[Samba] how to prevent copying programs on local harddisk from samba share

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Oct 14 08:58:58 MDT 2010


What is the program they are running? What kind of files? Is the
issue that once they give themselves write access they are then able to
read data they couldn't see before?




On 10/14/2010 04:19 AM, Daniel Müller wrote:
> I think you can restrict users from installing programs with policies, but you
> cannot restrict them from running an executable which does not install at all
>
> -----------------------------------------------
> EDV Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller at tropenklinik.de
> Internet: www.tropenklinik.de
> -----------------------------------------------
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On
> Behalf Of Hubert Choma
> Sent: Thursday, 14 October 2010 08:48
> To: samba
> Subject: [Samba] how to prevent copying programs on local harddisk from
> samba share
>
> Hello
>
> I have samba PDC 3.3.8-0.52.el5_5.2 on centos 5.5. My clients - win XP
> PRO SP3.
>
> I have noticed that some users copy the whole catalog with the program
> from the samba share and run it from a local drive where they got full access.
> Write access for this share [geo$] is only for the @geo group! Others can't
> write. So they are working around this!
>
> How can I prevent copying programs from samba shares to local drives
> and running them from there? Is there any possibility to secure programs and run
> them from samba shares only?
>
> Please help!
>
> [global]
>          workgroup = geodezja
>          server string = Samba Server %v
>          interfaces = 10.10.10.0/255.255.255.0 127.0.0.1
>          bind interfaces only = Yes
>
>          update encrypted = Yes
>          client ntlmv2 auth = yes
>          log level = 2 vfs:3 auth:2 passdb:3
>          log file = /var/log/samba/%U.%m.log
>          max log size = 500
> #PERFORMANCE
>          socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
>          read raw = yes
>          write raw = yes
>          max xmit = 65535
>          large readwrite = yes
>
>          add user script = /usr/sbin/useradd "%u" -n -g users
>          add group script = /usr/sbin/groupadd "%g"
>          add machine script = /usr/sbin/useradd -n -c "komputer (%u)" -M -d /nohome -s /bin/false "%u"
> #       add machine script = /usr/sbin/useradd -g komputery -d /dev/null -s /bin/false -M "%u"
>
>
>          logon script = %G.CMD
>
>          logon path =
>          logon home =
>          domain logons = yes
>          os level = 128
>          preferred master = yes
>          domain master = yes
>          local master = yes
>          remote browse sync = none
>          remote announce = none
>          dns proxy = No
>          wins support = yes
>          name resolve order = wins hosts bcast
>          hosts allow = 10.10.10.0/255.255.255.0 127.0.0.1
>          hosts deny = ALL
>          security = user
>          null passwords = no
>          deadtime = 0
>          map to guest = never
>          create mask = 0777
>          nt acl support = no
>          time server = yes
>          enable privileges = yes
>          passdb backend = tdbsam
>          username map = /etc/samba/smbusers
>          hide dot files = yes
>          guest ok = no
>          name cache timeout = 60
>
>
> [geo$]
>          comment = Mapa
> #       oplock = yes
> #       level2oplocks = yes
> #       locking = yes
>          invalid users = @geodeta,@ewidencja,
>          write list = +geo
>          path = /home/samba/geo
>          force group = geo
>          force create mode = 0777
>          vfs object = recycle full_audit
>          recycle:repository = .recycle/%U
>          recycle:touch = true
>          recycle:keeptree = true
>          recycle:versions = false
>          recycle:exclude = *.TMP *.STP
>          recycle:directory_mode = 773
>          full_audit:prefix = %u|%m|%I|%S
>          full_audit:success = read pwrite write rename unlink rmdir mkdir lock pread
>          full_audit:failure = read write
>
>
>    
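
An added example, not part of the original thread: the [geo$] share in the quoted smb.conf already audits read and pread through full_audit, so successful reads of many distinct files by accounts outside the write list can be summarised from the audit log as a heuristic sign of a directory copy. It assumes the module's syslog layout prefix|operation|result|file with the thread's prefix %u|%m|%I|%S; the user names, the writers set, the threshold and the sample lines are constructed.

```python
from collections import defaultdict

MARKER = "smbd_audit: "          # syslog ident used by vfs_full_audit
READ_OPS = {"read", "pread"}     # read operations audited on [geo$]

def parse_audit_line(line):
    """Return the fields of one audit record, or None for any other line."""
    _, found, record = line.partition(MARKER)
    if not found:
        return None
    # %u|%m|%I|%S gives four prefix fields, then operation, result, file.
    # maxsplit=6 keeps a '|' inside the file name in the last field.
    parts = record.rstrip("\n").split("|", 6)
    if len(parts) != 7:
        return None
    user, machine, ip, share, op, result, path = parts
    return {"user": user, "machine": machine, "ip": ip, "share": share,
            "op": op, "ok": result == "ok", "path": path}

def bulk_readers(lines, share, writers, threshold):
    """Map (user, machine) -> sorted distinct files read successfully on
    `share` by users outside `writers`, kept only at >= `threshold` files."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or rec["share"] != share or not rec["ok"]:
            continue
        if rec["op"] in READ_OPS and rec["user"] not in writers:
            seen[(rec["user"], rec["machine"])].add(rec["path"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}

# Constructed sample lines; users, hosts and file names are invented.
H = "Oct 14 08:40:01 srv smbd_audit: "
SAMPLE = [
    H + "jkowal|pc12|10.10.10.23|geo$|read|ok|mapa/mapa.exe",
    H + "jkowal|pc12|10.10.10.23|geo$|pread|ok|mapa/mapa.exe",
    H + "jkowal|pc12|10.10.10.23|geo$|read|ok|mapa/mapa.dll",
    H + "jkowal|pc12|10.10.10.23|geo$|read|ok|mapa/dane|2010.dbf",
    H + "jkowal|pc12|10.10.10.23|geo$|read|fail (Permission denied)|mapa/x.ini",
    H + "anowak|pc03|10.10.10.7|geo$|read|ok|mapa/mapa.exe",
    H + "mzielin|pc20|10.10.10.31|geo$|read|ok|mapa/mapa.exe",
    "Oct 14 08:40:02 srv smbd[2211]: unrelated daemon message",
]

if __name__ == "__main__":
    # "anowak" stands in for a member of the geo group (assumption).
    for who, files in bulk_readers(SAMPLE, "geo$", {"anowak"}, 3).items():
        print(who, len(files), "files:", ", ".join(files))
```

Running a program directly from the share also reads its executable and libraries, so the threshold has to be tuned against normal use of the share.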


