Securizar un servidor de fichièrs e d'estampatge Samba

Perfils de seguretat de Samba

Los dos nivèls de seguretat disponibles pel protocòl de ret CIFS (Common Internet Filesystem) son user-level e share-level. La mesa en òbra de las opcions de seguretat de Samba permet mai de flexibilitat en provesissent quatre possibilitat de seguretat al nivèl de l'utilizaire mai una al nivèl del partiment :

  • security = user: impausa als clients de provesir un nom d'utilizaire e un senhal per se connectar als partiments. Los comptes d'utilizaires Samba son diferents dels comptes de sistèma, mas lo paquet libpam-smbpass permet de sincronizar los utilizaires e senhal del sistèma amb la banca de donadas dels utilizaires Samba.

  • security = domain: this mode allows the Samba server to appear to Windows clients as a Primary Domain Controller (PDC), Backup Domain Controller (BDC), or a Domain Member Server (DMS). See the section called “Samba coma contrarotlador de domeni” for further information.

  • security = ADS: allows the Samba server to join an Active Directory domain as a native member. See the section called “Integracion de Samba a l'Active Directory.” for details.

  • security = server: this mode is left over from before Samba could become a member server, and, due to some security issues, should not be used. See the Server Security section of the Samba guide for more details.

  • security = share: allows clients to connect to shares without supplying a username and password.

The preferred security mode depends on the environment and what the Samba server needs to accomplish.

Security = User

This section will reconfigure the Samba file and print server, from the section called “Servidor de fichièrs Samba” and the Print Server, to require authentication.

First, install the libpam-smbpass package which will sync the system users to the Samba user database:

sudo apt-get install libpam-smbpass

Note

If the Samba Server task was chosen during installation, libpam-smbpass is already installed.

Modificatz la seccion [share] del fichièr /etc/samba/smb.conf :

guest ok = no

Per acabar, reaviatz Samba per que los paramètres novèls sián preses en compte :

sudo /etc/init.d/samba restart

Now when connecting to the shared directories or printers, there will be a prompt for a username and password.

Note

To map a network drive to the share, “Reconnect at Logon” should be checked, which will require the username and password to be entered just once, at least until the password changes.

Seguretat dels Partiments

There are several options available to increase the security for each individual shared directory. Using the [share] example, this section will cover some common options.

Gropes

Groups define a collection of computers or users which have a common level of access to particular network resources and offer a level of granularity in controlling access to such resources. For example, if a group qa is defined and contains the users freda, danika, and rob and a second group support is defined and consists of users danika, jeremy, and vincent, then certain network resources configured to allow access by the qa group will subsequently enable access by freda, danika, and rob, but not jeremy or vincent. Since the user danika belongs to both the qa and support groups, she will be able to access resources configured for access by both groups, whereas all other users will have only access to resources explicitly allowing the group they are part of.

By default Samba looks for the local system groups defined in /etc/group to determine which users belong to which groups. For more information on adding and removing users from groups see Basics.

When defining groups in the Samba configuration file, /etc/samba/smb.conf, the recognized syntax is to preface the group name with an "@" symbol. For example, to define a group named sysadmin in a certain section of the /etc/samba/smb.conf, the group name would be entered as @sysadmin.

Dreches d'accès als fichièrs

File Permissions define the explicit rights a computer or user has to a particular directory, file, or set of files. Such permissions may be defined by editing the /etc/samba/smb.conf file and specifying the explicit permissions of a defined file share.

For example, for a defined Samba share called share and the need to give read-only permissions to the group of users known as qa, while allowing write permissions to the share by the group called sysadmin and the user named vincent, then the /etc/samba/smb.conf file could be edited to add the following entries under the [share] entry:

read list = @qa
write list = @sysadmin, vincent

Another possible Samba permission is to declare administrative permissions to a particular shared resource. Users having administrative permissions may read, write, or modify any information contained in the resource where the user has been given explicit administrative permissions.

For example, to give the user melissa administrative permissions to the share example, the /etc/samba/smb.conf file would be edited to add the following line under the [share] entry:

admin users = melissa

After editing /etc/samba/smb.conf, restart Samba for the changes to take effect:

sudo /etc/init.d/samba restart

Note

For the read list and write list to work the Samba security mode must not be set to security = share

Now that Samba has been configured to limit which groups have access to the shared directory, the filesystem permissions need to be updated.

Traditional Linux file permissions do not map well to Windows NT Access Control Lists (ACLs). Fortunately POSIX ACLs are available on Kubuntu servers providing more fine grained control. For example, to enable ACLs on /srv an EXT3 filesystem, edit /etc/fstab adding the acl option:

UUID=66bcdd2e-8861-4fb0-b7e4-e61c569fe17d /srv  ext3    noatime,relatime,acl 0 
    1

Puèi remontatz la particion :

sudo mount -v -o remount /srv

Note

The above example assumes /srv on a separate partition. If /srv, or wherever the share path is configured, is part of the / partition, a reboot may be required.

To match the Samba configuration above, the sysadmin group will be given read, write, and execute permissions to /srv/samba/share, the qa group will be given read and execute permissions, and the files will be owned by the username melissa. Enter the following in a terminal:

sudo chown -R melissa /srv/samba/share/
sudo chgrp -R sysadmin /srv/samba/share/
sudo setfacl -R -m g:qa:rx /srv/samba/share/

Note

The setfacl command above gives execute permissions to all files in the /srv/samba/share directory, which may or may not be desirable.

A Windows client will show that the new file permissions are implemented. See the acl and setfacl man pages for more information on POSIX ACLs.

Perfil AppArmor per Samba

Kubuntu comes with the AppArmor security module, which provides mandatory access controls. The default AppArmor profile for Samba will need to be adapted to the proper configuration. For more details on using AppArmor, please refer to the wiki

There are default AppArmor profiles for /usr/sbin/smbd and /usr/sbin/nmbd, the Samba daemon binaries, as part of the apparmor-profiles packages. To install the package, from a terminal prompt, enter:

sudo apt-get install apparmor-profiles

Note

This package contains profiles for several other binaries.

By default the profiles for smbd and nmbd are in complain mode, allowing Samba to work without modifying the profile, and only logging errors. To place the smbd profile into enforce mode, and have Samba work as expected, the profile will need to be modified to reflect any directories that are shared.

Edit /etc/apparmor.d/usr.sbin.smbd, adding information for [share] from the file server example:

/srv/samba/share/ r,
/srv/samba/share/** rwkix,

Now place the profile into enforce and reload it:

sudo aa-enforce /usr/sbin/smbd
cat /etc/apparmor.d/usr.sbin.smbd | sudo apparmor_parser -r

It is now possible to read, write, and execute files in the shared directory as normal, and the smbd binary will have access to only the configured files and directories. Be sure to add entries for each directory that Samba is configured to share. Any errors will be logged to /var/log/syslog.

Ressorsas