DSM-G600, DNS-3xx and NSA-220 Hack Forum

Unfortunately no one can be told what fun_plug is - you have to see it for yourself.


#1 2007-11-22 00:46:28

xoltri
New member
Registered: 2007-11-22
Posts: 2

Security bug?

Sorry for the long-winded explanation (cliffs at bottom). I am setting up a DNS-323 in a small office to be used as a backup for each workstation and also as a shared drive. It looks like it will work in the end but man have I had to work around a lot of quirks with this device.

Here is an example of the folder structure that I have set up.

Accounting
-> Acc Common
-> Acc Home
      ->AccountingUser1

Sales
-> Sales Common
-> Sales Home
      ->SalesUser1


Etc.

Then, I created groups for the users, such as AccountingGroup and SalesGroup.  I gave access for the AccountingGroup to Acc Common and the SalesGroup to Sales Common and so on.

I then created users; SalesUser1 and AccountingUser1; and added them to the appropriate group.  I also gave them access to their own private folder under Sales Home and Acc Home respectively.

I created all users with the same password, monkey1. The reason I did this was the users are at a remote site, and are free to change their Windows passwords on their local machines at will. If I were to make the password on the DNS-323 the same as their Windows account, if they were to change their Windows password, their access to the DNS-323 would be broken. I don't want to deal with phone calls when this happens. In hindsight, all users having the same password wasn't very secure, but it was meant to ease administration.

Then, to allow access to the DNS-323 from their computer, I then went to the user's machine, went to Manage Network Passwords, and added the password monkey1 when connecting to the DNS-323 with the appropriate account.

This works, with one problem.  Since the passwords for AccountingUser1 and SalesUser1 are the same, it will allow SalesUser1 access to the Acc Common share and vice versa.  Not exactly secure!  I have found that if each user has unique passwords, it will work as intended.

In fact, it doesn't seem to check the username/password combination at all, just the password itself.  If I remove the credentials from Manage Network Passwords entirely, and try to access a share on the device, it prompts with a greyed out username of dns-323\Guest.  Typing in the correct password for that folder will gain access, even though it is the wrong username.

Just thought I'd throw this out there.

Cliffs:

Users with the same passwords can access each other's shares even if they do not have explicit access to said shares in the DNS-323 control panel. I.e., the user name does not seem to matter on sub folders of Volume_1. I tried this with Volume_1 itself and this doesn't work, however.

Last edited by xoltri (2007-11-22 00:46:45)


#2 2007-11-22 10:27:25

mig
Member
From: Seattle, WA
Registered: 2006-12-21
Posts: 532

Re: Security bug?

The software, running on the DNS-323, which enables Windows OS computers to access the
DNS-323 drives is called SAMBA (samba v2.2.8a for D-Link firmware v1.03). There is a configuration
file that determines which samba options are enabled (samba has a LOT of options!).

This file is located at /etc/samba/smb.conf. There are several options for authentication
which are designated by a line "security = " in the smb.conf file. By default the DNS-323 is
configured for SHARE authentication with the following line in smb.conf.

Code:

security = SHARE

With share-level security, the server accepts only a password without an explicit username
from the client. The server expects a password for each share, independent of the username.

This is the behavior you are observing. 

You can get more information about samba parameters at http://us3.samba.org/samba/docs/man/Sam … l#id325987
Remember with D-Link firmware v1.03, the samba version is 2.2.8a, so some options at the samba.org
website, like "security=ADS", are not available on the DNS-323.  The firmware v1.04beta has
samba v3.x with more options.

Another thing, the smb.conf file is copied from the flash memory to the hard drive at every bootup.
So, any modification you make to the hard drive will be lost on reboot. To overcome this, you can
install Fonz's fun_plug scripts http://www.inreto.de/dns323/ and set up a script to stop the default samba,
copy your enhanced configuration file to the /etc/samba directory, and then restart samba.

I'm not sure if anyone has changed the security mode for their DNS-323, I'm running in share mode.
More information is available on the DNS-323 wiki http://dns323.kood.org/howto:bettersamba

Last edited by mig (2007-11-22 10:44:36)


DNS-323 • 2x Seagate Barracuda ES 7200.10 ST3250620NS 250GB SATAII (3.0Gb/s) 7200RPM 16MB • RAID1 • FW1.03 • ext2 
Fonz's v0.3 fun_plug http://www.inreto.de/dns323/fun-plug
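
An added example, not part of mig's post or the D-Link firmware: a shell audit that reads an smb.conf, reports the effective "security" mode described above, and lists shares that have no "valid users" line. The function names, the sample file and its paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an smb.conf for share-level security (function names are hypothetical).

# Print the effective [global] "security" value in lower case.
# smb.conf parameter names are case-insensitive and ignore embedded spaces.
smb_security_mode() {
    awk '
        /^[ \t]*[#;]/ { next }                                   # comment line
        /^[ \t]*\[/   { sec = tolower($0); gsub(/[ \t\r]/, "", sec); next }
        sec == "[global]" && (i = index($0, "=")) {
            key = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, i + 1)); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == "security") mode = val
        }
        END { print (mode == "" ? "user" : mode) }               # unset means user
    ' "$1"
}

# Print the name of every share section that has no "valid users" line.
shares_without_valid_users() {
    awk '
        function emit() { if (name != "" && tolower(name) != "global" && !restricted) print name }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { emit(); name = $0; gsub(/^[ \t]*\[|\][ \t\r]*$/, "", name)
                        restricted = 0; next }
        (i = index($0, "=")) {
            key = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", key)
            if (key == "validusers") restricted = 1
        }
        END { emit() }
    ' "$1"
}

# Constructed sample modelled on the thread; paths are placeholders.
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
[global]
   ; constructed sample, not the real DNS-323 file
   Security = SHARE
[Acc Common]
   path = /mnt/example/Accounting/Acc Common
   valid users = @AccountingGroup
[Sales Common]
   path = /mnt/example/Sales/Sales Common
EOF

if [ "$(smb_security_mode "$SAMPLE")" = "share" ]; then
    echo "WARNING: security = share, passwords are checked per share, not per user"
fi
shares_without_valid_users "$SAMPLE" | sed 's/^/no valid users line: /'
```

To check a real device, run the two functions against a copy of /etc/samba/smb.conf instead of the sample.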


#3 2007-11-22 16:58:01

xoltri
New member
Registered: 2007-11-22
Posts: 2

Re: Security bug?

Mig,

Thanks a lot for the detailed answer.

I have tried using fun_plug. I managed to telnet into the device but got lost from there so I decided I didn't want to break anything.  Maybe in the future I'll try to figure this out.
