LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-21-2015, 10:44 AM   #1
MrScoville
LQ Newbie
 
Registered: Dec 2015
Posts: 10

Rep: Reputation: Disabled
Smile Samba newbie... Anyone got the time to take a look at my config?


Quite frankly I'm not only a freshman when it comes to samba, but I'm not that interested in getting an expert. Because the only reason I'm using it it lazyness. I could set up an FTP server or whatnot on my Raspberry to accomplish the same goals which are, essentially, just a few pushes and shoves of files and folders and tarballs every other day.

The only share that is involved is a folder named "/transfer" which is (a) a discrete partition (although mounted at boot time) and (b) owned by "root", group'ed to "sambausers", and set to 0770.

The group "sambausers" is in no case a user's primary group, but they become explicitly added to the group per use-case. Members of the group "sambausers" are assigned "/bin/nologin" as their shell so they cannot login to the Raspberry locally or remotely via ssh. Users of the group "sambausers" will only belong to this group and their personal group (user "foo" -> group "foo").

My /etc/samba/smb.conf looks like this:

Code:
[global]
   workgroup = smb
   wins support = no
   dns proxy = no
   server role = standalone server

   # eth0 is the standard Cat5 wired ethernet port
   interfaces = eth0
   bind interfaces only = yes

   security = user
   usershare allow guests = no

   panic action = /usr/share/samba/panic-action %d
   log file = /var/log/samba/log.%m
   max log size = 10000
   syslog = 0

[transfer]
   path = /transfer
   public = no
   writeable = no
   write list = @sambausers
   printable = no
   guest ok = no
   create mask = 0770
   directory mask = 0770
"eth0" has been configured to be a static a.b.c.d/24 interface in "/etc/network/interfaces".

To make things short: Is this config for a device that "lives at home" most of the time sufficient? Anything weird? Unneeded? Missing?

Thanks in advance for any hints etc.,

AND HAVE A MERRY CHRISTMAS EVERYONE! *<:-{)}
 
Old 12-22-2015, 07:27 AM   #2
rtmistler
Moderator
 
Registered: Mar 2011
Location: MA, USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu, Debian
Posts: 7,214
Blog Entries: 12

Rep: Reputation: 2656Reputation: 2656Reputation: 2656Reputation: 2656Reputation: 2656Reputation: 2656Reputation: 2656Reputation: 2656Reputation: 2656Reputation: 2656Reputation: 2656
Does it work for you?
 
Old 12-22-2015, 10:56 AM   #3
MrScoville
LQ Newbie
 
Registered: Dec 2015
Posts: 10

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by rtmistler View Post
Does it work for you?
Yes, it does, but that doesn't answer my question. As I said, I am a newbie to Samba stuff, and I wouldn't like my toy to be vulnerable because of my ignorance... I don't need a rock-solid masterpiece of marble, just want it not to appear as the open gate of a castle to some script kiddies from China

Nevertheless, have a merry xmas!
 
Old 12-22-2015, 12:09 PM   #4
rtmistler
Moderator
 
Registered: Mar 2011
Location: MA, USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu, Debian
Posts: 7,214
Blog Entries: 12

Rep: Reputation: 2656Reputation: 2656Reputation: 2656Reputation: 2656Reputation: 2656Reputation: 2656Reputation: 2656Reputation: 2656Reputation: 2656Reputation: 2656Reputation: 2656
You say it's on a private Ethernet interface?

If so, the solution is not in SAMBA configuration but configuration your system where it will not allow traffic from the public Ethernet to get to your private Ethernet. Also because you've already limited SAMBA to that wired Ethernet, it will then not be available to the public one ... I'm assuming WIFI?
 
Old 12-22-2015, 12:46 PM   #5
MrScoville
LQ Newbie
 
Registered: Dec 2015
Posts: 10

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by rtmistler View Post
You say it's on a private Ethernet interface?

If so, the solution is not in SAMBA configuration but configuration your system where it will not allow traffic from the public Ethernet to get to your private Ethernet. Also because you've already limited SAMBA to that wired Ethernet, it will then not be available to the public one ... I'm assuming WIFI?
Well, most of the time it will be wired Ethernet, exactly. But the toy has been equipped with a WiFi stick, and a GSM/GPRS hat. Both are not yet configured to be up, but they will eventually. As long as the Pi is "at home", it will be connected to my local network which actually consists of my notebook, a hub, and the Pi.

The thing is, "my Pi" is going to move to wherever I go, and perhaps even further. And I want to teach it to connect to whatever available internet access point if in need. Like it was urgently wanting to learn and communicate. Let's call it a slightly different approach to "Tell, don't ask".

But anyhow, the question remains: Does my config look secure to you experts?

Last edited by MrScoville; 12-22-2015 at 12:47 PM.
 
Old 12-22-2015, 01:46 PM   #6
rtmistler
Moderator
 
Registered: Mar 2011
Location: MA, USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu, Debian
Posts: 7,214
Blog Entries: 12

Rep: Reputation: 2656Reputation: 2656Reputation: 2656Reputation: 2656Reputation: 2656Reputation: 2656Reputation: 2656Reputation: 2656Reputation: 2656Reputation: 2656Reputation: 2656
Once again I feel the security of that interface is better handled at configuring that interface and not merely the Samba protocol. I see no problem with the Samba configuration. You've limited the users and the network interface that it gets used on.
 
  


Reply

Tags
samba


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Files on samba share getting nobody rather than forced user from samba config rjo98 Linux - Server 7 03-25-2014 03:17 AM
Newbie: Samba under Ubuntu - default config locations don't match samba.org mdutch Ubuntu 0 08-28-2009 03:38 PM
Webmin cannot handle Samba config files that use the config or include directives allelopath Linux - Networking 3 01-18-2005 10:36 AM
config samba for Newbie like me lukalinuix Linux - Networking 8 06-23-2004 03:33 AM
possible samba config problem or network config issue? rruffin Linux - Networking 3 06-03-2003 05:04 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 08:38 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration