[Samba] Security Hell

Darren Martz darren at shelbrook.com
Wed Aug 4 20:16:11 GMT 2004


I have been trying to set up two samba servers on Fedora Core 2 for the past 30 hours and am about to jump out a window.

I'm simply trying to create a few shares that multiple WinXP clients can have readonly access to and a select few have write privileges. Also, a few shares that are private for a select few users with write privileges. In all cases, anybody should be able to browse the machine and access most shares.

I have read the smb.conf(5) manual many times... almost memorized the entire thing ;)

Valid users in the smbpasswd file include nobody and a few others.

Rather than explain my setup... here is a shorter version of my smb.conf file.

[global]
	log file = /var/log/samba/%m.log
	#log level = 3 passdb:5 auth:10 winbind:2
	workgroup = MYDOMAIN
	server string = 
	map to guest = Bad User
	username map = /etc/samba/user.map	
	dead time = 10
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	load printers = no 
	netbios name = MyServer
	invalid users = root
	wide links = no
	delete readonly = yes
	os level = 20
	security = user
	guest account = nobody
	browseable = yes
	read only = no
	default = software

[software]
        # public has read access and dmartz has write access
	comment = "Software Archives"
	path = /home/software
	username = nobody
	valid users = dmartz
	read list = nobody
	write list = dmartz
	force user = dmartz
	force group = +users
	force create mode = 0775
	force directory mode = 0775
	guest ok = yes
	read only  = no

[shivaun]
        # private share, shivaun & dmartz have write access
	comment = "Shivaun Martz Files"
	path = /home/shivaun
        valid users = dmartz, shivaun
        write list = dmartz, shivaun
        force user = shivaun
        force group = +users
        force create mode = 0775
        force directory mode = 0775
	guest ok = no
	
[darren]
	comment = "Darren Martz Files"
	path = /home/dmartz
	valid users = dmartz
	write list = dmartz
	force user = dmartz
	force group = +users
	force create mode = 0775
	force directory mode = 0775
	guest ok = no
	
On each directory I have run "chown xxx:users /home/xxx" and "chmod 0775 /home/xxx" to avoid any ownership or access issues between users.

Problems:
1) when I change readonly to yes in global, authorized users do not have write access.
2) when I leave readonly in global as 'no' then "nobody" can write and change files??
3) when I add "nobody = *" to the user.map file nobody can log in or browse anything???

Am I approaching this the wrong way?

Cheers,
Darren 
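
Added example, not part of the original post: a small Python model of the `username map` rules documented in smb.conf(5) (the `*` wildcard, the `!` stop marker, `#`/`;` comments), showing what the `nobody = *` line from problem 3 does to every client name. The map contents are constructed, `@group` entries are not modelled, and case-insensitive matching is an assumption.

```python
import shlex

# Constructed sample map files (not the poster's /etc/samba/user.map).
CATCH_ALL = "nobody = *\n"
SCOPED = """\
# '!' stops processing once this line has mapped the name
!dmartz = dmartz darren "Darren Martz"
!shivaun = shivaun
nobody = *
"""


def map_username(client_name, map_text):
    """Return the UNIX name a client name ends up as under map_text."""
    name = client_name
    for raw in map_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                       # blank line or comment
        stop_on_match = line.startswith("!")
        if stop_on_match:
            line = line[1:].lstrip()
        unix_name, sep, rhs = line.partition("=")
        unix_name = unix_name.strip()
        if not sep or not unix_name:
            continue                       # malformed line, skipped
        candidates = shlex.split(rhs)      # honours "quoted names"
        wanted = name.casefold()           # assumption: case-insensitive match
        if "*" in candidates or wanted in (c.casefold() for c in candidates):
            name = unix_name               # replaced by the left-hand name
            if stop_on_match:
                break                      # '!' line matched: stop here
    return name


def audit(map_text, clients):
    """Map each client name so a catch-all line is visible at a glance."""
    return {c: map_username(c, map_text) for c in clients}


if __name__ == "__main__":
    clients = ["dmartz", "shivaun", "Darren Martz", "visitor"]
    for label, text in (("catch-all", CATCH_ALL), ("scoped", SCOPED)):
        print(label, audit(text, clients))
```

With the catch-all map every client name, including dmartz and shivaun, is turned into nobody; with the scoped map only names that no earlier `!` line claimed fall through to nobody.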



