Re: [CentOS] Samba vs. Firewall and/or SELinux
On Mon, Dec 31, 2012 at 6:41 PM, Mark LaPierre wrote:
> On 12/31/2012 07:27 PM, Rob Townley wrote:
>> On Fri, Dec 28, 2012 at 9:10 AM, Craig White wrote:
>>> [...]
>>> chirp users /data/public -R
>>> chmod g+s /data/public -R
>>>
>>> will ensure that all files/folders in /data/public are owned by the group
>>> 'users' and any new files/folders created within (whether by samba or not)
>>> belong to that group.
>>> [...]
>>
>> What is the chirp command and where is it found?
>> "yum search all chirp" yielded nothing.
>
> I believe you will find that chirp was a fat finger for chgrp.

THANK YOU... I could not figure out the typo quickly. I wanted to make sure the complete and correct reference is there when I need it some time at 3am.

> --
>    _
>   °v°
>  /(_)\
>   ^ ^  Mark LaPierre
> Registered Linux user No #267004
> https://linuxcounter.net/

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Samba vs. Firewall and/or SELinux
On 12/31/2012 07:27 PM, Rob Townley wrote:
> On Fri, Dec 28, 2012 at 9:10 AM, Craig White wrote:
>> [...]
>> chirp users /data/public -R
>> chmod g+s /data/public -R
>>
>> will ensure that all files/folders in /data/public are owned by the group
>> 'users' and any new files/folders created within (whether by samba or not)
>> belong to that group.
>> [...]
>
> What is the chirp command and where is it found?
> "yum search all chirp" yielded nothing.

I believe you will find that chirp was a fat finger for chgrp.

--
   _
  °v°
 /(_)\
  ^ ^  Mark LaPierre
Registered Linux user No #267004
https://linuxcounter.net/
Re: [CentOS] Samba vs. Firewall and/or SELinux
On Fri, Dec 28, 2012 at 9:10 AM, Craig White wrote:
> I guess I'm not sure what the point is by having files owned by 'nobody'
> and then adding nobody 'user' to the 'users' group - that seems to be some
> rather twisted logic that has security implications far beyond the simple
> samba share configuration but hey… it's your box.
>
> chirp users /data/public -R
> chmod g+s /data/public -R
>
> will ensure that all files/folders in /data/public are owned by the group
> 'users' and any new files/folders created within (whether by samba or not)
> belong to that group.
>
> if you add 'inherit permissions = yes' to the 'share' definition in
> smb.conf, that also will impact.
> Yes, you could also add:
> force security mode = 770 #or 775
> force directory security mode = 770 #or 775
> within the share definition too.

What is the chirp command and where is it found?
"yum search all chirp" yielded nothing.
Re: [CentOS] Samba vs. Firewall and/or SELinux
You need to open the service in the firewall. Type setup, go to the firewall and mark samba. Then you will see all folders on the Windows PC.

On Dec 28, 2012 10:11 AM, "Craig White" wrote:
> On Dec 28, 2012, at 5:13 AM, Ibrahim Yurtseven wrote:
>> [...]
>> What is the trick in smb.conf so that the files will be owned by the
>> group "users"? I'm working with the parameter "create mask = 777". I
>> would rather work with 770 and the files should be owned by the user
>> "nobody" and the group "users".
>
> [...]
> chirp users /data/public -R
> chmod g+s /data/public -R
>
> will ensure that all files/folders in /data/public are owned by the group
> 'users' and any new files/folders created within (whether by samba or not)
> belong to that group.
> [...]
>
>> Works in permissive mode with the firewall activated, but I changed
>> "security=share" to "security=user" in smb.conf as well. So the
>> access to the samba share works now in enforcing mode, too.
>
> in my opinion, security=user is always the better solution.
>
> Craig
Re: [CentOS] Samba vs. Firewall and/or SELinux
On Dec 28, 2012, at 5:13 AM, Ibrahim Yurtseven wrote:
> Daniel J Walsh wrote:
>> Not a great idea since every user will be allowed to read/write/execute in
>> this directory.
> I ran chown with root:users for data public in recursive mode and added
> nobody to the group users, but files created via samba are owned by
> nobody:nobody instead of nobody:users, so my local user is not allowed to
> write and read the files added via samba. So I decided to grant rwx access
> to all. What is the trick in smb.conf so that the files will be owned by the
> group "users"? I'm working with the parameter "create mask = 777". I would
> rather work with 770 and the files should be owned by the user "nobody" and
> the group "users".

I guess I'm not sure what the point is by having files owned by 'nobody' and then adding nobody 'user' to the 'users' group - that seems to be some rather twisted logic that has security implications far beyond the simple samba share configuration but hey… it's your box.

chirp users /data/public -R
chmod g+s /data/public -R

will ensure that all files/folders in /data/public are owned by the group 'users' and any new files/folders created within (whether by samba or not) belong to that group.

if you add 'inherit permissions = yes' to the 'share' definition in smb.conf, that also will impact.
Yes, you could also add:
force security mode = 770 #or 775
force directory security mode = 770 #or 775
within the share definition too.

>> I would just check if it works in permissive mode then we can blame this on
>> SELinux, if not, then it is not SELinux problem.
> Works in permissive mode with the firewall activated, but I changed
> "security=share" to "security=user" in smb.conf as well. So the
> access to the samba share works now in enforcing mode, too.

in my opinion, security=user is always the better solution.

Craig
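As an added illustration of the chgrp + setgid recipe in the message above (my own code, not Craig's and not part of Samba), this script applies it to a scratch directory and checks that a file created afterwards inherits the directory's group, which is what makes files written through the share land in 'users'. It assumes a Linux filesystem that honours the setgid bit and picks a group the current user belongs to at run time, so it needs no root.

```python
"""Added example, not code from the thread: apply Craig's chgrp + setgid
recipe to a scratch directory and check that a new file inherits the
directory's group, as files written through the share would. Runs
unprivileged; the group is picked from the caller's own memberships."""
import grp
import os
import stat
import tempfile


def candidate_groups():
    """Supplementary groups first, primary group last (assumed to exist)."""
    primary = os.getgid()
    return [g for g in os.getgroups() if g != primary] + [primary]


def group_name(gid):
    """Resolve a gid for display; containers may lack /etc/group entries."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def setup_share_dir(path, gid):
    """The recipe: chgrp -R <group>, then setgid on directories only.
    Craig's 'chmod g+s -R' also sets the bit on regular files, where it has
    no useful effect (and on executables would create setgid programs).
    2770 matches 'force directory security mode = 770' from the thread."""
    for root, _dirs, files in os.walk(path):
        for name in files:
            os.chown(os.path.join(root, name), -1, gid)
        os.chown(root, -1, gid)
        os.chmod(root, 0o2770)


def check_inheritance(path, gid):
    """Create a file under path and return what ls -l would show."""
    new_file = os.path.join(path, "newfile.txt")
    with open(new_file, "w") as fh:
        fh.write("constructed test content\n")
    dir_mode = os.stat(path).st_mode
    return {
        "setgid_set": bool(dir_mode & stat.S_ISGID),
        "dir_gid": os.stat(path).st_gid,
        "file_gid": os.stat(new_file).st_gid,
        "inherited": os.stat(new_file).st_gid == gid,
    }


def run_demo():
    """Try each group until chgrp succeeds (rootless containers can map
    some supplementary gids to nothing), then run the inheritance check."""
    with tempfile.TemporaryDirectory() as share:
        os.mkdir(os.path.join(share, "sub"))
        for gid in candidate_groups():
            try:
                setup_share_dir(share, gid)
            except OSError:
                continue
            result = check_inheritance(os.path.join(share, "sub"), gid)
            result["group"] = group_name(gid)
            return result
    raise RuntimeError("no usable group found")
```

Run `print(run_demo())`; the file in the subdirectory reports the directory's group even though the process that created it may have a different primary group.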
Re: [CentOS] Samba vs. Firewall and/or SELinux
Daniel J Walsh wrote:
> Not a great idea since every user will be allowed to read/write/execute in
> this directory.

I ran chown with root:users for data public in recursive mode and added nobody to the group users, but files created via samba are owned by nobody:nobody instead of nobody:users, so my local user is not allowed to write and read the files added via samba. So I decided to grant rwx access to all. What is the trick in smb.conf so that the files will be owned by the group "users"? I'm working with the parameter "create mask = 777". I would rather work with 770 and the files should be owned by the user "nobody" and the group "users".

> I would just check if it works in permissive mode then we can blame this on
> SELinux, if not, then it is not SELinux problem.

Works in permissive mode with the firewall activated, but I changed "security=share" to "security=user" in smb.conf as well. So the access to the samba share works now in enforcing mode, too.

--
Ibrahim "Arastirmacilar" Yurtseven
2.6.32-279.19.1.el6.i686
Re: [CentOS] Samba vs. Firewall and/or SELinux
On 12/27/2012 10:26 AM, Ibrahim Yurtseven wrote:
> Daniel J Walsh wrote:
>> You did run restorecon on /data? restorecon -R -v /data
> No, only on /data/public
>
> sh-4.1$ restorecon -R -v /data
> restorecon: unable to read directory /data

Run the restorecon command as root.

> I configured my smb with this (German) tutorial:
> http://www.gtkdb.de/index_7_1356.html
>
> But I tried to configure writeable access for guests, so I didn't add a
> new user in samba and ran chown to nobody:nobody instead of root:users and
> chmod to ogu+rwx!

Not a great idea since every user will be allowed to read/write/execute in this directory.

>> Does it work in permissive mode?
> Just tested with "enforcing". Should I switch to permissive mode?

I would just check if it works in permissive mode; then we can blame this on SELinux, and if not, then it is not an SELinux problem.
Re: [CentOS] Samba vs. Firewall and/or SELinux
On Dec 27, 2012, at 6:09 AM, Ibrahim Yurtseven wrote:
> [global]
> workgroup = NETZWERK
> server string = Samba Server Version %v
> security = SHARE
> log file = /var/log/samba/log.%m
> max log size = 50
> cups options = raw
>
> [public]
> comment = hier kannn reinkopiert werden
> path = /data/public
> read only = No
> create mask = 0777
> guest only = Yes
> guest ok = Yes
>
> sh-4.1# cat /etc/samba/smbusers
> # Unix_name = SMB_name1 SMB_name2 ...
> root = administrator admin
> nobody = guest pcguest smbguest
>
> sh-4.1# ls -lisah /data/public
> total 144M
> 1703938  12K drwxrwxrwx. 4 nobody users   12K Dec 27 13:39 .
> 1703937 4.0K drwxr-xr-x. 3 root   root   4.0K Dec 22 19:43 ..
> 1706985 144M -rwxrw-rw-  1 nobody nobody 144M Dec 27 13:39 Disney_ Alice im Wunderland (1951).mp4

perhaps testparm -sv would have been more useful/explicit just to confirm the default values are what you believe them to be but… assuming that:

ls -ld /data/
ls -ld /data/public

are rwxrwxrwx (or something that permits user 'nobody') you might want to ensure that 'guest account = nobody' is specifically set in the global section.

I have no experience with 'security = share' and tend to use 'security = user' and with this setup, I think you can use 'map to bad user' to achieve something similar but I suspect that you can make it work.

The concept of security = share is to mimic Windows 95/98 file sharing mode which requires only a password. I don't know that it is well supported by Windows Vista, 7 or 8 clients.

Craig
Re: [CentOS] Samba vs. Firewall and/or SELinux
Daniel J Walsh wrote:
> You did run restorecon on /data? restorecon -R -v /data

No, only on /data/public

sh-4.1$ restorecon -R -v /data
restorecon: unable to read directory /data

I configured my smb with this (German) tutorial: http://www.gtkdb.de/index_7_1356.html

But I tried to configure writeable access for guests, so I didn't add a new user in samba and ran chown to nobody:nobody instead of root:users and chmod to ogu+rwx!

> Does it work in permissive mode?

Just tested with "enforcing". Should I switch to permissive mode?

--
Ibrahim "Arastirmacilar" Yurtseven
2.6.32-279.19.1.el6.i686
Re: [CentOS] Samba vs. Firewall and/or SELinux
On 12/27/2012 08:09 AM, Ibrahim Yurtseven wrote:
> Hi all.
>
> I created a smb-share on my el6 for all windows-pcs in my home-network (I'm
> the only Linux-User in my family) for sharing all the stuff we have, like
> music and videos and documents. The share will be shown on the other pcs
> (Windows XP), but they can't open it. The error-message is "Share not
> found", in our preferred language of course!
>
> SELINUX-CONFIG
> sh-4.1# cat /etc/selinux/targeted/contexts/files/file_contexts.local
> # This file is auto-generated by libsemanage
> # Do not edit directly.
>
> /data(/.*)?    system_u:object_r:samba_share_t:s0
>
> FIREWALL-CONFIG (Port 901 is for SWAT)
> sh-4.1# cat /etc/sysconfig/iptables
> [...]
>
> SAMBA-CONFIG ("Alice im Wunderland" is the testfile I uploaded with the
> firewall and SELinux disabled)
> sh-4.1# testparm
> [...]
> sh-4.1# ls -lisah /data/public
> total 144M
> 1703938  12K drwxrwxrwx. 4 nobody users   12K Dec 27 13:39 .
> 1703937 4.0K drwxr-xr-x. 3 root   root   4.0K Dec 22 19:43 ..
> 1706985 144M -rwxrw-rw-  1 nobody nobody 144M Dec 27 13:39 Disney_ Alice im Wunderland (1951).mp4

You did run restorecon on /data?

restorecon -R -v /data

Does it work in permissive mode?
Re: [CentOS] Samba vs. Firewall and/or SELinux
Earl A Ramirez wrote:
> Is the nmb service running?

sh-4.1# service nmb status
nmbd (pid 1863) is running...

I set up nmb like smb with system-config-services. It starts automatically on boot.

The nmb service is started once, usually when the system is booted, runs in the background and wakes up when needed.
This service is enabled.
This service is running.
Starts and stops the Samba nmbd daemon used to provide NetBIOS name services.

--
Ibrahim "Arastirmacilar" Yurtseven
2.6.32-279.19.1.el6.i686
Re: [CentOS] Samba vs. Firewall and/or SELinux
On 27 December 2012 21:09, Ibrahim Yurtseven wrote:
> Hi all.
>
> I created a smb-share on my el6 for all windows-pcs in my
> home-network (I'm the only Linux-User in my family) for sharing all the
> stuff we have, like music and videos and documents. The share will be
> shown on the other pcs (Windows XP), but they can't open it. The
> error-message is "Share not found", in our preferred language of course!
>
> SELINUX-CONFIG
> sh-4.1# cat /etc/selinux/targeted/contexts/files/file_contexts.local
> # This file is auto-generated by libsemanage
> # Do not edit directly.
>
> /data(/.*)?    system_u:object_r:samba_share_t:s0
>
> FIREWALL-CONFIG (Port 901 is for SWAT)
> sh-4.1# cat /etc/sysconfig/iptables
> [...]
>
> SAMBA-CONFIG ("Alice im Wunderland" is the testfile I uploaded with the
> firewall and SELinux disabled)
> sh-4.1# testparm
> [...]
>
> --
> Ibrahim "Arastirmacilar" Yurtseven
> 2.6.32-279.19.1.el6.i686

Is the nmb service running?

--
Kind Regards
Earl Ramirez
[CentOS] Samba vs. Firewall and/or SELinux
Hi all.

I created a smb-share on my el6 for all windows-pcs in my home-network (I'm the only Linux-User in my family) for sharing all the stuff we have, like music and videos and documents. The share will be shown on the other pcs (Windows XP), but they can't open it. The error-message is "Share not found", in our preferred language of course!

SELINUX-CONFIG

sh-4.1# cat /etc/selinux/targeted/contexts/files/file_contexts.local
# This file is auto-generated by libsemanage
# Do not edit directly.

/data(/.*)?    system_u:object_r:samba_share_t:s0

FIREWALL-CONFIG (Port 901 is for SWAT)

sh-4.1# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Dec 20 17:28:14 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 901 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
COMMIT
# Completed on Thu Dec 20 17:28:14 2012

SAMBA-CONFIG ("Alice im Wunderland" is the testfile I uploaded with the firewall and SELinux disabled)

sh-4.1# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[public]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
	workgroup = NETZWERK
	server string = Samba Server Version %v
	security = SHARE
	log file = /var/log/samba/log.%m
	max log size = 50
	cups options = raw

[public]
	comment = hier kannn reinkopiert werden
	path = /data/public
	read only = No
	create mask = 0777
	guest only = Yes
	guest ok = Yes

sh-4.1# cat /etc/samba/smbusers
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest

sh-4.1# ls -lisah /data/public
total 144M
1703938  12K drwxrwxrwx. 4 nobody users   12K Dec 27 13:39 .
1703937 4.0K drwxr-xr-x. 3 root   root   4.0K Dec 22 19:43 ..
1706985 144M -rwxrw-rw-  1 nobody nobody 144M Dec 27 13:39 Disney_ Alice im Wunderland (1951).mp4

--
Ibrahim "Arastirmacilar" Yurtseven
2.6.32-279.19.1.el6.i686
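To tie the replies in this thread back to the configuration posted above, here is an added checker (my own code, not part of the thread or of Samba) that parses an smb.conf in the format testparm dumps and flags the settings the replies warn about: security = share, a world-writable create or directory mask, no explicit guest account, and a guest share that is writable. The sample configuration is constructed from the [global] and [public] stanzas above; the finding texts are mine.

```python
"""Added example, not from the thread: audit an smb.conf against the advice
given in the replies (security = user, 0770/0775 masks with group ownership,
an explicit guest account). The sample below is constructed from the
original poster's testparm output."""
import re

# Constructed sample: the poster's [global] and [public] stanzas.
SAMPLE_SMB_CONF = """
[global]
    workgroup = NETZWERK
    server string = Samba Server Version %v
    security = SHARE
    log file = /var/log/samba/log.%m
    max log size = 50
    cups options = raw

[public]
    comment = hier kannn reinkopiert werden
    path = /data/public
    read only = No
    create mask = 0777
    guest only = Yes
    guest ok = Yes
"""


def parse_smb_conf(text):
    """Parse smb.conf's INI-like syntax into {section: {key: value}}.
    Samba matches keys case-insensitively and ignores internal whitespace,
    so keys are lower-cased with runs of whitespace collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf[section] = {}
            continue
        if section is None or "=" not in line:
            continue  # stray line outside any section
        key, _, value = line.partition("=")
        conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def world_writable(mask):
    """True if an octal create/directory mask grants write to 'other'."""
    try:
        return int(mask, 8) & 0o002 != 0
    except ValueError:
        return False


def audit(conf):
    """Return (section, finding) pairs for the settings the thread warns about."""
    findings = []
    g = conf.get("global", {})
    if g.get("security", "user").lower() == "share":
        findings.append(("global", "security = share is share-level auth; "
                                   "the thread's consensus is security = user"))
    guest_shares = [s for s, p in conf.items()
                    if s != "global" and p.get("guest ok", "no").lower() == "yes"]
    if guest_shares and "guest account" not in g:
        findings.append(("global", "guest shares exist but 'guest account' "
                                   "is not set explicitly"))
    for s, p in conf.items():
        if s == "global":
            continue
        for key in ("create mask", "directory mask"):
            if key in p and world_writable(p[key]):
                findings.append((s, f"{key} = {p[key]} is world-writable; "
                                    "prefer 0770/0775 plus group ownership"))
        if (p.get("guest ok", "no").lower() == "yes"
                and p.get("read only", "yes").lower() == "no"):
            findings.append((s, "anonymous guests can write to this share"))
    return findings
```

Running `audit(parse_smb_conf(SAMPLE_SMB_CONF))` on the poster's stanzas yields two global findings and two for [public], which is exactly the set of changes the replies converge on.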