[Samba] security
Alexey Lobanov
aal at evidence-cpr.com
Mon Oct 13 21:24:26 GMT 2003
Hi Erik.
On 13 Oct 2003 at 16:52, Erik Soderquist wrote:
Subject: RE: [Samba] security
Date sent: Mon, 13 Oct 2003 16:52:32 -0400
From: "Erik Soderquist" <esoderquist at mcstamp.com>
To: "Alexey Lobanov" <aal at evidence-cpr.com>,
"Samba List" <samba at lists.samba.org>
> Would that I could, but I know nothing of programming. :(
It is not programming. I was a programmer 15 years ago; now I write about 100
lines of program code per year, mostly 2-line scripts :-)
> very little of kernel operations either. :(
Not kernel operations but kernel capabilities and configuration options. It is
a very big difference. And it is worth knowing for a system administrator.
I really suspect (but suspect only) that Red Hat has all this stuff bundled.
ACL Kernel + ACL utilities + ACL Samba. Debian 3 (my choice) has utilities and
libs only, kernel and Samba must be compiled from source.
Note: any ext2 partition is able to store those "Extended Attributes" (which
are the room for ACL storage); you need not do anything special with
the "mke2fs" format utility.
> That being said, I thank all for their help, and will look into making this work
> on the linux box. Bye bye SCO.
Good luck! Udachi!
Alexey
> -----Original Message-----
> From: Alexey Lobanov [mailto:aal at evidence-cpr.com]
> Sent: Monday, October 13, 2003 16:12
> To: Erik Soderquist
> Cc: samba at lists.samba.org
> Subject: RE: [Samba] security
>
>
> Hi Erik.
>
> On 13 Oct 2003 at 15:46, Erik Soderquist wrote:
>
> Subject: RE: [Samba] security
> Date sent: Mon, 13 Oct 2003 15:46:49 -0400
> From: "Erik Soderquist" <esoderquist at mcstamp.com>
> To: <samba at lists.samba.org>
>
> > Reason I ask, I have SCO 5.0.? With samba installed and it looks like ACL's
> > are not an option for this machine. I'm looking at replacing both the SCO box
> > and some win2k servers with linux (redhat 9). The main file server isn't an
> > option without the ACL's though. What versions of samba have the ACL support?
>
> ACL has been present in Samba for a long time. So, the recommended version for
> a production system is the most stable one, 2.2.8a.
>
> I know nothing about ACL support in pre-compiled Red Hat kernels and Samba. ACL
> utilities (setfacl, getfacl) and shared libs (libattr, libacl) are present.
> Replaced e2fsck? Don't know.
>
> As for me, I prefer to compile the few mission-critical pieces of software
> (Linux kernel, Samba, mailserver) from source, just to know the _exact_ set of
> active capabilities.
>
> To compile Samba with ACL, you also need to install the "acl-development" package
> containing the libacl & libattr headers; it's present in Red Hat. Without it, the
> "--with-acl" compile option will give you some control over the Unix 9-bit set of
> rights from the Windows side, nothing more.
>
> Illustrations:
>
> ~$ ldd /usr/local/samba/bin/smbd
> libacl.so.1 => /lib/libacl.so.1 (0x4001b000)
> libattr.so.1 => /lib/libattr.so.1 (0x40021000)
> libdl.so.2 => /lib/libdl.so.2 (0x4014a000)
> libnsl.so.1 => /lib/libnsl.so.1 (0x4014d000)
> libcrypt.so.1 => /lib/libcrypt.so.1 (0x40161000)
> libpopt.so.0 => /lib/libpopt.so.0 (0x4018e000)
> libldap.so.2 => /usr/lib/libldap.so.2 (0x40194000)
> liblber.so.2 => /usr/lib/liblber.so.2 (0x401b9000)
> libc.so.6 => /lib/libc.so.6 (0x401c4000)
> libresolv.so.2 => /lib/libresolv.so.2 (0x402e1000)
> libsasl.so.7 => /usr/lib/libsasl.so.7 (0x402f1000)
> /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
> libdb2.so.2 => /lib/libdb2.so.2 (0x402fc000)
> libpam.so.0 => /lib/libpam.so.0 (0x4033d000)
>
> (note libacl & libattr)
>
> :~$ mount
> .....
> /dev/md0 on /home type ext2 (rw,nosuid,nodev,usrquota,acl)
>
> ~$ uname -a
> Linux woody 2.4.21 #2 Thu Aug 21 17:20:40 MSD 2003 i686 unknown
>
> Alexey
>
> > -----Original Message-----
> > From: Alexey Lobanov [mailto:aal at evidence-cpr.com]
> > Sent: Monday, October 13, 2003 15:33
> > To: Erik Soderquist
> > Cc: samba at lists.samba.org
> > Subject: RE: [Samba] security
> >
> >
> > Hi Erik.
> >
> > On 13 Oct 2003 at 15:23, Erik Soderquist wrote:
> >
> > Subject: RE: [Samba] security
> > Date sent: Mon, 13 Oct 2003 15:23:27 -0400
> > From: "Erik Soderquist" <esoderquist at mcstamp.com>
> > To: <samba at lists.samba.org>
> >
> > > Can these be adjusted from a windows workstation, or must they be adjusted
> > > from the *nix machine?
> >
> > Surely, the WinNT(4,5) "Security" tab works fine. Win9x is assumed to be dead.
> >
> > Alexey
> >
> >
> > >
> > > -----Original Message-----
> > > From: Gémes Géza [mailto:geza at kzsdabas.sulinet.hu]
> > > Sent: Monday, October 13, 2003 14:18
> > > To: Erik Soderquist
> > > Cc: samba at lists.samba.org
> > > Subject: Re: [Samba] security
> > >
> > >
> > > WARNING: Unsanitized content follows.
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > Erik Soderquist wrote:
> > > | In windows, I can set user1 to read only, user2 to full control, user3
> > > | to write only, user 4 to modify, user 5 to delete only, user 6 to no
> > > | direct access but can change permissions, etc. can I, how can I set this
> > > | kind of granular permission with samba on linux?
> > >
> > > You should use samba with acl support, on top of an acl enabled
> > > filesystem, e.g.:
> >
> >
>
>
>
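
The two checks illustrated in the message above (smbd linked against libacl and libattr, and the share's filesystem mounted with the `acl` option), written as an added shell example that is not part of the original thread. The function names and the `noacl` sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample text below is taken from the
# thread's own output plus one constructed "noacl" line.

# Reads `ldd smbd` output on stdin; succeeds only if BOTH libacl and libattr
# are linked (per the thread, a build without them exposes only the 9-bit
# Unix rights to Windows clients).
smbd_links_acl_libs() {
    awk '$1 ~ /^libacl\.so/ { a = 1 } $1 ~ /^libattr\.so/ { x = 1 }
         END { exit !(a && x) }'
}

# Reads `mount` output on stdin; $1 is the mount point. Succeeds only if that
# mount lists the exact option "acl" (so "noacl" does not count).
mount_has_acl() {
    awk -v mp="$1" '
        $2 == "on" && $3 == mp {
            opts = $NF; gsub(/[()]/, "", opts)
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "acl") found = 1
        }
        END { exit !found }'
}

# Live check: $1 = path to smbd, $2 = mount point holding the share.
check_samba_acl() {
    rc=0
    ldd "$1" | smbd_links_acl_libs || { echo "FAIL: $1 not linked with libacl+libattr"; rc=1; }
    mount | mount_has_acl "$2" || { echo "FAIL: $2 not mounted with acl"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: smbd and $2 are both ACL-capable"
    return "$rc"
}

SAMPLE_LDD='libacl.so.1 => /lib/libacl.so.1 (0x4001b000)
libattr.so.1 => /lib/libattr.so.1 (0x40021000)
libc.so.6 => /lib/libc.so.6 (0x401c4000)'
SAMPLE_MOUNT='/dev/md0 on /home type ext2 (rw,nosuid,nodev,usrquota,acl)
/dev/hda1 on / type ext2 (rw,noacl)'

if [ "$#" -eq 2 ]; then
    check_samba_acl "$1" "$2"
else
    printf '%s\n' "$SAMPLE_LDD" | smbd_links_acl_libs && echo "sample smbd: ACL libs linked"
    printf '%s\n' "$SAMPLE_MOUNT" | mount_has_acl /home && echo "sample /home: acl"
    printf '%s\n' "$SAMPLE_MOUNT" | mount_has_acl / || echo "sample /: no acl"
fi
```

Run it as `sh script.sh /usr/local/samba/bin/smbd /home` for a live check. On filesystems where ACL support is a default mount option it may not appear in `mount` output, so a FAIL on the mount check there means "not listed", not "disabled".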