Security

How to manage user security in Samba

When securing your Samba shares, start by locking down user and group security. Follow this tutorial to learn how.

securityistock000053145566bluebay2014.jpg
Image: iStock

Samba is a critical component to mixed-platform networks. If you have any intention of allowing Linux, Mac, and Windows seamlessly communicate with one another, chances are you've considered this open source service. If that's the case, you've probably also seriously considered user security. After all, you open up a Samba share without a nod to user security, and you run the risk of users gaining access to data they shouldn't.

So, where do you begin? How do you lock down your Samba shares? It all begins with users.

I'll walk you through some security best practices with regards to users and Samba. Once you put these into play (as/if needed), your Samba server will enjoy a new level of security.

SEE: Interview with a hacker: S1ege from Ghost Squad Hackers

Security by user or group

When you create a Samba share, you can do so for individual users or groups—this is a great way to lock down a particular share to a specific user or a group. How do you do this? Simple. Say you have a folder on a server that needs to be seen only by Olivia. Within the smb.conf configuration file, that share might look like:

[Olivia]
​   path = /data/olivia
​   read only = no
​   writeable = yes
​   browseable = yes
​   valid users = Olivia
​   create mask = 0640
​   directory mask = 0750
   force user = Olivia

You would have to make sure that (in this case) the user Olivia has permission to access the /data/olivia folder. This can be done with a command such as:

chown -R Olivia.Olivia /data/olivia

The valid users option informs Samba what users to limit the share to, and the force user option ensures all files are written as that user only. You can set multiple users for this, like so:

valid users = Olivia, Nathan, Bethany, Jamal

What if, however, you have a group called editorial, and you want to share the directory /data/editorial to that group? A share for that group would look like this:

[Editorial]
​   path = /data/editorial
​   read only = no
​   writeable = yes
​   browseable = yes
​   valid users = @editorial
​   create mask = 0660 
​   directory mask = 0770

The crucial bit is the @ character, which tells Samba that editorial is a group and not a user. With groups, you have to ensure that all members have been added to the group with a command like this:

usermod -a -G GROUPNAME USERNAME

GROUPNAME is the name of the group, and USERNAME is the name of the user to be added.

Controlling access to shares

You'll want to ensure particular users cannot access any Samba share on your server; those users are root, bin, daemon, adm, sync, shutdown, halt, mail, news, uucp, or operator. We block their access in the [global] define like so:

invalid users = root bin daemon adm sync shutdown halt mail news uucp operator

To block specific groups in the [global] definition, the invalid groups option must be used like so:

invalid groups = root sudo

Notice root is added as both a user and a group; this could prevent anyone added to the root group (which would have heightened permissions) from gaining access to the share.

Setting Samba passwords

One of the most commonly overlooked steps in setting up Samba is adding passwords for users. If you do not set Samba user passwords, users will not be able to access their shares. The command for adding a user Samba password is (USER is the actual user name):

smbpasswd -a USER

Now the user will be able to access their Samba share using their newly created Samba user password.

Samba security made easy

Once you understand how best to work with Samba and user/groups, the security aspect is significantly easier. There is quite a bit more you can do to lock down your shares, but taking the steps above will get you off and running toward that coveted land of best practices.

Also see

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.

Editor's Picks

Free Newsletters, In your Inbox