[Samba] Security Hell
Darren Martz
darren at shelbrook.com
Wed Aug 4 20:16:11 GMT 2004
I have been trying to setup two samba servers on Fedora Core 2 for the past 30 hours and am about to jump out a window.
I'm simply trying to create a few shares that multiple WinXP clients can have readonly access to and a select few have write privilages. Also, a few shares that are are private for a select few users with write privilages. In all cases, anybody should be able to browse the machine and access most shares.
I have read the smb.conf(5) manual many times... almost memorized the entire thing ;)
Valid users in the smbpasswd file include nobody and a few others.
Rather than explain my setup... here is a shorter version of my smb.conf file.
[global]
log file = /var/log/samba/%m.log
#log level = 3 passdb:5 auth:10 winbind:2
workgroup = MYDOMAIN
server string =
map to guest = Bad User
username map = /etc/samba/user.map
dead time = 10
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = no
netbios name = MyServer
invalid users = root
wide links = no
delete readonly = yes
os level = 20
security = user
guest account = nobody
browseable = yes
read only = no
default = software
[software]
# public has read access and dmartz has write access
comment = "Software Archives"
path = /home/software
username = nobody
valid users = dmartz
read list = nobody
write list = dmartz
force user = dmartz
force group = +users
force create mode = 0775
force directory mode = 0775
guest ok = yes
read only = no
[shivaun]
# private share, shivaun & dmartz have write access
comment = "Shivaun Martz Files"
path = /home/shivaun
valid users = dmartz, shivaun
write list = dmartz, shivaun
force user = shivaun
force group = +users
force create mode = 0775
force directory mode = 0775
guest ok = no
[darren]
comment = "Darren Martz Files"
path = /home/dmartz
valid users = dmartz
write list = dmartz
force user = dmartz
force group = +users
force create mode = 0775
force directory mode = 0775
guest ok = no
On each directory I have run "chown xxx:users /home/xxx" and "chmod 0775 /home/xxx" to avoid any ownership or access issues between users.
Problems:
1) when I change readonly to yes in global and authorized users do not have write access.
2) when I leave readonly in global as 'no' then "nobody" can write and change files??
3) when I add "nobody = *" to the user.map file nobody can log in or browse anything???
Am I approaching this the wrong way?
Cheers,
Darren
________________________________________________________________
Sent via the WebMail system at shelbrook.com
More information about the samba
mailing list