RE: Samba Permissions

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
M+\Craig White at <-
MMMEric Shubert at ->
Attachments:
Message as email
+ (text/plain)
+ (text/html)
+ (text/plain)
Delete this message
Reply to this message
Author: Lisa Kachold
Date:  
To: plug-discuss, klsmith2020
Subject: RE: Samba Permissions

Hey Eric,
{How are you?}

(a) Linux system permissions take precedence over Samba permissions.

For example if a directory does not have Linux write permission,
setting samba writeable = Yes (see below) will not allow to write to
shared directory / share.


(b) The filesystem permission cannot be take priority over Samba permission.
For example if filesystem mounted as readonly setting writeable = Yes
will not allow to write to any shared directory or share via samba
server.




In short:



Limits set by kernel-level access control such as file permissions,
file system mount options, ACLs, and SELinux policies cannot be
overridden by Samba. Both the kernel and Samba must permit the user to
perform an action on a file before that action can occur.




Samba Basic permissions are as follows (configuration file is smb.conf [/etc/samba/smb.conf]):



read only: This parameter controls whether an user has the ability to create or modify files within a share. This is default. guest ok: Uf this parameter is set to yes, the users will have access to the share without 


having to enter a password. This can pose security risk.writeable: Specifies users should have write access to the share.    
To enter a directory, it requires a set execution bit. With 770 only the owner and group members can enter it.


Your umask here is 775, not 770.

[ipc] 

        path = /ipc


        public = no


        writeable = yes


        guest ok = no


        create mask = 775


        force create mode = 775


        force directory mode = 775
directory mask = 2770


create mask = 770

force create mask = 770 

        valid users = @ipc-users


        inherit permissions = yes


Also what does your global smb section contain?
create mask = 0644
directory mask = 0755
Nosis| Obnosis | (503)754-4452



PLUG Linux Security Labs 2nd Saturday Each Month@Noon - 3PM
Date: Mon, 16 Mar 2009 08:48:51 -0700
Subject: Re: Samba Permissions
From:
To: ;

Sorry for the late reply:

The Linux permissions include:

/ipc group:ipc user:ipc

/ipc/ipc group:ipc user: ipc
/ipc/cbs group: cbs user:cbs

Two companies (IPC, CBS) get each folder. IPC employees don't need access to cbs, but cbs needs access to ipc. I created CBS users and added them to the cbs group, the ipc group, and the ipc-users group. I chmoded everything to 770. The users didn't have access. Below are my samba settings


[ipc]
path = /ipc
read only = no
create mask = 0775
valid users = @ipc-users

If I chmod to 777, they have access, if they change it to 770, they don't, making me thing I don't have the groups properly setup. if I run "groups <some_user>", it shows the correct groups added.


Thanks,
Eric

On Fri, Mar 13, 2009 at 8:38 PM, keith smith <> wrote:



My configuration looks slightly different 

[bill]
        path = /work/bill
        writeable = yes
        browseable = yes
        valid users = bill


The directory is owned by bill:bill with permissions at 755 which I think is the default permissions.


If I recall correctly when you try to map the drive in Windows you will be promoted for the password. And every time there after.


------------------------
Keith



--- On Fri, 3/13/09, Lisa Kachold <> wrote:

From: Lisa Kachold
<>
Subject: RE: Samba Permissions
To:

Date: Friday, March 13, 2009, 7:14 PM




Eric Wrote:

Hello all,
I have a FreeBSD box running Samba. I have the permission set to 0770 so anyone in the group can read, write, or execute. I can create files via the shell. However, I can't write anything without 777 permissions. Any ideas? I'd rather not leave permissions like that.


Thanks,
Eric

Lisa responds:









A complete discussion of SAMBA permissions, like all security is going
to have to be in context. I.E. do you have shell users on this box?
What are you sharing and how do you need to limit it?





Generally what escapes people starting to play with SAMBA is that security is two tiered:





(a) Linux system permissions take precedence over Samba permissions.
For example if a directory does not have Linux write permission,
setting samba writeable = Yes (see below) will not allow to write to
shared directory / share.
(b) The filesystem permission cannot be take priority over Samba permission.
For example if filesystem mounted as readonly setting writeable = Yes
will not allow to write to any shared directory or share via samba
server.



In short:



Limits set by kernel-level access control such as file permissions,
file system mount options, ACLs, and SELinux policies cannot be
overridden by Samba. Both the kernel and Samba must permit the user to
perform an action on a file before that action can occur.



Samba Share Permission HowTo:


Samba Basic permissions are as follows (configuration file is smb.conf [/etc/samba/smb.conf]):



read only: This parameter controls whether an user has the ability to create or modify files within a share. This is default. guest ok: Uf this parameter is set to yes, the users will have access to the share without 


having to enter a password. This can pose security risk.writeable: Specifies users should have write access to the share.    



You can create the share called "foofiles" with read only permission




[foofiles]

path = /usr/share/docs

read only = Yes



You can create the share called salesdoc with write permission

[salesdoc]

path = /home/shared/sales

writeable = Yes



You can also create a list of users to give write access to the share with write list option. For example allow rocky and tony to write to the share called sales:



[salesdoc]

path = /home/shared/sales

write list = rocky tony





You can use following options 



read list:  This option accepts a list of usernames or a  group as its value. Users will be given read-only access to the share.
valid users:    You can make a share available to specific  users.  Usernames or group names can be  passed on as its value.invalid users:  Users or groups listed will be denied access to this share.




Samba masks:




Specify samba default file creation permission using mask.



create mask: This option is set using an octal value when setting permissions for files.directory mask: Directories must have the execute bit for proper access. Default parameter is 0755.





[salesdoc]

path = /home/shared/sales

write list = rocky sys

create mask = 0775


excerpted from: http://www.cyberciti.biz/tips/how-do-i-set-permissions-to-samba-shares.html




<joke>ERIC: Post your configuration with a complete diagram of your network and use? </joke>


Nosis| Obnosis | (503)754-4452




PLUG Linux Security Labs 2nd Saturday Each Month@Noon - 3PM


Express your personality in color! Preview and select themes for Hotmail®. See how.
---------------------------------------------------
PLUG-discuss mailing list -

To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss






---------------------------------------------------

PLUG-discuss mailing list -

To subscribe, unsubscribe, or to change your mail settings:

http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss


_________________________________________________________________
Windows Live™: Life without walls.
http://windowslive.com/explore?ocid=TXT_TAGLM_WL_allup_1a_explore_032009---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
This message was posted to the following mailing lists:
Plug Discuss
Mailing List Info | Nearby Messages		<-Re: Samba PermissionsRe: Samba Permissions->
Some Mailing List Archive administrated by UnconfiguredLurker (version 2.3)