This article gives an overview of a few security-relevant settings of a Samba server. As always with security there are several options, some of which lead to the same goal; the parameters shown here are the ones that allow simple but effective measures. All settings were tested on Ubuntu 16 with Samba version 3.4.7.
The measures listed are of course not exhaustive, since Samba has an immense number of configuration options.
Network Access
By default Samba queries the kernel for all active, broadcast-capable interfaces and listens on every one of them. On a server with several NICs it should therefore be told explicitly which interface to listen on and send from:
interfaces = 127.0.0.1, 192.168.0.252/24
bind interfaces only = yes
The first line lists the addresses to serve: the loopback interface and the address 192.168.0.252, where /24 gives the netmask of that network (the size of an old Class C network). The second line makes smbd accept connections only on those interfaces. Keep 127.0.0.1 in the list whenever bind interfaces only is set; otherwise local tools such as smbpasswd, which talk to the server over the loopback interface, stop working. Additionally, hosts can be explicitly allowed and blocked:
hosts allow = localhost 192.168.0.
hosts deny = 192.168.0.2
Note how Samba evaluates these two lists: a client that matches hosts allow is admitted even if it also matches hosts deny, and when both lists are set a client matching neither of them is admitted as well. In the example above 192.168.0.2 is therefore still admitted, because it matches the prefix 192.168.0. in hosts allow, and hosts outside 192.168.0.0/24 are no longer rejected. To exclude a single host, use the EXCEPT keyword inside hosts allow (allow 192.168.0. EXCEPT 192.168.0.2) and either drop hosts deny or set it to ALL. testparm, given a client name and address as arguments, reports whether that client would be admitted to each share. Further settings and detailed examples can be found in the Samba openbook, Sect. 4.6 (oreilly.com).
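To make the allow/deny precedence concrete, here is a small Python model of the evaluation order that smb.conf(5) documents (an added example, not code from the article or from the Samba project). Its assumptions: only the pattern forms ALL, localhost, exact addresses, trailing-dot prefixes such as 192.168.0. and network/netmask pairs are handled, localhost is treated as the loopback address, and hostnames or netgroups are not resolved. Running it with the article's two lines against 192.168.0.2 and against an address outside the LAN shows what the deny line actually achieves; testparm remains the authoritative check on a real server.

```python
"""Model of how Samba evaluates "hosts allow" / "hosts deny".

Added example, not code from the article or from the Samba project.
It follows the rules documented in smb.conf(5): a client matching
"hosts allow" is admitted even if it also matches "hosts deny"; when
both lists are set, a client on neither list is admitted too; EXCEPT
carves exclusions out of a list.  Assumptions: only ALL, localhost,
exact IP addresses, trailing-dot prefixes (192.168.0.) and
network/netmask pairs are modelled; hostnames and netgroups are not.
"""
import ipaddress


def _split_list(value):
    """smb.conf lists may be separated by spaces and/or commas."""
    return value.replace(",", " ").split()


def _match_one(pattern, addr):
    """Does a single hosts-list token match the client address?"""
    if pattern.upper() == "ALL":
        return True
    if pattern.lower() == "localhost":          # simplification: treat as loopback
        return addr.is_loopback
    if pattern.endswith("."):                   # prefix form, e.g. 192.168.0.
        return str(addr).startswith(pattern)
    try:
        if "/" in pattern:                      # 192.168.0.0/24 or /255.255.255.0
            return addr in ipaddress.ip_network(pattern, strict=False)
        return addr == ipaddress.ip_address(pattern)
    except ValueError:                          # hostnames/netgroups: not modelled
        return False


def _match_list(entries, addr):
    """Evaluate one list, honouring "a b EXCEPT c d" (right-associative)."""
    if not entries:
        return False
    upper = [e.upper() for e in entries]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        return _match_list(entries[:i], addr) and not _match_list(entries[i + 1:], addr)
    return any(_match_one(e, addr) for e in entries)


def allow_access(hosts_allow, hosts_deny, client):
    """True if `client` (an IP address string) would be admitted by smbd."""
    addr = ipaddress.ip_address(client)
    allow = _split_list(hosts_allow or "")
    deny = _split_list(hosts_deny or "")
    if addr.is_loopback:
        # loopback is always admitted unless it is denied and not also allowed
        return not (_match_list(deny, addr) and not _match_list(allow, addr))
    if not allow and not deny:
        return True
    if not deny:                                # allow list only: default deny
        return _match_list(allow, addr)
    if not allow:                               # deny list only: default allow
        return not _match_list(deny, addr)
    if _match_list(allow, addr):                # both lists: allow wins ...
        return True
    return not _match_list(deny, addr)          # ... and unlisted hosts get in


if __name__ == "__main__":
    configs = {
        "article (allow + deny)":  ("localhost 192.168.0.", "192.168.0.2"),
        "EXCEPT, allow list only": ("localhost 192.168.0. EXCEPT 192.168.0.2", ""),
        "EXCEPT + hosts deny ALL": ("localhost 192.168.0. EXCEPT 192.168.0.2", "ALL"),
    }
    for name, (allow, deny) in configs.items():
        verdicts = {c: allow_access(allow, deny, c)
                    for c in ("192.168.0.2", "192.168.0.77", "10.0.0.5", "127.0.0.1")}
        print(f"{name:26} {verdicts}")
```

With the article's configuration the model admits 192.168.0.2 and 10.0.0.5 alike; with EXCEPT in the allow list and no deny list, only the remaining 192.168.0.x hosts and loopback get in.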
User Access
- Adding an smb user
An smb user must always be a valid user on the server system; in other words, before an smb user can be created, a normal Unix user must exist. If the user is only meant to use Samba and must not be able to log in to the system, the account can be created without a password and without a usable login shell:
sudo useradd -s /bin/false smbaccess
No password is assigned here (so the user cannot log in locally), the login shell is /bin/false, and since useradd was called without -m the user has no home directory either. An smb password can nevertheless be assigned:
sudo smbpasswd -a smbaccess
The user “smbaccess” can then use the shares made available to him. To delete the Samba account again, use
sudo smbpasswd -x smbaccess
Note that this only removes the entry from Samba's password database; the Unix account remains and has to be removed separately with userdel if it is no longer needed.
- Deactivating the guest account
Via the guest account, users who have not authenticated can access the server. Without further configuration Samba maps guest access to the Unix user “nobody” and offers several settings that control when a session is treated as a guest session. To rule out guest mapping completely, set the following (smb.conf, section [global]; this is also the default value):
map to guest = never
Alternatively, a login attempt with a user name Samba does not know can be “mapped” to the guest account, while a wrong password for an existing user is still rejected. The following lines do this:
map to guest = Bad User
guest account = nobody
With “Bad User”, login attempts with a non-existent user name are automatically assigned to the guest account; the parameter “guest account” names the Unix account used for them. The shares that guests are allowed to access then carry the parameter for guest access:
guest ok = yes
Likewise, “guest ok = no” (the default) can be set explicitly. If a share does not set the parameter, the value defined in the [global] section applies to it.
- Write access
Whether a share is writable or read-only is controlled by the following parameter (read-only is the default):
read only = yes
For write access, the synonym
writable = yes
can be used instead, which is the same as “read only = no”. Finally, a coherent example that restricts access to a directory to the user “tktest”:
[ shares ]
valid users = tktest
path = /home/tktest/shares
read only = yes
guest ok = no
The line
browsable = no
additionally prevents the share from being listed when browsing the network. It only hides the share, however; anyone who knows its name can still connect, so it is no substitute for “valid users” and proper file permissions.
File System
When Windows and Linux clients share a server, the handling of file permissions needs special attention: files created from Windows must end up owned by the corresponding Linux users with sensible permissions. For this, smb.conf has parameters that control the permissions of newly created files:
create mask = 0644
directory mask = 0755
These two lines restrict the permissions that files and directories receive when they are created through the share. The values are octal, like the modes used with “chmod”, but they act as a mask: Samba first derives a Unix mode from the DOS attributes the client set and then ANDs it with the mask, so a mask can only remove bits, never add them. Here group and world write are removed, and so is the owner execute bit, which Windows clients otherwise often set through the DOS archive attribute (the default create mask of 0744 keeps it). To set bits unconditionally, use “force create mode” and “force directory mode”.
To restrict a share to a group,
valid users = @smbusers
can be used. Only members of the group “smbusers” can then access the share (the @ prefix denotes a group; with + the name is looked up as a Unix group only).
It is important to remember that ultimately the Linux file permissions on the server always apply: a Samba configuration cannot grant a user more than the Unix account the connection runs under is allowed, so setting ownership and permissions correctly on the server is the most reliable measure. The exception is configuration that changes the account used for the connection: “force user” and in particular “admin users” (which performs all file operations as root) should therefore be used very sparingly.
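The guest, write-access and permission settings discussed above can be checked mechanically. The following Python script (an added example, not code from the article or from the Samba project) parses an smb.conf in the syntax used on this page, applies the defaults from smb.conf(5) (read only = yes, guest ok = no, create mask = 0744, directory mask = 0755) and the synonyms writable/writeable (inverse of read only) and public (guest ok), and then reports shares that are writable by guests, open to every authenticated user because they lack “valid users”, or whose masks permit world-writable files. It also flags a hosts allow/hosts deny combination whose deny list does not contain ALL. The sample configuration embedded in it is constructed for the demonstration; the [public] and [team] shares and their paths are invented.

```python
"""Audit smb.conf share definitions for the settings discussed on this page.

Added example, not code from the article or from the Samba project.
Defaults and synonyms follow smb.conf(5); SAMPLE_CONF is constructed for
the demo and its [public] and [team] shares are invented.
"""
import re

SHARE_DEFAULTS = {"readonly": "yes", "guestok": "no", "validusers": "",
                  "createmask": "0744", "directorymask": "0755",
                  "forcecreatemode": "0000", "forcedirectorymode": "0000"}
# synonym -> (canonical key, whether the boolean value must be inverted)
SYNONYMS = {"writable": ("readonly", True), "writeable": ("readonly", True),
            "writeok": ("readonly", True), "public": ("guestok", False),
            "allowhosts": ("hostsallow", False), "denyhosts": ("hostsdeny", False)}
TRUE_WORDS = {"yes", "true", "1"}


def _is_true(value):
    return value.strip().lower() in TRUE_WORDS


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are normalised like Samba does
    (case-insensitive, whitespace ignored) and synonyms are folded together."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            key = re.sub(r"\s+", "", key).lower()
            if key in SYNONYMS:
                key, invert = SYNONYMS[key]
                if invert:
                    value = "no" if _is_true(value) else "yes"
            sections[current][key] = value
    return sections


def effective(sections, share, key):
    """Share-level value, else the [global] value, else the documented default."""
    return sections[share].get(key, sections.get("global", {}).get(key, SHARE_DEFAULTS[key]))


def audit(text):
    """Return [(section, message)] for weak settings found in the config text."""
    sections, findings = parse_smb_conf(text), []
    glob = sections.get("global", {})
    deny = glob.get("hostsdeny", "").replace(",", " ").upper().split()
    if glob.get("hostsallow") and deny and "ALL" not in deny:
        findings.append(("global", "hosts allow and hosts deny both set: clients on "
                         "neither list are admitted; use EXCEPT or hosts deny = ALL"))
    for share in sections:
        if share == "global":
            continue
        read_only = _is_true(effective(sections, share, "readonly"))
        guest = _is_true(effective(sections, share, "guestok"))
        valid_users = effective(sections, share, "validusers").strip()
        if guest and not read_only:
            findings.append((share, "guest-writable share"))
        if not guest and not valid_users:
            findings.append((share, "no valid users: every authenticated Samba user may "
                             "connect" + ("" if read_only else " and write")))
        for key in ("createmask", "directorymask", "forcecreatemode", "forcedirectorymode"):
            mode = int(effective(sections, share, key), 8)
            if mode & 0o002:                      # world-writable bit survives the mask
                findings.append((share, f"{key} = {mode:04o} allows world-writable entries"))
    return findings


SAMPLE_CONF = """\
[global]
   map to guest = Bad User
   guest account = nobody
   hosts allow = localhost 192.168.0.
   hosts deny = 192.168.0.2
   create mask = 0644
   directory mask = 0755

[shares]
   valid users = tktest
   path = /home/tktest/shares
   read only = yes
   guest ok = no

[public]
   path = /srv/samba/public
   guest ok = yes
   writable = yes
   create mask = 0666

[team]
   path = /srv/samba/team
   writeable = yes
"""

if __name__ == "__main__":
    for section, message in audit(SAMPLE_CONF):
        print(f"[{section}] {message}")
```

On the sample the [shares] definition from the article passes cleanly, [public] is reported twice (guest-writable, world-writable create mask), [team] once (writable by every authenticated user), and [global] once for the shadowed hosts deny line.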
Since version 3.0.23 users can add, change and delete their own shares without root privileges (“usershares”). The feature is enabled in the [global] section of smb.conf; the shares themselves are not stored in smb.conf but under /var/lib/samba/usershares, and all members of the group “sambashare” can create, delete and modify them without root privileges. By default (“usershare owner only = yes”) a user may only share directories he owns.
In the [global] section of smb.conf the usershare parameters are set:
usershare max shares = 5
usershare allow guests = no
With
net usershare add test_share /home/tktest/test_share "Usershare" tktest:f
the user “tktest” can, for example, create his own share without “sudo” (root rights). The arguments are the share name, the path, a comment and an access list; “tktest:f” grants the user “tktest” full access (r would grant read-only access, d would deny access). To get information about a share, use the following command:
net usershare info test_share