From: Andrew Bartlett Date: Mon, 9 Aug 2021 21:14:08 +0000 (+1200) Subject: docs: Document all the other ways to send a password to smbclient et al X-Git-Tag: ldb-2.5.0~759 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9b50d2e52e6c85bc3ab991cd8a4b870aff397bda;p=thirdparty%2Fsamba.git docs: Document all the other ways to send a password to smbclient et al This was previously hidden knowlege not easily available to administrators and end users. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14791 Signed-off-by: Andrew Bartlett Reviewed-by: Jeremy Allison --- diff --git a/docs-xml/build/DTD/samba.entities b/docs-xml/build/DTD/samba.entities index 80e051e7684..beff3cb1f6e 100644 --- a/docs-xml/build/DTD/samba.entities +++ b/docs-xml/build/DTD/samba.entities @@ -595,13 +595,16 @@ - If &pct;password is not specified, the user will be + If &pct;PASSWORD is not specified, the user will be prompted. The client will first check the - USER environment variable, then the - LOGNAME variable and if either exists, - the string is uppercased. If these environmental + USER environment variable + (which is also permitted to also contain the + password seperated by a &pct;), then the + LOGNAME variable (which is not + permitted to contain a password) and if either exists, + the value is used. If these environmental variables are not found, the username - GUEST is used. + found in a Kerberos Credentials cache may be used. @@ -616,9 +619,15 @@ - Be cautious about including passwords in scripts. For - security it is better to let the client ask for the - password if needed. + Be cautious about including passwords in scripts + or passing user-supplied values onto the command line. For + security it is better to let the Samba client tool ask for the + password if needed, or obtain the password once with kinit. + + + While Samba will attempt to scrub the password + from the process title (as seen in ps), this + is after startup and so is subject to a race. @@ -659,10 +668,31 @@ Specify the password on the commandline. + Be cautious about including passwords in + scripts or passing user-supplied values onto + the command line. For security it is better to + let the Samba client tool ask for the password + if needed, or obtain the password once with + kinit. + + + If --password is not specified, + the tool will check the PASSWD + environment variable, followed by PASSWD_FD + which is expected to contain an open + file descriptor (FD) number. + + + Finally it will check PASSWD_FILE (containing + a file path to be opened). The file should only + contain the password. Make certain that the + permissions on the file restrict + access from unwanted users! + - Be cautious about including passwords in scripts. For - security it is better to let the client ask for the - password if needed. + While Samba will attempt to scrub the password + from the process title (as seen in ps), this + is after startup and so is subject to a race.