When securing your Samba shares, start by locking down user and group security. Follow this tutorial to learn how.
Samba is a critical component to mixed-platform networks. If you have any intention of allowing Linux, Mac, and Windows seamlessly communicate with one another, chances are you've considered this open source service. If that's the case, you've probably also seriously considered user security. After all, you open up a Samba share without a nod to user security, and you run the risk of users gaining access to data they shouldn't.
So, where do you begin? How do you lock down your Samba shares? It all begins with users.
I'll walk you through some security best practices with regards to users and Samba. Once you put these into play (as/if needed), your Samba server will enjoy a new level of security.
Security by user or group
When you create a Samba share, you can do so for individual users or groups--this is a great way to lock down a particular share to a specific user or a group. How do you do this? Simple. Say you have a folder on a server that needs to be seen only by Olivia. Within the smb.conf configuration file, that share might look like:
[Olivia] path = /data/olivia read only = no writeable = yes browseable = yes valid users = Olivia create mask = 0640 directory mask = 0750 force user = Olivia
You would have to make sure that (in this case) the user Olivia has permission to access the /data/olivia folder. This can be done with a command such as:
chown -R Olivia.Olivia /data/olivia
The valid users option informs Samba what users to limit the share to, and the force user option ensures all files are written as that user only. You can set multiple users for this, like so:
valid users = Olivia, Nathan, Bethany, Jamal
What if, however, you have a group called editorial, and you want to share the directory /data/editorial to that group? A share for that group would look like this:
[Editorial] path = /data/editorial read only = no writeable = yes browseable = yes valid users = @editorial create mask = 0660 directory mask = 0770
The crucial bit is the @ character, which tells Samba that editorial is a group and not a user. With groups, you have to ensure that all members have been added to the group with a command like this:
usermod -a -G GROUPNAME USERNAME
GROUPNAME is the name of the group, and USERNAME is the name of the user to be added.
Controlling access to shares
You'll want to ensure particular users cannot access any Samba share on your server; those users are root, bin, daemon, adm, sync, shutdown, halt, mail, news, uucp, or operator. We block their access in the [global] define like so:
invalid users = root bin daemon adm sync shutdown halt mail news uucp operator
To block specific groups in the [global] definition, the invalid groups option must be used like so:
invalid groups = root sudo
Notice root is added as both a user and a group; this could prevent anyone added to the root group (which would have heightened permissions) from gaining access to the share.
Setting Samba passwords
One of the most commonly overlooked steps in setting up Samba is adding passwords for users. If you do not set Samba user passwords, users will not be able to access their shares. The command for adding a user Samba password is (USER is the actual user name):
smbpasswd -a USER
Now the user will be able to access their Samba share using their newly created Samba user password.
Samba security made easy
Once you understand how best to work with Samba and user/groups, the security aspect is significantly easier. There is quite a bit more you can do to lock down your shares, but taking the steps above will get you off and running toward that coveted land of best practices.
- How to deploy a Samba domain controller in under 10 minutes (TechRepublic)
- How to set up quick and easy file sharing with Samba (TechRepublic)
- How to add users to shares with the TurnKey Linux FileServer appliance (TechRepublic)
- How to force users to create secure passwords on Linux (TechRepublic)
- How to defend against the internet's doomsday of DDoS attacks (ZDNet)
- Security awareness and training policy (Tech Pro Research)