MX Linux Forum

He should have taken Groucho Marx's advise and stuck around longer then leave in a minute and a huff. (He probably isn't aware that SwampRabbit's day job is in the cyber security field.)

I follow the samba discussions when I can because I too use samba in 18.3 in a number of my machines. I appreciate swamprabbits perspective but I also have a use case that I really want to continue using.

My reason for posting this is to try to understand the issue to its logical conclusion. If I read swamprabbit correctly, he's saying virtually any linux still running the older version of samba included in 18.3 or any version of "stretch" (or before?) ought to be considered a major hazard, and the implication is that all those installations are major security risks that should be taken down.

Am i reading that correctly? Should, for example, MX consider posting a warning that all the existing installations of 18.3, probably many or most of which have samba installed, should be removed from service or at least samba deinstalled from them?


EDIT: I take it that this is different from the SAMBACRY issue discussed here: https://www.tecmint.com/fix-sambacry-vu ... -in-linux/ Or is it? I can't tell if the patches that apparently addressed sambacry fixed this issue or not, but I am gathering from reading swamprabbit that we're talking about different problems. Presumably the issue swamprabbit is raising is something that has not been addressed by Debian's ongoing security updates to stretch.

@nathan2423
Very good question, Nathan: I hope it will be answered soon.

nathan2423 wrote: Fri Sep 04, 2020 7:20 am... If I read swamprabbit correctly, he's saying virtually any linux still running the older version of samba included in 18.3 or any version of "stretch" (or before?) ought to be considered a major hazard, and the implication is that all those installations are major security risks that should be taken down.

Am i reading that correctly? Should, for example, MX consider posting a warning that all the existing installations of 18.3, probably many or most of which have samba installed, should be removed from service or at least samba deinstalled from them?

No, I said "No one should ever use NT1 (SMB1) ever again.", not that no one should ever use the version of Samba in MX-18.3. There is nothing wrong with still using MX-18.3 and the version of Samba provided as long as you don't use SMB1. If there was still cause for concern, don't you think Debian (all the derivative distros, including MX) would do something more already?
You don't need to use SMB1 unless you are also using a legacy OS or application that you probably shouldn't be using anyway. So why use SMB1 if you don't have to, maybe because you like to live dangerously?

The issue was that we had two newly registered users pop into a thread and tell someone to enable SMB1 to fix their problem. GuiGuy didn't even say they were using older versions of Windows yet when the first user suggested it. Maybe they were trying to help, but telling someone to use a file sharing protocol which has been depreciated at great lengths is not the right answer, until it is proven as the only answer.

It wasn't proven to be the only answer and GuiGuy even said it didn't fix the problem anyway, two wrongs don't make a right.

GuiGuy wrote: Thu Sep 03, 2020 5:30 pm This argument about the added line seems pointless to me because I tried
adding it and it did not change the samba defect I was talking about.

Bad attempt at an analogy time....

Its no different than someone telling you:
"hey I want to park my car in my garage, but my garage door opener doesn't work anymore"

And a person standing on the street chiming in and saying:
"the answer is to leave your garage door open all the time"

When the better answer is, get a new garage door opener, or fix the one you have.
IF you can't do the above, then you need to open and close it manually.


I don't want to derail GuiGuy's thread, we should be focusing on helping them get Samba working the way they need and want. IF, that means they need NT1 (SMB1) because they have to use Win XP or 98se, then that is their call. But the next step is to limit use and access, which can be done in Linux, Samba many different ways, maybe even at their network too.

But, I'd personally dump the Win XP and 98se for a lot of reasons instead. And, if there is a solution to get file sharing working without using the almost 30 year old SMB1 protocol, than that is a better solution.

I kinda avoid security related discussions outside of my day job for several reasons:
1) I have enough of it for 18hrs a day, 2) security isn't a matter of yes and no - the if, and, but, why, how, when, use, etc, etc are subjectively important, 3) MX Linux is secure enough to not have to worry about it constantly 4) its usually a circular discussion, 5) people like to mince other peoples' words for kicks

JayM keeps dropping the dime on me though.... I just want to maintain packages and take lots of naps.

GuiGuy, can you tell us a bit more about your systems and what you are trying to accomplish?

- Which systems are the ones that need to "share" files to the others?

- Are the MX-18, MX-19, XP, and 98se systems all separate physical systems that are on all the time?

- Are any of these not used or on all the time (i.e. dual booting, etc)?

- Are any of these virtual systems?

- What exactly are you using the XP and 98se systems for?

- Do you connect to the internet with the XP and 98se systems?

SwampRabbit wrote: Fri Sep 04, 2020 3:07 pm GuiGuy, can you tell us a bit more about your systems and what you are trying to accomplish?

- Which systems are the ones that need to "share" files to the others?

Several machines, most of them multiboot windows and Linuxes.

- Are the MX-18, MX-19, XP, and 98se systems all separate physical systems that are on all the time?

They are all separate physical machines.

- Are any of these not used or on all the time (i.e. dual booting, etc)?

None is on all the time (even my main machine is not on all the time).

- Are any of these virtual systems?

No.

- What exactly are you using the XP and 98se systems for?

Old obsolete programs and files.

- Do you connect to the internet with the XP and 98se systems?

No, but they connect to my LAN which connects to internet via DHCP - the dhcp router has its own firewall.

What about the most important question for MX addicts: is it safe to use MX18.3?

Thank you for staying (patiently?) with this thread.

GuiGuy wrote: Fri Sep 04, 2020 5:23 pm What about the most important question for MX addicts: is it safe to use MX18.3?

I already answered this, but the answer is YES it is safe.

Kinda funny this would even be asked, but yeah

I'll try to follow up on the basic Samba stuff later, got other things calling for my attention right now.

quick clarification - the samba browsing in the file managers isn't attached to the samba program itself. you don't even need samba enabled to browser shares.

someone said it above that the problem lies in gvfs-backends. I don't know if that's so, but it wouldn't surprise me and maybe we are missing something that lets that browsing for shares that way work. I've always had to direct address my shares though. I just bookmark them.

Thanks for the clarification, DO.
BTW browsing and connection to W98 and XP both work fine from MX18.3,
so 18.3 is my main daily OS until the defect in 19.2 is cured.

Thanks for the clarification, DO.
BTW browsing and connection to W98 and XP both work fine from MX18.3,
so 18.3 is my main daily OS until the defect in 19.2 is cured.

But isn't it working in 18.3 because you're using SMB1, which is what is being discussed as being leaving you open to the hazards? I apologize if I still don't understand swamprabbit's point, but my understanding so far is that 18.3 works because it defaults to SMB1, and SMB1 is the attack vector for the nasty stuff. I am not gathering that anything that was said in the thread implies that use of samba in 18.3 is safe unless you alter the config file in 18.3 to make the minimum samba version to be SMB2. But if you alter the 18.3 config file to require SMB2 as a minimum, then that's going to prevent you from doing what you want to do on 18.3, just as it prevents 19.2 from doing what you want to do.

Again I apologize if I am reading all this incorrectly. Just trying to understand.