racone

Samba Security Improvement for Writable Directories

Hello,

Below, I have this old Samba share to a Linux system that I know is pretty wide open.  There are some old legacy software dependencies upon the way it is implemented below, as it is mounted as a single drive letter in Windows (etc.).  It also works pretty well without a lot of administration (to a fault, of course; again, I know it's a bit insecure).  We work in a large workgroup (we're a Linux-dominated environment, and no Active Directory).

Anyway, enough of that.  My question in terms of Samba is this:  How can I, or can I, only make certain (sub) directories writable via only a Samba directive (not changing the Linux system directory attributes ... the Linux system software proper might need those attributes to be unchanged)?   All suggestions will be noted, although I'm after a Samba-only solution, generally.  Thanks!

[unix]
    comment = unix
    force user = xyz
    force group = xyz
    create mode = 0000
    force create mode = 0660
    directory mode = 0000
    force directory mode = 0770
    path = /
    read only = no
    guest ok = yes
    guest only = yes
    hosts allow = 192.168.201.
    mangled names = no
    hide special files = yes
    hide unreadable = yes
    hide unwriteable files = yes
    veto files = /.*/
    hide files = /tmp/
    veto files = /.*/bin/boot/cgroup/dev/dtr/etc/home/lib/lib64/media/misc/mnt/net/opt/proc/root/sbin/selinux/spsntint/srv/sys/tftpboot/u_snapshot/u1_snapshot/usr/var/lost+found/
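
An audit of the share settings posted above, added here as an example and not part of the original post: it flags a guest-writable share, a share path of `/`, a missing host filter, and repeated parameters (Samba keeps only the last value). The function names, finding labels and the shortened sample are assumptions made for illustration.

```python
# Added example, not from the original post: audit one smb.conf share section.
# Function names and finding labels are illustrative assumptions.
TRUE = {"yes", "true", "on", "1"}
INVERTED = {"writable", "writeable", "write ok"}  # inverted synonyms of "read only"

# Constructed excerpt of the [unix] share from the question (veto list shortened).
SAMPLE = """\
[unix]
    path = /
    read only = no
    guest ok = yes
    guest only = yes
    hosts allow = 192.168.201.
    veto files = /.*/
    veto files = /.*/bin/boot/etc/
"""

def parse_share(text):
    """Return (params, duplicated keys); a repeated key keeps its last value."""
    params, dups = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, _, value = line.partition("=")
        key, value = " ".join(key.lower().split()), value.strip()
        if key in INVERTED:  # normalise "writable = yes" to "read only = no"
            key, value = "read only", "no" if value.lower() in TRUE else "yes"
        if key in params:
            dups.append(key)
        params[key] = value
    return params, dups

def audit(text):
    """Return a list of finding labels for the share in `text`."""
    p, dups = parse_share(text)
    writable = p.get("read only", "yes").lower() not in TRUE  # default is read only
    guest = p.get("guest ok", p.get("public", "no")).lower() in TRUE
    findings = []
    if guest and writable:
        findings.append("guest-writable")   # no authentication needed to write
    if p.get("path") == "/":
        findings.append("exports-root")     # whole filesystem is the share root
    if "hosts allow" not in p and "allow hosts" not in p:
        findings.append("no-host-filter")
    findings += [f"duplicate:{k}" for k in dups]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```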

Last Comment
racone

8/22/2022 - Mon