Shannon Adams


Need advice in Red Hat 8.0 Samba security

I use Samba/Red Hat 8 for sharing files by department within my organization.  The issue I have is with the payroll share.  Numerous IT sys admins have root access, thus have access to payroll documents.  I want to create special security on this share so that only the HR department can open the share or files under the share.   What options are available for doing this?  I don't want to take away root access from the sys admins.

Thanks.
rindi

In Linux root always has full access...
>  What options are available for doing this?  I don't want to take away root access from the sys admins.
you need ACLs, but I'm not sure if this works with Samba.
ASKER CERTIFIED SOLUTION
ppfoong

chris_calabrese

As rindi said, if you have root in Linux, then you have access.

Therefore, the only technical solution is to have the HR people keep their data encrypted with keys the admins don't have access to (using PGP, for example).

Another way to deal with this problem is to put in place audit-logging capabilities and audit whether anyone is using root to view these sensitive files. And, more importantly, to implement a very widely communicated policy that people will be fired on the spot if they are caught abusing their root privileges.

> .. the only technical solution is to have the HR people ..
chris_calabrese, slightly disagree, using ACLs and/or SELinux can do it (but see ppfoong's link)
Use the following Samba server configuration...
Samba Users: Add a new Samba user (hr)
Server Settings: Authentication Mode = user
On the particular Samba mount folder --> Properties --> Access --> Only allow specified users --> select the "hr" user.

So this particular Samba mount can be accessed only by the "hr" user. Not even by root.

BR
Dushan
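As an added example (not posted by anyone in this thread), here is the smb.conf equivalent of the GUI steps Dushan describes, with the weak setting shown commented out beside the restricted one. The group name hr, the share path /srv/samba/payroll and the HR subnet are assumptions; adjust them to your setup.

```ini
# Assumes a Unix group "hr" exists and its members have Samba accounts
# (smbpasswd -a <user>); the share directory is assumed to be /srv/samba/payroll.

[global]
   ; "Authentication Mode = user" in the Red Hat Samba GUI: every client
   ; must log in with a Samba account before it can see any share.
   security = user

[payroll]
   comment = HR payroll documents
   path = /srv/samba/payroll
   ; Weak: this would let any Samba user, or even a guest, open the share.
   ; Leave it out (the default is no).
   ;  guest ok = yes
   ; Restricted: only members of the Unix group hr may connect to this share.
   valid users = @hr
   ; Refuse the root account over SMB explicitly (invalid users wins over
   ; valid users if the same name appears in both).
   invalid users = root
   ; HR may write; files they create belong to group hr with no "other" bits,
   ; so nothing leaks to ordinary local users through the filesystem either.
   writable = yes
   force group = hr
   create mask = 0660
   directory mask = 0770
   ; Keep the share out of browse lists; it is still reachable by name.
   browseable = no
   ; Only hosts on the assumed HR subnet may even attempt to connect.
   hosts allow = 192.168.10.
   ; NOTE: these settings govern SMB clients only. A sys admin who logs in
   ; locally as root reads /srv/samba/payroll directly, as rindi and
   ; chris_calabrese point out; only encryption or audit logging covers that.
```

The directory itself should also be owned by group hr with mode 2770 (or an ACL granting only hr), so local non-root users cannot read it outside Samba.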