LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 08-31-2007, 12:00 AM   #1
ElvisImprsntr
Member
 
Registered: Aug 2007
Location: Florida
Posts: 33

Rep: Reputation: 19
FSTAB windows and root only points?


BACKGROUND

I have a Linux system and a Windows system on the same net connected to a TeraStation Pro. The Linux system runs a cron.daily task to perform daily and weekly backups of the Linux and Windows system. I had it all working, until....

PROBLEM 1
I was required to turn off the Guest account on the windows machine, which now broke my mount point to the Windows shared C drive. Apparently to share the C drive, Windows must also enable the Guest account. I tried adding credentials to the Linux mount point in the FSTAB files, while it appears to successfully mount the Windows drive, but when I attempt to perform a LS command it echos "Permission Denied"

QUESTION 1
How can I mount the Windows C drive with valid credentials even if Windows won't play nice and let me backup protected paths?

PROBLEM 2
As mentioned, I have a cron.daily task that performs daily differential, and weekly/monthly full backups. Unfortunately, it also backs up the password files, audit logs, etc. which using the FSTAB mount point allows even non-root accounts to gain access to password files, one of which are the plain text credentials files I have the FSTAB pointing to mount the Windows machine and the TeraStation.

QUESTION 2
How to I make the mount point to the TeraStation root permission only to prevent non-root user from accessing backup files?

Any tips, tricks, or links would be greatly appreciated.

Thanks,

Elvis


UPDATE: Added lines from my FSTAB
//192.168.0.50/share /home/sedwr/terastation smbfs auto,lfs,user,rw,sync,credentials=/etc/samba/ts.cred 0 0
//192.168.0.6/c /home/sedwr/windows smbfs auto,lfs,user,ro,credentials=/etc/samba/win.cred 0 0

Last edited by ElvisImprsntr; 08-31-2007 at 12:46 AM.
 
Old 09-01-2007, 11:03 PM   #2
bigrigdriver
LQ Addict
 
Registered: Jul 2002
Location: East Centra Illinois, USA
Distribution: Debian stable
Posts: 5,877

Rep: Reputation: 350Reputation: 350Reputation: 350Reputation: 350
Problelm 2 Question 2

First a bit of theory. The mount point is a directory in the filesystem tree. Whether or not a partition is mounted to that mount point, the permissions on that directory control who may have access to it before and after the partition is mounted.

Therefore,

chown root:root /TereStation
sets user and group ownership to root.

chmod ug+rwx /TeraStation
sets read write execute permissions to user and group (root and root). In the case of a directory, execute permission means "allowed to cd into" that directory.

chmod o-rwx /TeraStation
removes read write execute permissions for all other users. They may not cd into that directory; they may not read files in that directory; and they may not write files to that directory.

Try this test. As root, create a directory, and put a simple text file in it. Run the commands as above for that directory. Then as normal user, try to cd into it, list the contents, read the file in it, or write to that directory. You shouldn't be able to do that except as root.
 
Old 09-04-2007, 04:21 PM   #3
ElvisImprsntr
Member
 
Registered: Aug 2007
Location: Florida
Posts: 33

Original Poster
Rep: Reputation: 19
bigrigdriver,

Thanks...

SOLUTION 2
Since I am auto-mounting during boot up, I think root actually perform the mounts. Thus, I think the mounts inherit the owner:group and permissions from root. I added a new BACKUPS share on the Terastation to eliminate commingling of user and backup files. I had to add the UID and GUI, which the permissions are inherited or assigned defaults, so I added FMASK and DMASK to remove permissions to prevent unauthorized users from even reading backup files that may contain passwords or audit logs. I also set NOUSER to eliminate the desktop icons to avoid the temptation of users to access the folders/files. I did this in addition to setting the mount point owner:group and permissions as you suggested. I am sure this is not optimal, but it seems to work for between the Linux systems and the Terastation.

# FSTAB
.
.
.
# terastation share
//192.168.0.50/share /home/sedwr/terastation smbfs auto,lfs,user,uid=sedwr,gid=controls,rw,sync,dmask=700,fmask=600,credentials=/etc/samba/ts.cred 0 0
# windows
//192.168.0.6/c$ /home/sedwr/windows smbfs auto,lfs,nouser,uid=root,gid=root,ro,dmask=700,fmask=600,credentials=/etc/samba/win.cred 0 0
# terastation backups
//192.168.0.50/backups /home/sedwr/backups smbfs auto,lfs,nouser,uid=root,gid=root,rw,sync,dmask=700,fmask=600,credentials=/etc/samba/bu.cred 0 0


BACK TO PROBLEM 1

I am still having trouble mounting the Windows C:/ drive. I have tried using user authentication, administration, re-enabling the Guest account, re-sharing the C drive, etc. Use the built in C$ vs. adding a new share name, etc. All I get is the following error message:

> mount /home/sedwr/windows/
10098: session setup failed: ERRDOS - ERRnoaccess (Access denied.)
SMB connection failed


QUESTION 1

Is there some setting on the Windows side that needs to be configured in addition to the Linux side? The error in the Windows Event Viewer is: EventID: 529 NT User: AUTHORIRY\SYSTEM Reason: Unknown user name or bad password, both of which I have double checked. Any hints/tips/tricks would be greatly appreciated.

Last edited by ElvisImprsntr; 09-04-2007 at 04:23 PM.
 
Old 09-04-2007, 06:17 PM   #4
ElvisImprsntr
Member
 
Registered: Aug 2007
Location: Florida
Posts: 33

Original Poster
Rep: Reputation: 19
bigrigdriver,

I figured it out, but I thought I would post my solution to PROBLEM 1/QUESTION 1

SOLUTION 1

On the Windows XP machine, open Settings -> Control Panels -> Administrative Tools -> Local Security Policy.
Open Security Settings -> Local Policies -> Security Options. Change the Network access: Sharing and security model for local accounts = Classic - local users authenticate as themselves.

Doing so will re-enable the Guest account until you set up access permissions for the drives/folders one wants to share to authenticated users. Right Mouse Click on the drive/folder -> Properties -> Sharing -> Permissions. Then remove Everyone entry and add Users ({yourcomputername}\Users). Once sharing permissions are set up you can go back and disable the Guest account using what ever mechanism you're most familiar with.


Then using the automount command in my FSTAB posted above with an appropriate credentials file will mount the Windows share with restrictive permissions that will prevent the standard user from access password files and security logs from the Linux side and protect my cron.daily backups on the Terastation


Again, many thanks.

Last edited by ElvisImprsntr; 09-05-2007 at 08:05 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Set up Windows network with multiple access points newuser455 General 8 02-02-2005 06:12 PM
moving mount points in fstab s_siouris Linux - General 1 01-27-2005 09:48 AM
I can't access my windows drive as a user, only as root...fstab problems? DiZASTiX Slackware 14 12-29-2004 09:54 PM
How do i access /etc/fstab as Root? Bomb187 Fedora 7 03-15-2004 03:05 PM
fstab, device names, mnt points, symlinks rickenbacherus Linux - Software 8 03-24-2003 07:06 AM


All times are GMT -5. The time now is 03:04 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration