Samba/CIFS: WebGUI defaults to guest account 'daemon' when configured guest account goes missing
Reported by: kuruption
Owned by:
If I configure the guest account for CIFS or a CIFS share as a user on my AD domain, and then disable AD through the control panel, when I go to edit the CIFS settings or share settings, the guest user defaults to 'daemon'. This could possibly lead to unexpected access to data on a share.
1) Configure Active Directory and start service
2) Configure CIFS settings
   a) Set the "Guest Account" to some user on the domain configured
   b) Ensure "Allow Guest Access" is checked.
   c) Save Configuration and start service.
3) Stop Active Directory Service
4) Edit CIFS Settings. The drop down for the guest account will default to 'daemon'.
As mentioned, this could possibly result in privilege escalation on the NAS box share if someone chose to make the owner of the data the daemon user.
This issue could possibly be replicated when local system users are created, made the guest user, and then later deleted.
It is generally unexpected behavior.
Perhaps the proper method would be to append the "missing user" entry to the list of possible users, but then set disabled="disabled" in the HTML. Not sure whether this will work. Or default to the user 'nobody', since this is the traditional UNIX "guest" user.
Additionally, the GUI could notify the user that the user configured is not available anymore.
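The following is an added example, not FreeNAS code and not something the reporter posted, showing the two ways the drop-down can behave once the configured guest account disappears: the silent fall-through to the first entry that the ticket describes, beside the fix the reporter suggests (keep the missing user visible but disabled, warn, and fall back to 'nobody'). The user lists, the select-widget shape and the smb.conf lines are assumptions made for the example; a real resolver would take its list from pwd.getpwall() on the box.

```python
"""
Added example (not FreeNAS code): resolving a configured Samba guest
account against the users currently known to the system.

Assumptions (not from the ticket): the GUI builds its drop-down from a
list of candidate usernames (root excluded) and stores the configured
guest account as a plain username string. The user lists below are
constructed samples; the AD user is only present while the directory
service is running.
"""
import html
import pwd
from dataclasses import dataclass, field
from typing import Optional

# Constructed candidate lists, in /etc/passwd order with root filtered out.
CANDIDATES_AD_ON = ["daemon", "operator", "nobody", "www", "DOMAIN\\guest"]
CANDIDATES_AD_OFF = ["daemon", "operator", "nobody", "www"]


def naive_guest_choice(configured: str, candidates: list[str]) -> str:
    """Behaviour the ticket describes: when the stored value is not among
    the choices, the select widget silently shows its first option."""
    return configured if configured in candidates else candidates[0]


@dataclass
class GuestResolution:
    effective: str                          # account Samba will actually use
    missing: Optional[str] = None           # configured account that no longer exists
    choices: list[tuple[str, bool]] = field(default_factory=list)  # (name, disabled)
    warning: Optional[str] = None


def resolve_guest_account(configured: str, candidates: list[str],
                          fallback: str = "nobody") -> GuestResolution:
    """Hardened form: keep the missing user visible but disabled, warn the
    admin, and map guest access to the traditional UNIX guest user."""
    choices = [(u, False) for u in candidates]
    if configured in candidates:
        return GuestResolution(effective=configured, choices=choices)
    if fallback not in candidates:
        raise ValueError(f"fallback guest account {fallback!r} does not exist")
    choices.insert(0, (configured, True))   # shown first, but not selectable
    return GuestResolution(
        effective=fallback,
        missing=configured,
        choices=choices,
        warning=(f"Guest account {configured!r} is no longer available on this "
                 f"system; guest access maps to {fallback!r} until you pick another."),
    )


def render_guest_select(res: GuestResolution) -> str:
    """HTML for the drop-down, with the missing entry marked disabled and
    the effective account pre-selected (assumed widget shape)."""
    opts = []
    for name, disabled in res.choices:
        attrs = ' disabled="disabled"' if disabled else ""
        if name == res.effective:
            attrs += ' selected="selected"'
        safe = html.escape(name, quote=True)
        opts.append(f'  <option value="{safe}"{attrs}>{safe}</option>')
    return '<select name="guest">\n' + "\n".join(opts) + "\n</select>"


def smb_guest_lines(res: GuestResolution) -> list[str]:
    """smb.conf lines Samba reads; never emit a user that does not exist."""
    return [f"guest account = {res.effective}", "map to guest = Bad User"]


def live_candidates() -> list[str]:
    """Real lookup for use on the NAS itself (not used by the sample run)."""
    return [p.pw_name for p in pwd.getpwall() if p.pw_name != "root"]


if __name__ == "__main__":
    configured = "DOMAIN\\guest"
    print("naive, AD off :", naive_guest_choice(configured, CANDIDATES_AD_OFF))
    res = resolve_guest_account(configured, CANDIDATES_AD_OFF)
    print("hardened      :", res.effective, "|", res.warning)
    print(render_guest_select(res))
    print("\n".join(smb_guest_lines(res)))
```

The same resolver covers the second case the reporter raises (a local user set as guest and later deleted): any configured name absent from the candidate list is treated the same way, so the form never quietly lands on whichever system account happens to sort first.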