Monday, December 13, 2010

Quick Samba Setup

This post is about Samba, the *nix implementation of the SMB protocol. Put simply, it runs as a daemon and allows a *nix/BSD box to share folders with other *nix/BSD boxes and even Windows boxes.

In this post we are going to dig into a quick and easy configuration of Samba.

In Windows, with one click you can share folders and anyone can have access to your documents, to create and delete them, and possibly upload malicious software. On Linux, thankfully, we have permissions and other security measures, some built directly into Samba, which prevent this, although Linux could still be set up to share folders with one simple click.

Two basic security settings in Samba are security=user and security=share. I like to use security=share and that is what we will dive into first.

You can read more about the different security settings here. Basically, security=share is a little more relaxed security-wise and does not require usernames.

Not only do we have to deal with Samba permissions, we also have Linux filesystem permissions to be concerned with, provided that you are using a filesystem that supports permissions, which is usually the case on Linux. The filesystem permissions supersede the Samba permissions.

Keep in mind that in order for others who are not created as users on the host machine to view Samba shares, the permissions for others must be set so that they can execute (traverse) the directory. This means that in order to give others permission to read and write to the shared directory they will need rwx permissions. To achieve this we will use the chmod command.

chmod -R 777 /directory/iam/sharing/

This gives everyone the ability to create and delete files in the directory I am sharing.

This may seem like a gaping security hole, but luckily, by default, files created through Samba by other users are owned by nobody, which has extremely limited privileges, and they will not execute. This means that others cannot upload and run malicious code. However, this setting could always be changed so that others could create files with more relaxed permissions and not under the nobody user.

Read more about chmod and basic permissions here.

With this type of setting it would be wiser to only allow others to access and read the files in the directory. For this, 775 permissions (rx for others) would be sufficient.

Let's say I want to create a shared directory of my mp3s and I want to allow selected users to create and add files to this directory.

One way to accomplish this would be to use security=user.

We will make a directory where we will store the mp3s.

mkdir /home/user/mp3s

We will create a group of users that are allowed to access these mp3s.

# groupadd mp3users

Next, we make sure that the mp3users group owns the mp3 directory, first making sure your user is a member of the mp3users group:

# gpasswd -a user mp3users
# chown -R user:mp3users /home/user/mp3s

Now you own the mp3 directory and it belongs to the mp3users group. Next we change the access permissions of the directory so that you can read, write, and execute it, members of the group can read, write and execute it, but others have no access.

# chmod -R 770 /home/user/mp3s
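The steps above (mkdir, groupadd, gpasswd, chown, chmod) need root and change the live system, so it helps to have a way to read the result back and confirm it matches the intent. The following Python checker is an added example, not part of the original post: it reads a directory's mode and ownership and tags it according to the three recipes discussed above, 777 (world-writable), 775 (others can traverse and read) and 770 (group only). The make_demo_dir helper, the finding tags and the expected_group parameter are this example's own; the setgid check is an extra point the post does not raise, added because it affects which group newly created files end up in.

```python
import grp
import os
import pwd
import stat
import tempfile


def _name_of(lookup, ident):
    """Resolve a uid/gid to a name, falling back to the bare number."""
    try:
        return lookup(ident)
    except KeyError:
        return str(ident)


def current_group_name():
    """Primary group of the running process (handy when trying the demo)."""
    return _name_of(lambda g: grp.getgrgid(g).gr_name, os.getgid())


def audit_share_dir(path, expected_group=None):
    """Report how a directory's filesystem permissions match the recipes in
    the post: 770 (owner and group only) versus 775/777 (everyone can at
    least traverse it).  Returns the octal mode, owner, group and a list of
    short finding tags (tags are this example's own vocabulary)."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise ValueError(f"{path} is not a directory")
    mode = stat.S_IMODE(st.st_mode)  # rwx bits plus setuid/setgid/sticky
    perm = mode & 0o777
    findings = []
    # The 'others' triplet is what users outside the group fall back on.
    if perm & 0o002:
        findings.append("world-writable")      # 777 case: anyone can add/delete
    elif perm & 0o001:
        findings.append("world-traversable")   # 775 case: others enter and read
    else:
        findings.append("others-locked-out")   # 770 case: group members only
    if (perm & 0o070) != 0o070:
        findings.append("group-not-rwx")       # group members cannot fully use it
    if not mode & stat.S_ISGID:
        # Without setgid, new files take the creator's primary group rather
        # than the directory's group, so mp3users ownership drifts over time.
        findings.append("no-setgid")
    group = _name_of(lambda g: grp.getgrgid(g).gr_name, st.st_gid)
    if expected_group is not None and group != expected_group:
        findings.append("wrong-group")
    return {
        "mode": f"{perm:04o}",
        "owner": _name_of(lambda u: pwd.getpwuid(u).pw_name, st.st_uid),
        "group": group,
        "findings": findings,
    }


def make_demo_dir(mode):
    """Create a throwaway directory with the given mode, standing in for
    /home/user/mp3s so the audit can be tried without touching real shares."""
    path = tempfile.mkdtemp(prefix="mp3s-demo-")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for m in (0o777, 0o775, 0o770):
        print(f"{m:04o}:", audit_share_dir(make_demo_dir(m)))
```

Run it against the real share directory with `audit_share_dir("/home/user/mp3s", expected_group="mp3users")` once the chown and chmod above have been applied; a 770 directory should come back with only the others-locked-out and no-setgid tags.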

This takes care of the Linux setup of the directory. Now we must setup Samba.

First I will show you my basic Samba configuration. I stripped out a lot of the stuff that is unnecessary for me, to make the file simpler and easier to read.

/etc/samba/smb.conf

### Paul's Samba Configuration

#======================= Global Settings =======================
[global]
workgroup = MSHOME
server string = %h

####### Authentication #######
security = user
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes

Most of that is default. You may want to change workgroup = MSHOME to the workgroup that the computers in your house use; it is easier for Windows computers to find other computers that are on the same workgroup, that's just the way it is.

server string = %h

This means that the hostname of the computer will be used as the network name of the machine through Samba.

Now we will append the shares we want to set up to /etc/samba/smb.conf.

[MP3]
comment = music
path = /home/user/mp3s
writeable = yes
public = yes
guest ok = yes
valid users = paul rita @mp3users

[MP3] is the name of the share over the network.
valid users restricts access to only the users and groups listed. Now we must create the user “rita”, add her to the mp3users group and enable her in Samba. Here is how we do this.

adduser rita
## creates the user rita

gpasswd -a rita mp3users
## adds rita to the mp3users group

smbpasswd -a rita
## adds rita to the samba database

smbpasswd -e rita
## enables the user rita in the samba database

smbpasswd -n rita
## this makes it so rita does not need a password

Read more about restricting access through Samba here.

smbpasswd is where passwords are stored; it handles Samba access to your computer. The -n switch doesn't always work as intended for me. Keep in mind that the users will need the passwords created when you ran smbpasswd -a in order to access the shares.

You can change the guest account from nobody to somebody else by setting the following in the Authentication section of /etc/samba/smb.conf:

guest account = mp3user

You can then control that user's permissions and which group he belongs to with the commands used above. Be careful, because this is how you can grant anyone permission to upload malicious code.

You can also change the permissions of the files and directories that your guest users create by adding the following to the shares that you set up:

create mask = 0770
directory mask = 0770

This means that files (create mask) will be rwx for the owner and those in the group, and directories (directory mask) will be rwx for the owner and those in the group.
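The share section earlier in the post ([MP3] with valid users, public and guest ok) and the create mask / directory mask settings just above are exactly the lines a reviewer checks in smb.conf. The following Python script is an added example, not the author's configuration and not Samba's own tooling: it parses an smb.conf, folds Samba's synonyms together (public / guest ok, writeable / writable / read only), works out the mode a newly created file or directory ends up with from the mask and force parameters, and tags shares where guest access is combined with write access or with a valid users list. Samba ANDs the mode derived from the client's request with the mask and then ORs in the force bits (smb.conf(5): create mask, force create mode), which is why a 0770 create mask gives a plain data file 0660 rather than 0770 unless force create mode adds the execute bits. The sample configuration is constructed in the style of the post; the [Dropbox] share, the finding tags and the function names are hypothetical.

```python
import configparser

# Constructed sample in the style of the post's smb.conf, not the author's
# file verbatim: an [MP3] share like the one in the post plus a hypothetical
# [Dropbox] share that shows what a permissive create mask does.
SAMPLE_SMB_CONF = """\
[global]
workgroup = MSHOME
server string = %h
security = user
passdb backend = tdbsam
guest account = nobody

[MP3]
comment = music
path = /home/user/mp3s
writeable = yes
public = yes
guest ok = yes
valid users = paul rita @mp3users
create mask = 0770
directory mask = 0770

[Dropbox]
path = /srv/dropbox
writeable = yes
guest ok = yes
create mask = 0777
"""

# Samba's documented defaults for the mode parameters (smb.conf(5)).
SAMBA_DEFAULTS = {
    "create mask": "0744",
    "directory mask": "0755",
    "force create mode": "0000",
    "force directory mode": "0000",
}

# Synonyms smb.conf accepts, which an audit has to fold together.
GUEST_KEYS = ("guest ok", "public")
WRITE_KEYS = ("writeable", "writable", "write ok")


def load_smb_conf(text):
    """Parse smb.conf text.  Interpolation is off because values such as
    %h and %u are Samba substitutions, not configparser ones."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    return cp


def yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def effective_mode(requested, mask, force=0):
    """Samba ANDs the mode derived from the client's request with the mask,
    then ORs in the force bits.  A 0770 mask on a plain data file (0666)
    therefore yields 0660, not 0770."""
    return (requested & mask) | force


def audit_shares(cp):
    """Per share: guest/writeable status, resulting file and directory modes,
    and finding tags (this example's own names) for risky combinations."""
    glob = cp["global"] if cp.has_section("global") else {}
    report = {}
    for name in cp.sections():
        if name.lower() == "global":
            continue
        share = cp[name]

        def setting(key):
            # share-level value, else [global], else Samba's default
            return share.get(key, glob.get(key, SAMBA_DEFAULTS.get(key, "")))

        guest = any(yes(setting(k)) for k in GUEST_KEYS)
        writeable = (any(yes(setting(k)) for k in WRITE_KEYS)
                     or setting("read only").strip().lower() == "no")
        file_mode = effective_mode(0o666, int(setting("create mask"), 8),
                                   int(setting("force create mode"), 8))
        dir_mode = effective_mode(0o777, int(setting("directory mask"), 8),
                                  int(setting("force directory mode"), 8))
        findings = []
        if guest and writeable:
            findings.append("guest-writeable")         # anonymous uploads possible
        if guest and setting("valid users"):
            findings.append("guest-plus-valid-users")  # intent unclear: which applies?
        if file_mode & 0o002:
            findings.append("world-writable-files")
        if dir_mode & 0o002:
            findings.append("world-writable-dirs")
        report[name] = {
            "guest": guest,
            "writeable": writeable,
            "guest_account": setting("guest account") or "nobody",
            "file_mode": f"{file_mode:04o}",
            "dir_mode": f"{dir_mode:04o}",
            "findings": findings,
        }
    return report


if __name__ == "__main__":
    for share, info in audit_shares(load_smb_conf(SAMPLE_SMB_CONF)).items():
        print(share, info)
```

On a real box, replace SAMPLE_SMB_CONF with the contents of /etc/samba/smb.conf; the guest-writeable tag on [MP3] is the combination the post warns about in its guest account discussion, and the file_mode column shows what the create mask actually produces for the files guests drop in.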

Anyway, that is a quick Samba setup and a crash course in permissions. You could do other things, like making sure all your shared folders are owned by a “sambashare” group and adding your selected users to that group. The choices are yours and yours alone. Good luck.