers are on is
in an environment where outside users can get into the network, then
feel free to follow jdow's choking and don't allow the Everybody group

I think I got what you meant. I simply don't treat any OS as being
really secure unless it is not connected to the Internet by even the
most devious route. If someone cracks the firewall and the internal
Windows machine is more open than usual it's toast. It is also a route
to toasting the rest of your system if it has too much smb privilege.

It's fashionable to worry about single failures because multiple
failure cascades quickly become overwhelmingly complex. I am a bit
of a pessimist and figure if there is one failure that does not
exempt me from other failures. In fact, in cases of security, a single
failure can easily lead to a failure cascade if there are not multiple
protections in place.

Your setup is 'probably safe' with a modest value of 'probably'. I
prefer a slightly better value for 'probably.' (So far I have not
gone overboard and turned the Linux machine into a rigidly compartmented
SE Linux prison camp, though. {^_-} Sometimes what I see in the log
files gets me tempted that way, though.)