Samba can be overwhelming. Especially since unless you use the help of tools like SWAT, you basically are staring at a huge and complicated looking smb.conf in /etc/samba. I’ve been messing with Samba for many years, and I still learn a bunch every time I mess with it. I was talking to an IRC friend earlier and Samba came up as he wanted to make his shares useable to Windows, readable to everyone, but writable only to logged in users. In the past, because of my poor understanding of Samba, I always got frustrated and just made it completely open and writable by the world. To accomplish this, I even had to make the entire folder structure open to everyone, by setting the permissions to 777 (readable, writable, and executable by EVERYONE!). After our conversation I figured now is as good as any time to learn how to implement at least a little bit of security, as what he wanted to do makes complete and total sense. So after doing some Google-ing, I figured it out!
First, some prerequisites:
- I recommend setting all of your sub directories to be mapped to a user and group of a non-privileged user and a user that is not a human. In my case, I ran chmod to my entire file server (a little bit over 1TB of bad permissions worth) so that everything is owned by the user ftp, and the group ftp. I will show the command later.
- Every user you want to have write access to the folders must be a member of the same group that you set the file permissions to. I use the group “ftp” to accomplish this. All the files however, do not have to be owned by the user “ftp”.
- I decided to have one directory that is still available to everyone for writing called “Inbox”. That way I can open it up via sftp or what have you for any convenience reasons.
- Understand Windows behavior. If you map a drive as a user, even if you disconnect, Windows will still authenticate as that user even without re-mapping the drive. I am still trying to figure out how to remove those cached credentials. In the mean time, for testing I used a second “virgin” Windows machine, one that has never logged in as a Samba user so I can make sure my one public folder is writable and test different configurations.
- When logging into the share with Windows (e.x. mapped drive), use: serverhostname\username and then the password as normal.
- I strongly recommend making a backup copy of the current smb.conf. You never know. I have been beating that habit into my head when it comes to configuration files. Always back it up! I will also show that later.
- I completely removed printer sharing from the Samba config. I personally never will share a printer from my file server for various reasons. If you do want to share a printer, don’t forget to leave the printer shares in.
The following instructions are based on sudo usage of Debian type machines (my server is Ubuntu Server 14.04). You may not need sudo. I also use vim which is just an enhanced version of vi. Any editor will do of course. Your mileage will vary, so take the following as a guide, and not as “type these in exactly”, unless you happen to have your server setup exactly the same as mine, which would be weird.
The following also assumes /mnt/data is where all of my files that I serve are. This is actually a mount point to a RAID array. Inside of that, I have a folder called Inbox.
Part 1: Setting up Users, Groups, and the File System
The first bit will be users. Following my case, I did the following to set everything to owner and group to “ftp”. Now, you may not have either, which just means you will need to create the user and group first. Of course, it doesn’t matter what you name it. The ftp user/group is usually created upon installation of an FTP server, so I just use that.
To create ftp user and group (if you don’t already have it, cat /etc/passwd will show you all of the users):
sudo adduser --home /mnt/data --no-create-home --disabled-login -shell /bin/false ftp
Note: You will need to change /mnt/data (that’s just my file serving location). Login is disabled with this command though, so it won’t matter too much.
To set the permissions and ownership correctly (if you have existing files), I ran the following:
sudo chmod -R 775 /mnt/data
sudo chown -R ftp:ftp /mnt/data
Note: I always use full paths with cmod and chown if I am changing more than one object, even if I am already in the folder, because these commands are so powerful. You can easily damage beyond economic repair your entire system with these. Always use extreme caution! My personal rule is “If I use -R, I use full path”.
Setting 775 and running chown on everything allows read, write, and execute by the user ftp, and anyone in the group ftp. It only allows read and execute access to everyone else. This allows the anonymous user to read and execute, but not modify for security. Samba will be set similarly, but having it set correctly file system wise will make it secure against any Samba mis-configurations or other attacks.
Now, there if you have a lost+found folder in your path, you will need to fix it so that root owns it again, and permissions are back to normal:
sudo chown -R root:root /mnt/data/lost+found
sudo chmod -R 700 /mnt/data/lost+found
Now, one thing to keep in mind, as my point #2 above stated, every user you want to have write access to these folders and files must be a member of the group you just put on them. Simply run (usermod -G group user):
usermod -G ftp JoeAverageUser
The user will now have modification rights on any folder that has the ftp group on it, with write permissions set for groups (e.x. 775).
Part 2: Setting Up Samba
Setting up the configuration of course depends entirely on what you want to do exactly. For instance, I want to be able to share everything in /mnt/data for public read and execute. I also want a place for any guest or anonymous user to place new files for me to sort through later. I called this location /mnt/data/Inbox. On top of that, I want logged in users to be able to read and write /mnt/data. This way I can mount a drive as another user in Windows and modify, delete, and change things at will. I personally took the default Samba config file, made a backup copy of it, and almost wiped it clean. Sure the comments are really useful, but reading a file with a million comments is more of a pain than just searching Google for what I really need.
Make a backup!
cp smb.conf smb.orig
Now, here is what mine looks like as it might be easier to understand it after seeing it all in one place. Some key entries will be explained below:
workgroup = WORKGROUP
server string = %h server (Samba, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes
Starting from the top, these are what I feel to be the most important options to understand, and also deviate from default:
security=share – This allows Samba to use local Linux system users to control file/folder access. There other available levels of course, mostly dealing with external means of authentication.
usershare allow guests=yes – This allows non-authenticated users access to the shares defined.
Note: Everything in between is default from the original configuration file. The directives mostly handle authenticating users and logging.
[data] – The first share I define. This is the name of the folder that appears to clients.
path=/mnt/data – The path to the files for this share. Since I try to keep things simple, this is the path to everything.
available=yes – Makes this available to clients. For example, if you want to temporarily make the share unavailable, you can change it to no and keep the configuration in place.
read only=yes – Makes the share read only to everyone, except anyone in the write list, seen below.
browsable=yes – Announces the share in browse lists. This is especially important for Windows.
guest ok=yes – Allows guests to see folders and files inside the share.
guest account=nobody – Maps the guest account to “nobody”. This way guests can’t impersonate a user.
write list=@ftp – A comma separated list of users that are allowed to write to files and folders in the share. Using the @ symbol, you can specify entire groups.
create mask=0775 – The file creation permissions. This does the same as discussed in part 1 above. Change this to match how you control permissions on your file share. This is what gets applied when a logged in user creates a new file. 775 gives permission to read, write, and delete to the user and group, but not everyone.
directory mask=0775 – Same as create mask for files, but for directories.
hide unreadable=yes – I use this specifically to hide the lost+found folder, however it is also useful to hide directories that the logged in user has no access to (not even read). This can be useful for user directory lists too.
force group=ftp – Forces new files/folders to belong to the group ftp which keeps the files available as originally designed. If you omit this option, new files and folders will only be available to the primary group of the user who wrote them.
[inbox] – This is the “public” guest writable share I have defined.
There are only 4 differences from the above entry. Both “write list” and “hide unreadable” are not present. The following directives are modified:
path=/mnt/data/Inbox – The path to the share that will be available for writing to guest.
read only=no – Opens the share to be writable from anyone, including guests..
The Inbox works for guest because using the “force group=ftp” directive allows new files and folders to be created under that group, but as the “nobody” user. This is akin to running “chmod nobody:ftp” after adding the object. Because my Inbox folder is a sub folder of the data share, there is one idiosyncrasy to keep in mind with this setup. If a guest goes to \\server\inbox, they will be able to write and modify, however, if they go through \\server\data\Inbox, they will not be able to modify even though it’s really the same folder. This is because the data share itself is locked down to guests. If this is bothersome, just make sure it is not a sub folder of another further locked down share.
After editing, remember to restart the service:
sudo service smbd restart
A great quick reference source for configuration options can be found here: http://www.oreilly.com/openbook/samba/book/appc_01.html. Otherwise, don’t forget to check out https://www.samba.org/ and https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/. And remember, just have fun and play around with all of the options to see what the results are. The best way to learn is to do.