[Samba] some samba security questions

Herb Lewis herb at sgi.com
Mon Mar 10 20:17:35 GMT 2003


By setting "force user = fred" in your smb.conf file you make all
authenticated users "become" fred for this share. If fred has write 
permission then everyone who authenticates properly (members of
staff group) will be able to write.

Marc Balcells wrote:
> 
> Hello, I'm running samba on a redhat linux 7.3 server in order to share
> files to a mixed linux/windows local network without a domain controller;
> all clients are configured to do local authentication and these
> usernames/passwords are the same as on the linux server.
> 
> I'd like to restrict access to some directories inside samba shares for
> specific users, but changing unix file permissions won't do it.
> 
> For example,
> I have a share named "stuff" which is permitted to all members of the
> "staff" group, but inside this share I want to restrict access to a
> directory called "internal"; only one specific user has to be able to
> read/write inside it.
> As I said, I've tried to change unix permissions to 700 but still group
> members can read/write inside this directory.
> 
> Once I solve this, I would like to do something like the "veto files"
> directive does. I'd like to restrict access to one user to all
> directories named "internal" in whichever share they're in.
> 
> Another issue is client code-pages. All my clients use spanish
> characters set, but when windows clients create a file with special
> characters, linux clients get (invalid unicode) warnings on this
> filenames, any clue?
> 
> Can anyone help me with these three issues?
> 
> My smb.conf [GLOBAL] looks like:
>         smb passwd file = /etc/samba/smbpasswd
>         hosts deny = ALL
>         passwd program = /usr/bin/passwd %u
>         browseable = no
>         pam password change = yes
>         force directory mode = 770
>         printing = lprng
>         create mode = 770
>         dns proxy = no
>         force create mode = 770
>         encrypt passwords = yes
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         character set = ISO8859-15
>         printcap name = /etc/printcap
>         max log size = 0
>         hosts allow = 192.168.0.0/255.255.255.0 127.0.0.1
>         writable = yes
>         obey pam restrictions = yes
>         passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> *passwd:*all*authentication*tokens*updated*successfully*
>         directory mode = 770
>         security = user
>         unix password sync = Yes
>         hide unreadable = yes
>         server string = XXXXXXXXXXXXXXX
>         workgroup = XXXXXXXXXXXXXXX
>         client code page = cp850
>         log file = /var/log/samba/%m.log
>         netbios name = XXXXXXXXXX
>         load printers = yes
>         os level = 20
> 
> My share looks like:
> [stuff]
>         path = /home/stuff
>         force group = staff
>         valid users = @staff
>         comment = Some Stuff
>         wide links = no
>         revalidate = yes
>         force user = fred
>         hide unreadable = yes
> --

-- 
======================================================================
Herb Lewis                               Silicon Graphics 
Networking Engineer                      1600 Amphitheatre Pkwy MS-510
Strategic Software Organization          Mountain View, CA  94043-1351
herb at sgi.com                             Tel: 650-933-2177
http://www.sgi.com                       Fax: 650-932-2177          
PGP Key: 0x8408D65D
======================================================================
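As an added example (not from Herb's reply or Marc's posted config), here is the [stuff] share as posted next to a version that drops "force user", so that the per-user unix permissions on the internal/ directory actually take effect. The user name "alice" for the one person allowed into internal/, and the assumption that the "staff" group already exists, are constructed for this example.

```ini
# Added example, not from the original thread. Assumes the unix group
# "staff" exists and that "alice" (a constructed name) is the only user
# who should be able to read/write /home/stuff/internal.

# --- As posted: every authenticated staff member "becomes" fred ---
# smbd does all file access for this share as fred, so the 700 mode on
# internal/ is checked against fred, never against the real caller.
# Whatever fred can read or write, every staff member can read or write.
[stuff]
        path = /home/stuff
        force group = staff
        valid users = @staff
        comment = Some Stuff
        wide links = no
        revalidate = yes
        force user = fred
        hide unreadable = yes

# --- Corrected: file access runs as the authenticated user ---
# Without "force user", smbd switches to the unix identity of whoever
# authenticated, so the 700 mode on internal/ (owned by alice) decides
# who may enter it. "force group = staff" still keeps group ownership of
# new files consistent for the shared part of the tree, and
# "hide unreadable = yes" hides internal/ from users who cannot read it.
[stuff]
        path = /home/stuff
        force group = staff
        valid users = @staff
        comment = Some Stuff
        wide links = no
        revalidate = yes
        hide unreadable = yes
```

With the corrected share in place, make the restricted directory owned by that one user and closed to the group on the server side (for example `chown alice:staff /home/stuff/internal` followed by `chmod 700 /home/stuff/internal`); the "create mode"/"directory mode" settings from [global] then govern only the files each user creates, and a staff member other than alice gets "access denied" on internal/ instead of fred's access.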

