Dionysos n00b
Joined: 13 Jun 2003 Posts: 29
|
Posted: Fri Oct 14, 2005 10:19 pm Post subject: Unwanted access to homefolder |
|
|
I have set up Samba for a couple of shares, and I think it's secure enough. But I have a problem: everybody can access the home folder shares of others if they type the UNC path manually (others' home shares are not browsable). I have tried to set valid users = %U, but it is not working. Here is some of my smb.conf file:
Code: |
[homes]
comment = Home folders
browseable = no
writable = yes
valid users = %U
create mode = 0750
[Movies]
comment = My movies
path = /home/movies
public = no
writable = yes
browseable = yes
printable = no
nt acl support = yes
create mask = 0770
directory mask = 0770
security mask = 0777
directory security mask = 0777
valid users = +users
hide dot files = yes
hide unreadable = no
hide unwriteable files = no
|
Can someone please help me, as I don't want other people to access my personal home folder.
I am also wondering how to control ownership and security on files created on public shares. I want all files and folders created on a share to have root as owner, users as group, and RWXRWX--- as effective permissions. Any thoughts about how I can make this happen automatically?
Regards
Dionysos |
|
rojaro l33t
Joined: 06 May 2002 Posts: 732
|
Posted: Sat Oct 15, 2005 3:50 am Post subject: |
|
|
Hi,
for your users problem, the following configuration should be sufficient.
Code: | [homes]
comment = Your Home Directory
browseable = no
writable = yes
read only = no |
your other problem should be fixed with a configuration similar to this one
Code: | [tradefolder]
comment = Trade Folder
path = /storage/global/trade
valid users = @users
writeable = yes
printable = no
force create mode = 0664
force directory mode = 2775 |
Make sure the directory and the directories within are set to mode 2775.
Code: | find -type d -exec chmod 2775 {} ';' |
and the files are set to 0664
Code: | find -type f -exec chmod 0664 {} ';' |
If you just want to have a specific group of your users to access the "tradefolder" share, change the value of the "valid users" option to e.g. "@movies" and set the directory modes within the configuration and the script below to 2770. The file modes you can leave as they are.
Hope this helps :)
- rojaro - _________________ A mathematician is a machine for turning coffee into theorems. ~ Alfred Renyi (*1921 - †1970) |
|
Dionysos n00b
Joined: 13 Jun 2003 Posts: 29
|
Posted: Sat Oct 15, 2005 12:12 pm Post subject: |
|
|
Thank you for the reply, but I'm sorry to say that none of your tips worked.
I can't browse other people's home shares, but if I type the UNC path, let's say \\gentoo\otheruser, I can see the share. How can I prevent this? I thought valid users would help, but it doesn't. It works on normal shares, but on home folders I can't type the username or group directly. So I tried to replace the username with %U, but that won't work either.
Other people must have had the same problem, so I hope someone can help me...
Regards
Dionysos |
|
rojaro l33t
Joined: 06 May 2002 Posts: 732
|
Posted: Sat Oct 15, 2005 4:43 pm Post subject: |
|
|
Hi again,
Oh, I see your problem now :)
That is actually really easy to solve. Just give every user their own group ("groupadd username") and change ownership of the user's home directory with "chown username:username /home/username" ... you could do this with a very simple script like this one:
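Code: | # For every account with a directory under /home: private group, then lock the directory down
for i in $(awk -F ":" '{print $1}' < /etc/passwd) ; do
[ -d "/home/$i" ] || continue
getent group "$i" > /dev/null || groupadd "$i"   # do not stop if the group already exists
chown -R "$i:$i" "/home/$i" && chmod 2770 "/home/$i"
done |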
This way no other user is able to have a look at another user's home directory unless he is within the user's own group. Your /home directory should then look similar to this one:
Code: | drwxrws--- 23 akrahl akrahl 776 Aug 21 15:53 akrahl
drwxrws--- 2 asahraoui asahraoui 104 May 19 12:07 asahraoui
drwxrws--- 11 bbehnk bbehnk 480 Dec 7 2004 bbehnk
drwxrws--- 18 cfankhauser cfankhauser 904 Aug 22 15:56 cfankhauser
drwxrws--- 2 cjasmand cjasmand 104 Mar 9 2004 cjasmand
drwxrws--- 11 ckrebs ckrebs 480 Dec 7 2004 ckrebs
drwxrws--- 5 ekrautschick ekrautschick 224 Jul 14 15:50 ekrautschick
drwxrws--- 2 feggert feggert 104 Jan 5 2004 feggert
drwxrws--- 27 feichmann feichmann 1000 Apr 4 2005 feichmann
drwxrws--- 17 gdeiters gdeiters 648 Aug 30 10:40 gdeiters
drwxrws--- 2 holtappels holtappels 48 Oct 31 2003 holtappels
drwxrws--- 15 kbantje kbantje 984 Feb 17 2005 kbantje
drwxrws--- 8 kfremmer kfremmer 816 Jul 18 12:45 kfremmer
drwxrws--- 4 khelms khelms 160 Dec 7 2004 khelms
drwxrws--- 18 kschumann kschumann 1344 May 23 12:46 kschumann
drwxrws--- 16 nhillebrand nhillebrand 800 Jul 15 08:28 nhillebrand
drwxrws--- 9 oschaefke oschaefke 440 Sep 27 2004 oschaefke
drwxrws--- 5 psattelmeyer psattelmeyer 280 Jan 27 2005 psattelmeyer
drwxrws--- 11 rrogge rrogge 1024 Apr 25 11:07 rrogge
drwxrws--- 4 rwetzel rwetzel 160 Dec 16 2004 rwetzel
drwxrws--- 11 sallam sallam 648 Jan 9 2005 sallam
drwxrws--- 2 sbarth sbarth 104 May 18 14:21 sbarth
drwxrws--- 7 sgrashoff sgrashoff 304 Mar 24 2005 sgrashoff
drwxrws--- 18 tpetter tpetter 864 Jul 14 18:30 tpetter
drwxrws--- 14 tsaleina tsaleina 576 Apr 4 2005 tsaleina |
That should solve it :)
However, if this still doesn't work, I can send you the smb.conf file of one of my fileservers at my company. It is actually configured exactly as described and works perfectly.
- rojaro - _________________ A mathematician is a machine for turning coffee into theorems. ~ Alfred Renyi (*1921 - †1970) |
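A check for the layout described in the last reply, added here as an example and not part of the original thread: Samba opens files as the connected Unix user, so a home directory that still carries permission bits for "other", or that belongs to a shared group, stays reachable through its UNC path. The helper name `audit_homes` and the finding labels are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: audit home directories against the layout from the thread
# (owner = user, group = the user's private group, no bits for "other").
# Assumes GNU stat (-c). audit_homes and the labels are hypothetical names.

audit_homes() {
    root=${1:-/home}
    findings=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        [ -L "$dir" ] && continue          # skip symlinks, audit real directories only
        name=${dir##*/}
        mode=$(stat -c '%a' "$dir")
        owner=$(stat -c '%U' "$dir")
        group=$(stat -c '%G' "$dir")

        # The last octal digit holds the bits for "other"; anything but 0
        # lets accounts outside the owner and group into the directory.
        case $mode in
            *0) ;;
            *) echo "OTHER-ACCESS $mode $dir"; findings=$((findings + 1)) ;;
        esac

        # Mode 2770 grants rwx to the group, so a shared group (for example
        # "users") re-opens the directory to all of its members.
        if [ "$group" != "$name" ]; then
            echo "GROUP-MISMATCH $group $dir"; findings=$((findings + 1))
        fi
        if [ "$owner" != "$name" ]; then
            echo "OWNER-MISMATCH $owner $dir"; findings=$((findings + 1))
        fi
    done
    # Exit status 0 only when every directory matches the expected layout.
    [ "$findings" -eq 0 ]
}

# Run against /home when executed directly with an argument, e.g.:
#   sh audit_homes.sh /home
[ $# -gt 0 ] && audit_homes "$1"
```

Directories such as `lost+found` or shared project folders under `/home` will be reported as mismatches and can be ignored or moved.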
|