Security :: Does Samba ACL Take Precedence Over Standard Unix Permissions?
Apr 9, 2010
I have a folder in a Samba shared drive which I've done the following with (in Unix):
1. Changed the owner to Administrator.
2. Changed the group owner to Domain Users.
3. Granted 700 (drwx------) permissions.
4. Connected to the Windows server via remote desktop.
5. Mapped the Samba network drive as administrator.
6. Right clicked on the folder > properties > security tab > advanced, and added one person (let's call him Joe) who has rwx access on that folder and everything in it (along with administrator).
7. Went back to check the Unix permissions on the folder and found that they had changed from drwx------ to drwxrwx---+. Same goes for everything inside it.
8. Checked the ACL.
Jul 20, 2010
On Windows, you can go to a file's permissions and it's clearly stated who can do what. You can choose between individual users or groups such as 'everyone' or certain types of users such as 'domain users'. You could create a clear-cut list of every single user/group on the system and what their permissions for a file are and have it neatly displayed in a list. On Unix, we have octal permissions and sticky bits. I understand the whole concept of rwxrwxrwx (777). The first three are what the file owner can do, the second is what the main group the user belongs to can do, and the third is what other users can do.
But, when you view a file's permissions you are only getting the permissions as they apply to the user that owns the file. For example, as I understand it, if I viewed a file that only the root user had rwx permissions on and everyone else could only read, the permissions would show up as rwxr--r-- (744). But, those same permissions would show up to any user as 744 as well, since the last 3 characters are what applies to "other users" (pretty vague). How would someone know what users in particular those permissions apply to? There could be one "other user" that can rwx that file and another "other user" that can't. Also, why just stop with the main group? What about other groups? The user Foo's main group might be Foo. But he could also belong to the groups Boo and Zoo, which belong to other users and would give him full rwx permissions over Boo and Zoo's files just as if he were Boo or Zoo.
Then you have the whole sticky bit thing that makes it so that files can be owned by the same person and at the same time be made use of (to varying degrees) by other users. To chmod the UID you'd chmod 2777 or for GID 4777 (just as an example). I did this for a file and it allowed a standard user account who was previously unable to run the command to be able to run it. But, how can that work when I didn't anywhere specify what particular user (or groups of users) that sticky bit applies to?
I'm confused about this whole thing to the point that I'm not even sure exactly what questions I should be asking or even if my examples are 100% correct. I just sort of ranted about some specific things that floated to the top of my head. Permissions are easy to understand when you're running a Unix-like system on a single-user desktop, because the only users/groups you have are root, the single user, and various system users/groups that you don't really need to worry about. So a file with rwxr--r-- means that only the root user (not even members of his group) can edit the file and you can't unless you use sudo, because the "other user" in the last 3 characters always just means you. But, things seem to get a whole lot more complicated when you start adding in multiple users. Can someone explain this or link to a "for dummies" article that can explain all of this to me in a way that someone who's used to Windows-style permissions can make a connection between the two OS families and their way of handling these things?
Jan 10, 2011
I have a question regarding Samba permissions. As the subject describes, is it possible to let users read a file but not copy the file physically? It's fine if they open it and copy-paste the contents, but no physical copy-paste, and I also need to log the activity of the users. If Samba will not be able to comply with my needs, could you suggest some programs to meet my requirements?
Mar 18, 2010
I wish to prevent the Samba messages (mainly nmbd and winbindd) from appearing in the system log (/var/log/messages). I want to allow Samba logging to the standard Samba logfiles, but prevent the syslog getting clogged up by Samba. I added syslog = 0 to smb.conf and reloaded the config but the messages were still appearing. I also tried the following (and restarted the syslog via /sbin/service syslog restart):
# Suppress messages from samba.
nmbd.* /dev/null
smbd.* /dev/null
winbindd.* /dev/null
For interest's sake the messages I'm getting are below (I'm not concerned about the messages themselves, I can chase them up at my leisure via the Samba logs):
Mar 18 09:58:29 SERVER nmbd[3808]: query_name_response: Multiple (2) responses received for a query on subnet xx.yy.z.zz for name DOMAIN<1d>.
Mar 18 09:58:29 SERVER nmbd[3808]: This response was from IP xx.yy.z.zz, reporting an IP address of xx.yy.z.zz.
Mar 11, 2010
Been running 64-bit Fedora for a few weeks now and all is dandy. I have been having problems using Wine & Winetricks to install extra components. Wine seems to crash whenever I try to run something as a standard user. Run as root and the problem doesn't happen. Do I need to add some permissions to run under a standard user? With Winetricks, when I go to install any component, after extracting and installing all files I get:
'Executing early_wine regedit c:winetrickstmpoverride-dll.reg
regedit: File not found "c:winetrickstmpoverride-dll.reg" (2)
Note: command 'early_wine regedit c:winetrickstmpoverride-dll.reg' returned status 1. Aborting.'
Now I have searched everywhere for these .reg files that are not found, and haven't found anywhere that can tell me where to retrieve these files.
Jul 1, 2010
Unix permissions 000 given to directories. I'm testing Netatalk 2.0.5 on my Fedora machine with afpfs-ng. I'm using the afpcmd command to access the volumes on the Netatalk server. The directories that I'm creating via afpcmd are being created with permissions 000. I cannot browse through them.
May 19, 2010
Is there a way to view the Unix permissions for a file under Windows?
May 11, 2010
I have one Ubuntu server 9.04 with a Samba domain. I have one XP Pro machine in this domain. When the XP computer logs on, the theme is classic... How can I change that? I want the standard XP theme.
Jun 9, 2010
I want to know how to connect it to Debian, Fedora, Mandriva, Puppy (or any other distro that's independent and where most software needs to be installed with tarballs), and I also want to learn to connect to it with Mac OS X and Solaris (OpenSolaris).
Sep 9, 2010
I'm using [URL] to help set up my server for Windows file sharing. I accidentally pressed Unix file sharing and now I can switch it to Windows file sharing. It would be fine to uninstall the Unix file sharing and replace it with the Windows counterpart. I have Ubuntu desktop 10.04 (because I keep getting an error with the kernel with the server editions).
Feb 10, 2010
I maintain a Samba PDC for a small business; our current setup does not work very well. On a hardware upgrade I directly imported the old LDAP database, and attempting to add machines to the domain causes all sorts of trouble.
I'm 95% sure the original database (which predates my employment) was created using the idealx smbldap-tools; unfortunately on our current platform (Debian Lenny) these tools seem to be broken. The only things they seem to do reliably are set passwords and add POSIX users; asking them to do anything involving Samba/Windows causes errors. The idealx tools seem to be abandoned, and I don't know enough Perl to try and fix them.
Since the idealx scripts seem to be abandoned, and most of the good Samba+LDAP how-tos reference the idealx tools, I was wondering what people use nowadays to manage their LDAP directories; surely they aren't importing .ldif files to add new users/machines like I've been doing. Are people just writing their own management scripts/web apps? Or are the smbldap-tools just broken on Debian? As for how to generate the NT/LM password hashes and proper SIDs, does anybody have anything they could point me to about this?
Jul 28, 2010
I'd like the server (10.04) to keep Samba passwords and Unix passwords "in sync"; i.e. when a user changes his Unix password (via passwd), his Samba password is automatically changed to match the Unix password. Similarly, when a user changes his Samba password (via smbpasswd), his Unix password is changed to match. smb.conf seems to make provision for this; the following are the applicable entries from my smb.conf:
Code:
obey pam restrictions = Yes
pam password change = Yes
[code]....
Apr 21, 2010
I set up OpenLDAP and Samba on 9.10. The Ubuntu desktop client gets authenticated successfully with the server.
But when I do a passwd on the client, only the LDAP password is getting changed, but not the Samba and Unix user account passwords.
My smb.conf
Code:
passdb backend = ldapsam:ldap://192.168.3.100
ldap suffix = dc=example,dc=local
ldap user suffix = ou=People
ldap group suffix = ou=Groups
[Code]....
Jan 28, 2010
I found a behavior of iptables on FC12 to be different and suspect it's broken somehow. Here is what I did:
# iptables -F
# iptables -A INPUT -s 127.0.0.1 -p tcp --dport 22 -j ACCEPT
I don't have a shell on FC12 with me to show the output of iptables -L -n, but it looks good after the above 2 commands. However, after issuing the following third command, iptables -L -n gives a "wrong" result:
# iptables -R INPUT 1 -s 127.0.0.1 -p tcp --dport 22 -j ACCEPT
Namely, iptables -L -n gives an extra "/0" after 127.0.0.1 in the output. I have checked on Ubuntu 9.10 and CentOS 5.4 and they don't give the extra "/0"; iptables is not supposed to do that. Of course, I didn't invent these examples; they are abstracted from an actual real-life scenario of trying to build rules on our servers.
Apr 21, 2010
I set up OpenLDAP and Samba on 9.10. The Ubuntu desktop client gets authenticated successfully with the server. But when I do a passwd on the client, only the LDAP password is getting changed, but not the Samba and Unix user account passwords.
My smb.conf
Code:
passdb backend = ldapsam:ldap://192.168.3.100
ldap suffix = dc=example,dc=local
ldap user suffix = ou=People
ldap group suffix = ou=Groups
[code].....
But only the LDAP password is getting changed and not the Samba and Unix user account passwords.
I tried
unix password sync = yes
but got the same result.
Sep 11, 2010
I have set up a CentOS 5.5 VMware guest with Samba and Winbind for Active Directory integration, using GUI tools. Authentication works flawlessly, with automatic home directory creation. What I want to achieve now is using local UNIX groups to control access to shared folders, to avoid bothering AD administrators with group management. This is my smb.conf global section:
workgroup = COGITANS
password server = domainserver.hq.cogitans.it
realm = HQ.COGITANS.IT
security = ads
[code]....
'finance' is a local UNIX group where I added user 'COGITANSalberto' (I also tried with 'alberto') as a secondary group (the primary group is 'domain users' and it cannot be changed). I am sure the user is added, because it is listed in 'getent group'. If I specify user COGITANSalberto in valid users it works, i.e. only that user can access the share; the others get an NT_STATUS_ACCESS_DENIED error. But if I use +finance, access is denied to everybody, and this is the log:
[2010/09/11 14:12:37, 10] smbd/share_access.c:user_ok_token(211)
User COGITANSalberto not in 'valid users'
[2010/09/11 14:12:37, 2] smbd/service.c:make_connection_snum(617)
user 'COGITANSalberto' (from session setup) not permitted to access this share (finance)
[code]....
It seems like winbind cannot recognize finance as a local group. For the same reason, I guess, 'force group = finance' does not work either (files are created with 'domain users' group ownership). My /etc/nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind
Ownership and permissions on the '/repositories/shared/finance' folder are
root:domain users with permissions 775
Nov 9, 2009
I'm using iptables with the ip_conntrack_ftp module to be able to use passive FTP. It works well as long as port 21 is being used as the listening port. Is there any way to make it work when I configure my FTP server (vsftpd) to listen on an alternative port, let's say 21001 or something? The helper module only seems to be working properly with the standard port, so I was wondering whether there was a way to "tell it" that another port is being used. I mean, of course I make a rule in the firewall to allow traffic to the alternative port.
But once it's time to start the passive connection, the iptables module cannot handle it properly. I could solve the problem by making a range of passive ports in the FTP server configuration and allowing the incoming traffic to them, but then using helper modules doesn't make any sense. I just want to allow the traffic to the listening port and then have the ip_conntrack_ftp module take care of the rest. This is what I do today, but only port 21 seems to be working. Is there a way to do this with a non-standard FTP port?
Jan 28, 2011
Slipping some (non-root) user a piece of malignant code that he or she executes might be considered one of the highest security breaches possible. (The only higher one I can see is actually accessing the root user.) What can an attacker effectively do when he/she gets a standard user (let's say a normal Ubuntu user) to execute code? Where would an attacker go from there? What would that piece of code do?
Let's say that the user is not stupid enough to be lured into entering the root/sudo password into a form/program she doesn't know. Only software from trusted sources is installed. The way I see it there is not really much one could do, is there?
Addition: I partially ask this because I am thinking of granting some people shell (non-root) access to my server. They should be able to have normal access to programs. I want them to be able to compile programs with gcc. So there will definitely be arbitrary code run in user space...
Mar 17, 2010
I'm running Apache2 under Ubuntu 9.10. My problem is that I use my own user "wavesailor" to work on my websites. I keep all my sites under /var/www and I set up the security of the directory after following the guidelines.
Code:
sudo chown -R root:root /var/www
sudo chown -R www-data:www-data /var/www/*
[code]...
Jul 26, 2011
I have one of these nifty Atom-based "net-top" boxes that has built-in wireless N and gigabit Ethernet. The problem I have is that even when the Ethernet cable is plugged in, Ubuntu seems to default to using the wireless connection. This is a problem since in some areas of the house where I have a wired connection the wireless signal is pretty weak and so the Ethernet traffic becomes spotty.
Is there a setting somewhere where I can force Ubuntu to prefer wired over wireless no matter what, or to disable the wireless when the Ethernet is plugged in?
Jun 25, 2010
I cannot manage file/folder permissions for created shares. I need to get access from a Windows system to Linux shares. Actually I have access to them, but only to read folders and files. I tried to change permissions in create mask = 0765 and set it to 0777, but with no success.
1. Added user
# adduser samba
# smbpasswd -a samba #set his password
# smbpasswd -e samba #activating it
2. Installing SAMBA service
[Code].....
Folder /media/DATA/VIDEO is not browseable and I can't enter it on the Windows system. It is located on a USB external hard drive attached to the Linux system.
Mar 19, 2010
I've got a Samba share on a Linux server, connecting to it with a Windows 2k3 server via tools > map network drive. The goal is to be able to use Windows to change the security of the Samba share. The good news is it works! The bad news is it's not QUITE perfect:
The share is called /company. I started with the following to give everyone access to everything, set the owner of the share to administrator (my domain admin on the Windows domain), and set the group owner to domain users (the group that everyone on the domain is part of):
Code:
chmod -R 777 /company
chown -R administrator /company
chgrp -R "domain users" /company
I then mapped the drive as a regular user, and of course, can access/modify/delete/rename/create anything I want. Then I picked a folder to lock down. Let's call it /company/myFolder. I did this on the Windows server by mapping the drive as administrator (the owner), right click > properties > security tab > advanced > highlight "domain users" and "everyone" and click edit > clear all (i.e. remove all access). Go back to Linux and
[Code]..
The only issue that remains is that I am able to rename/delete "myFolder" as a regular user. I thought this was coming from the "acl map full control = true" parameter in smb.conf, but I changed it to false and verified the change and it still happens. If I remove group and world write access to /company, I am no longer allowed to rename/delete myFolder, but then I can't create a new folder. If I add group write access back in, I can create files but can also rename/delete folders within /company that have --- specified for group access. Any ideas what I need to tweak to make this right?
Feb 17, 2011
I have a problem with file permissions over Samba. I am running a web server, and this web server needs to be able to delete a file. The PHP code is correct, because it works on other sites. The PHP code is failing when it deletes a file because it is being run as the www-data user, and the permissions on the files that are created on the share are as follows:
ns$ ls -l
-rwxr-xr-x 1 root root 129628 Feb 6 08:16 20110206071748532.pdf
This directory is mounted on:
/var/www/files/23982dbb7a454425ce17a22bedc00776/scanned/AEC_Scans
This is done with the /etc/fstab file:
//192.168.58.2/Scans /var/www/files/23982dbb7a454425ce17a22bedc00776/scanned smbfs username=administrator,password=somepass
[Code]...
Apr 6, 2010
I am using my Red Hat Linux 9 box as a Samba server. I want to connect to a Samba directory with two different permissions.
Sep 11, 2010
This is an interesting, confusing problem. OK, I have a group with 3 users. I have a folder in /home with the owner as root, and a group that has read/write permissions. However, if a user opens up a file and saves it via Samba, the owner changes to the user, and the group members only have read permissions on the file.
Mar 22, 2010
I have an old desktop that I have decided to use as a central point for localhost/website files. I have 2 laptops, an Ubuntu one and a Vista one, and I want them both to be able to see the public_html folder on my desktop, and be able to create/update folders and files.
I have set up the Samba sharing and that's working fine, but when I create folders using my laptop, they are not writeable from the desktop or the other laptop because my laptop is the creator. Is there a way that I can set it so that whenever folders/files are created from either laptop, they have full permissions?
Jun 6, 2010
When I create a new folder on my Ubuntu machine and share it with my Windows 7 machine using 'net usershare add <dir> <path>', I can't get write perms in Win 7. It keeps giving me a "You need permission to perform this action" message. I've chmodded the folder to 777 but still no luck.
The funny thing is, it was all working fine until I tried to add a new usershare yesterday (can't think what I've changed). I use this sharing method to share all of my development /var/www/ folders so I can work on them from my Windows machine.
I have had a few problems with my Samba smb.conf, and I nuked and rebuilt it yesterday. I'm fairly new to the Linux game, and this permissions problem has me baffled.
Nov 18, 2010
I am trying to set up a Samba share on one of my machines where I am the owner and a special group manages permissions for read-only access (me:specialgroup). If I log into the share as me, there is no problem (I have read/write privs as usual). However, I am not able to log into the share using any of the group members (there is only one currently). That user is not able to access the share (failed to mount).
The folder (which is the share) is owned by me:specialgroup and the permissions have been forced down the folder. Samba is set to share this folder with no guest or others write access.
May 20, 2010
I'm attempting to set up a Samba share on my lab's small server (Ubuntu Server Edition, 10.04). It looked easy enough, but the share that I set up didn't allow anyone to actually put anything on it: no uploading stuff, etc. (You can still upload files via the command line, so I implemented the unix extensions = no fix.) The share is writeable and visible, and anyone can access it (according to the Samba GUI). According to the smb.conf:
[Share]
path = /home/something/Share
writeable = yes
;browseable = yes
guest ok = yes
The other Windows machines in the lab see the new server and its share automatically, although they can't make changes to it, like creating a new folder in the share. Most of my lab uses Snow Leopard (OS X 10.6), and a few others use Windows. I can connect to the server using my MacBook either through the terminal or Finder -> Go -> Connect to Server -> smb://blah.someplace.edu without problems.
I can do pretty much anything via the command line, but not through the Finder! If I want to create a new folder, it gives me an old-school error message (stupid blue face): "The operation can't be completed because you don't have the necessary permission." If I want to drag-and-drop a file from my desktop to the Share folder, I get a pop-up window (lock + blue face): "Type your password to allow Finder to make changes." If I do, then I get another pop-up: "One or more items can't be copied to "Share" because you don't have permission to read them. Do you want to copy the items you are allowed to read?"
Nov 17, 2010
I have a file server set up with Samba integrated with SWAT management. The server isn't a domain controller. The file server is working well with the shares all working correctly except for one problem. I would like the users to be able to manage the folder permissions from a Windows PC. This can be done from a login as the root user if need be, but the key is that the system be manageable from the Windows PC.
I have followed the instructions of multiple how-tos but still get an error that access is denied when trying to apply permissions. I am able to search the server for users to add and the names resolve. What are the configurations that I should be looking at where the NT permissions in Samba are configured? nt acl support is set to yes and any other ACL settings used produce the same result.