Hi, all.
I want to configure as follows:
# umask 077
# mkdir /home/abc
# mkdir /home/abc/Nu
# chown admin.admin Nu
# useradd admin, fa1
# smbpasswd -a admin
# smbpasswd -a fa1
share folder abc:
[abc]
path = /home/abc
public = no
valid users = admin, fa1
writable = yes
browseable = no
guest ok = yes
configure acl:
# setfacl -m u:fa1:rw- Nu/
# setfacl -d -m u:fa1:rw- Nu/
# ll
drwxrwx---+ 4 admin admin 4096 Feb 26 09:38 Nu
# getfacl Nu/
# file: Nu/
# owner: admin
# group: admin
user::rwx
user:fa1:rw-
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:fa1:rw-
default:group::rwx
default:mask::rwx
default:other::---
=> After configuring, from a Windows 8 PC I can access the Samba share OK, but I cannot access the folder Nu. (I want to configure folder Nu so that user admin has full control permission and user fa1 has modify permission.)
In the real world, try to avoid file permission ACLs, as they are painful when it comes to troubleshooting.
Hi, T3RM1NVT0R
Thank you very much for your reply.
But I am troubled by this. If we set rwx, this permission is the same as Full Control on Windows.
So if a user on Windows maps the share folder (abc) with a user having rwx permission, this user can "Change permissions" and "Take ownership".
On CentOS, could we set an ACL but remove the two options above?
What you are talking about is mapping a Linux Samba share on Windows, and you are worried that if they map the share they will be able to change the ownership. Is that correct?
If that is the case, then the answer is no, because ultimately the permission will be governed by the OS from which the share is mapped, which is Linux in this case. Linux keeps permission and ownership separate. Only the user who is the owner of that directory, or root, can change the ownership of that directory.
What you are talking about is mapping a Linux Samba share on Windows, and you are worried that if they map the share they will be able to change the ownership. Is that correct? ==> Yes, I am worried about this.
If that is the case, then the answer is no, because ultimately the permission will be governed by the OS from which the share is mapped, which is Linux in this case. Linux keeps permission and ownership separate. Only the user who is the owner of that directory, or root, can change the ownership of that directory. ===> I configured the owner of folder Nu/ as admin and an ACL for user fa1 with permission rwx; then from Windows I mapped the share folder abc/ with Samba user fa1 and I could still change the permissions of folder Nu/, so after I changed from rwx to rw- I am not able to access folder Nu/.
Could you please review this case for me?
As I mentioned before, if you change the permission from rwx to rw you won't be able to access the directory, as on Linux execute permissions are required to access the directory.
Give me the details on the users you have configured for this, current permissions, current acl listing, ownership details and I will have a look at that.
I configured it again: user fa1 with rwx cannot change permissions from Windows after mapping; only the owner (admin) can change permissions, as T3RM1NVT0R says. Now I understand.
I am so sorry for my testing mistake.
Thank you very much.
Could I ask more about Samba with audit logging in this topic?
1. About ACLs: Could you please help me determine the permissions of a file after using default ACLs?
I am worried about this permission; is there an easy way to determine it?
I am posting one configuration I already found by searching:
# mkdir public
# setfacl -R -m u::rwx,g:ftp:rwx,d:g:ftp:rwx,o::rx public/
# getfacl public
# file: public
# owner: root
# group: root
user::rwx
group::r-x
group:ftp:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:ftp:rwx
default:mask::rwx
default:other::r-x
# echo hello, world > public/test.html
# ls -l public
total 4
-rw-rw-r--+ 1 root root 13 Aug 29 13:00 test.html
# getfacl public/test.html
# file: public/test.html
# owner: root
# group: root
user::rw-
group::r-x #effective:r--
group:ftp:rwx #effective:rw-
mask::rw-
other::r--
================
Why is it that folder public is created with permission 755, but after using setfacl the folder public changes to 775, and a file created in folder public gets 664?
2. About Samba audit:
I am sending my test configuration (I found it on the Internet).
With this configuration, all logs are written to only one file.
Is there any way to write logs to separate files for each shared folder or group of folders? The log file has many lines and a lot of information, so filtering will be very difficult.
As I can see, you are creating the files using the root account. That wouldn't be a real test of the ACL, as when you create files using the root account it will be based on the umask value, which by default for root is 002, which in turn means 775 for directories and 664 for files.
You can check the umask value by typing the command umask.
I am not sure about sending the different errors and warnings from Samba to different files. I have never tried that before, but I will try if I get a chance.
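An added example, not code from any poster in this thread: the Python sketch below applies the POSIX ACL rules documented in acl(5) to the ACLs printed above. Under those rules a file created in a directory with a default ACL inherits that ACL with the owner, mask and other entries limited by the creating program's mode, and `ls -l` shows the mask in the group column. The function names are invented for this illustration.

```python
"""POSIX ACL arithmetic (acl(5)) for the ACLs posted in the thread. Added example."""
R, W, X = 4, 2, 1
OWNER, GROUP, MASK, OTHER = ("user", ""), ("group", ""), ("mask", ""), ("other", "")

def parse_acl(text):
    """Parse whitespace-separated getfacl entries into {(tag, qualifier): bits}."""
    acl = {}
    for entry in text.split():
        tag, qualifier, perm = entry.split(":")
        acl[(tag, qualifier)] = sum(b for c, b in zip(perm, (R, W, X)) if c != "-")
    return acl

def fmt(bits):
    return "".join(c if bits & b else "-" for c, b in zip("rwx", (R, W, X)))

def recalc_mask(acl):
    """Default setfacl -m behaviour: mask = union of every entry the mask limits."""
    acl = dict(acl)
    acl[MASK] = 0
    for key, bits in list(acl.items()):
        if key not in (OWNER, OTHER, MASK):
            acl[MASK] |= bits
    return acl

def inherit(default_acl, create_mode):
    """Access ACL of an object created in a directory that has a default ACL.
    The umask is ignored; create_mode can only clear bits in the owner,
    mask (group:: when there is no mask) and other entries."""
    acl = dict(default_acl)
    acl[OWNER] &= (create_mode >> 6) & 7
    acl[MASK if MASK in acl else GROUP] &= (create_mode >> 3) & 7
    acl[OTHER] &= create_mode & 7
    return acl

def effective(acl):
    """Rights actually granted: all entries except user:: and other:: are capped by mask."""
    mask = acl.get(MASK, 7)
    return {k: fmt(v if k in (OWNER, OTHER) else v & mask)
            for k, v in acl.items() if k != MASK}

def ls_mode(acl):
    """Mode shown by ls -l: the group column displays the mask when one exists."""
    return acl[OWNER] << 6 | acl.get(MASK, acl[GROUP]) << 3 | acl[OTHER]

# Entries copied from the thread's getfacl output ("default:" prefix dropped).
PUBLIC_DEFAULT = parse_acl("user::rwx group::r-x group:ftp:rwx mask::rwx other::r-x")
NU_ACCESS = parse_acl("user::rwx user:fa1:rw- group::rwx mask::rwx other::---")

if __name__ == "__main__":
    new_file = inherit(PUBLIC_DEFAULT, 0o666)  # shell redirection creates with mode 0666
    print(oct(ls_mode(new_file)), effective(new_file))
    print("fa1 on Nu/:", effective(NU_ACCESS)[("user", "fa1")])  # no x: cannot enter
```

Run on the thread's own data, it reproduces the 664 and the `#effective` values of `test.html`, the 775 shown for `public` after `setfacl -m`, and shows that fa1's `rw-` entry on `Nu/` lacks the execute bit needed to enter a directory.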
You can check the umask value by typing the command umask. ==> If you can, could you give an example of calculating permissions when using an access ACL and a default ACL?
Regarding my Samba audit configuration above:
smbd log information is saved to all of /var/log/samba/log.audit, /var/log/boot.log and /var/log/messages.
If it is saved like this, the log files will become very large.
Is there any way to save only to /var/log/samba/log.audit?
After that, I searched the Internet and changed the Samba audit configuration from local7 to local5, and
in file /etc/rsyslog.conf as follows:
*.info;mail.none;authpriv.none;cron.none;local5.none /var/log/messages
local7.*;local5.none /var/log/boot.log
Then the smbd log is saved only to /var/log/samba/log.audit,
but there is a problem with this:
/var/log/messages saves a lot of information about rsyslogd, like this:
rsyslogd-2177: imuxsock lost 541 messages from pid 3854 due to rate-limiting
rsyslogd-2177: imuxsock lost 558 messages from pid 1082 due to rate-limiting
rsyslogd-2177: imuxsock begins to drop messages from pid 1082 due to rate-limiting
rsyslogd-2177: imuxsock begins to drop messages from pid 3430 due to rate-limiting
I want /var/log/messages to save only information about the system; I do not need it to save information about rsyslogd.
Could anyone help solve this problem?
Thank you very much.
After finding more information: the cause of this log is rate-limiting.
I have disabled rate-limiting, and this log stopped.
Add two lines to the file /etc/rsyslog.conf:
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0