[Pkg-samba-maint] Merging more Ubuntu changes?

Steve Langasek vorlon at debian.org
Fri Dec 29 01:26:01 UTC 2006 

On Tue, Dec 19, 2006 at 07:59:04AM +0100, Christian Perrier wrote:
> >      * debian/smb.conf:
> >        - Do not show the version number by default

> I tend to agree with that one. Seeing all these "(samba x.y.z)"
> servers on my network is annying..:-)

I think this might have been done originally in response to upstream's
concerns about our Samba builds not having a distinguishing version?
Anyway, this is also a potential information leak to an attacker, so I don't
object to the change.

> >        - Comment out the default [homes] shares and add more verbose comments to
> >          explain what they do and how they work (closes: launchpad.net/27608)

> ie not sharing homes by default....Any comments from other team members?

I think homes should be shared by default.

The launchpad bug report is an entertaining read. :)

> >        - Add a "valid users = %S" stanza to the commented-out [homes] section,
> >          to show users how to restrict access to \\server\username to only
> >          username.

> Sounds fair.

I wouldn't want to use such an example without consulting upstream first
about its appropriateness.  It's been a long time since I've bothered trying
to use 'valid users = %foo' to secure home shares.

> >        - Change the (commented-out) "printer admin" example to use "@lpadmin"
> >          instead of "@ntadmin", since the lpadmin group is used for spool admin.

> Sounds fair

This has security implications.  It's not obvious that the set of admins for
the local Unix printer spools is congruent to the set of admins for the NT
printer drivers; unless someone can show why this should be the case, I
object to such a change.

> >      * debian/panic-action:
> >        - Alter the panic-action script to encourage users to report their
> >          bugs in Ubuntu packages to Ubuntu, rather than reporting to Debian.
> >          Modify text to more closely match the Debian script

> We could maybe make part of this script more easily configurable for
> CDD by using variable parts that could be setup in /etc/default/samba

No objections in principle.

> >      * debian/samba-common.templates:
> >        - Set default workgroup to MSHOME

> Well, the current "DEBIAN_FANS" we have sounds a bit childish to
> me. However, I'm unsure abnout the choice of "MSHOME" by Ubuntu...

I wonder if we still have the debconf bug that prevents you from actually
changing this workgroup name at install time? :/

> >      * debian/control:
> >        - remove typehandling
> >        - add update-inetd to Depends

> Should be investigated. 

Yes, samba currently depends on netbase for use of update-inetd.  Now that
there is an update-inetd package, we should transition, but no hurry.

> >      * debian/samba-common.config:
> >        - do not change priority to HIGH if dhclient3 is installed

> Interesting change. To be discussed

Given the default is 'no', as it must be for policy reasons, I think we
would still want this as a high-prio question, personally.

> >        - do not install mount.cifs and umount.cifs as suid

> Well, that would be a regression for our users. Should we ask a
> debconf question about this ?

Ugh, no. :)

I'm averse to making any changes to the mount helpers without a very, very
thorough examination and discussion with upstream.  But I'm even more averse
to adding debconf questions for things like permissions. :)

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/

More information about the Pkg-samba-maint mailing list