[Samba] security

Alexey Lobanov aal at evidence-cpr.com
Mon Oct 13 21:24:26 GMT 2003


Hi Erik.

On 13 Oct 2003 at 16:52, Erik Soderquist wrote:

Subject:        	RE: [Samba] security
Date sent:      	Mon, 13 Oct 2003 16:52:32 -0400
From:           	"Erik Soderquist" <esoderquist at mcstamp.com>
To:             	"Alexey Lobanov" <aal at evidence-cpr.com>,
	"Samba List" <samba at lists.samba.org>

> Would that I could, but I know nothing of programming. :(

It is not programming. I was a programmer 15 years ago; now I write about 100 
lines of program code per year, mostly 2-line scripts :-)

> very little of kernel operations either. :(

Not kernel operations but kernel capabilities and configuration options. It is 
a very big difference. And it is worth knowing for a system administrator.

I really suspect (but suspect only) that Red Hat has all this stuff bundled. 
ACL Kernel + ACL utilities + ACL Samba. Debian 3 (my choice) has utilities and 
libs only, kernel and Samba must be compiled from source.

Note: any ext2 partition is able to store those "Extended Attributes" (which 
are the room for ACL storage), you need not do anything special with the 
"mke2fs" format utility.

> That being said, I thank all for their help, and will look into making this work
> on the linux box. Bye bye SCO.

Good luck! Udachi!

Alexey

> -----Original Message-----
> From: Alexey Lobanov [mailto:aal at evidence-cpr.com] 
> Sent: Monday, October 13, 2003 16:12
> To: Erik Soderquist
> Cc: samba at lists.samba.org
> Subject: RE: [Samba] security
> 
> 
> Hi Erik.
> 
> On 13 Oct 2003 at 15:46, Erik Soderquist wrote:
> 
> Subject:        	RE: [Samba] security
> Date sent:      	Mon, 13 Oct 2003 15:46:49 -0400
> From:           	"Erik Soderquist" <esoderquist at mcstamp.com>
> To:             	<samba at lists.samba.org>
> 
> > Reason I ask, I have SCO 5.0.? With samba installed and it looks like ACL's
> > are not an option for this machine. I'm looking at replacing both the SCO box
> > and some win2k servers with linux (redhat 9). The main file server isn't an
> > option without the ACL's though. What versions of samba have the ACL support?
> 
> ACL has been present in Samba for a long time. So, the recommended version for
> a production system is the most stable one, 2.2.8a.
> 
> I know nothing about ACL support in pre-compiled Red Hat kernels and Samba. ACL
> utilities (setfacl, getfacl) and shared libs (libattr, libacl) are present.
> Replaced e2fsck? Don't know.
> 
> As for me, I prefer to compile the few mission-critical pieces of software 
> (Linux kernel, Samba, mailserver) from source, just to know the _exact_ set of
> active capabilities.
> 
> To compile Samba with ACL, you also need to install the "acl-development"
> package containing the libacl & libattr headers; it's present in Red Hat.
> Without it, the "--with-acl" compile option will provide you some control over
> the Unix 9-bit set of rights from the Windows side, nothing more.
> 
> Illustrations:
> 
> ~$ ldd /usr/local/samba/bin/smbd
>         libacl.so.1 => /lib/libacl.so.1 (0x4001b000)
>         libattr.so.1 => /lib/libattr.so.1 (0x40021000)
>         libdl.so.2 => /lib/libdl.so.2 (0x4014a000)
>         libnsl.so.1 => /lib/libnsl.so.1 (0x4014d000)
>         libcrypt.so.1 => /lib/libcrypt.so.1 (0x40161000)
>         libpopt.so.0 => /lib/libpopt.so.0 (0x4018e000)
>         libldap.so.2 => /usr/lib/libldap.so.2 (0x40194000)
>         liblber.so.2 => /usr/lib/liblber.so.2 (0x401b9000)
>         libc.so.6 => /lib/libc.so.6 (0x401c4000)
>         libresolv.so.2 => /lib/libresolv.so.2 (0x402e1000)
>         libsasl.so.7 => /usr/lib/libsasl.so.7 (0x402f1000)
>         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
>         libdb2.so.2 => /lib/libdb2.so.2 (0x402fc000)
>         libpam.so.0 => /lib/libpam.so.0 (0x4033d000)
> 
> (note libacl & libattr)
> 
> :~$ mount
> .....
> /dev/md0 on /home type ext2 (rw,nosuid,nodev,usrquota,acl)
> 
> ~$ uname -a
> Linux woody 2.4.21 #2 Thu Aug 21 17:20:40 MSD 2003 i686 unknown
> 
> Alexey
> 
> > -----Original Message-----
> > From: Alexey Lobanov [mailto:aal at evidence-cpr.com] 
> > Sent: Monday, October 13, 2003 15:33
> > To: Erik Soderquist
> > Cc: samba at lists.samba.org
> > Subject: RE: [Samba] security
> > 
> > 
> > Hi Erik.
> > 
> > On 13 Oct 2003 at 15:23, Erik Soderquist wrote:
> > 
> > Subject:        	RE: [Samba] security
> > Date sent:      	Mon, 13 Oct 2003 15:23:27 -0400
> > From:           	"Erik Soderquist" <esoderquist at mcstamp.com>
> > To:             	<samba at lists.samba.org>
> > 
> > > Can these be adjusted from a windows workstation, or must they be adjusted
> > > from the *nix machine?
> > 
> > Surely, WinNT(4,5) "Security" tab works fine. Win9x is assumed to be dead.
> > 
> > Alexey
> > 
> > 
> > > 
> > > -----Original Message-----
> > > From: Gémes Géza [mailto:geza at kzsdabas.sulinet.hu] 
> > > Sent: Monday, October 13, 2003 14:18
> > > To: Erik Soderquist
> > > Cc: samba at lists.samba.org
> > > Subject: Re: [Samba] security
> > > 
> > > 
> > > Erik Soderquist wrote:
> > > | In windows, I can set user1 to read only, user2 to full control, user3
> > > | to write only, user 4 to modify, user 5 to delete only, user 6 to no
> > > | direct access but can change permissions, etc. can I, how can I set this
> > > | kind of granular permission with samba on linux?
> > > 
> > > You should use samba with acl support, on top of an acl enabled
> > > filesystem, e.g.:
> > 
> > 
> 
> 
> 
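
The two checks from the "Illustrations" in the quoted message (smbd linked against libacl and libattr, and the filesystem mounted with the acl option), as an added example that is not part of the original thread. The function names are hypothetical, the second ldd sample and the /srv mount line are constructed, and the mount check assumes the option is listed explicitly, as it is in the post.

```shell
# Added example, not from the thread; function names are hypothetical.
# Succeeds only if `ldd smbd` output on stdin resolves both libacl and libattr.
smbd_has_acl_libs() {
    awk '
        $1 ~ /^libacl\.so/  && $2 == "=>" && $3 != "not" { acl = 1 }
        $1 ~ /^libattr\.so/ && $2 == "=>" && $3 != "not" { attr = 1 }
        END { exit !(acl && attr) }'
}

# Succeeds only if `mount` output on stdin lists "acl" as a whole option for
# mount point $1, so "noacl" or a missing option both fail.
mount_has_acl() {
    awk -v mp="$1" '
        $2 == "on" && $3 == mp {
            opts = $NF; gsub(/[()]/, "", opts)
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "acl") found = 1
        }
        END { exit !found }'
}

# Sample input: two ldd lines as quoted in the post.
sample_ldd_with_acl() {
    cat <<'EOF'
        libacl.so.1 => /lib/libacl.so.1 (0x4001b000)
        libattr.so.1 => /lib/libattr.so.1 (0x40021000)
EOF
}
# Constructed sample: an smbd built without the libacl/libattr headers.
sample_ldd_without_acl() {
    cat <<'EOF'
        libc.so.6 => /lib/libc.so.6 (0x401c4000)
EOF
}
# First line is from the post; the /srv line is constructed.
sample_mount() {
    cat <<'EOF'
/dev/md0 on /home type ext2 (rw,nosuid,nodev,usrquota,acl)
/dev/md1 on /srv type ext2 (rw,nosuid,nodev)
EOF
}

# On a live system: ldd /usr/local/samba/bin/smbd | smbd_has_acl_libs
for s in sample_ldd_with_acl sample_ldd_without_acl; do
    $s | smbd_has_acl_libs && r=linked || r=missing
    echo "$s: libacl/libattr $r"
done
for mp in /home /srv; do
    sample_mount | mount_has_acl "$mp" && r=set || r=absent
    echo "$mp: acl mount option $r"
done
```

A build where the first check fails is the case the message describes: only the 9-bit Unix rights are controllable from the Windows side.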




