To restrict users per share, you can use the valid users parameter. In the example below, only the users listed as valid will be able to access the tennis share.
[tennis]
path = /srv/samba/tennis
comment = authenticated and valid users only
read only = No
guest ok = No
valid users = serena, kim, venus, justine
If you are paranoid, you can also use invalid users to explicitly deny the listed users access. A user who appears in both lists has no access: invalid users is checked first, so the deny wins.
[tennis]
path = /srv/samba/tennis
read only = No
guest ok = No
valid users = kim, serena, venus, justine
invalid users = venus
The hosts allow (or allow hosts) parameter is one of the key advantages of Samba: it allows access control of shares at the IP address level. To allow only specific hosts to access a share, list the hosts, separated by commas (spaces also work). Note that a host that passes this check still has to authenticate; hosts allow restricts where a connection may come from, it does not replace user-level passwords.
allow hosts = 192.168.1.5, 192.168.1.40
Allowing an entire subnet is done by ending the address with a dot: the entry is then a prefix match on the client's IP address.
allow hosts = 192.168.1.
Subnet masks can be added in the classical dotted notation (a prefix length such as 10.0.0.0/8 is accepted as well).
allow hosts = 10.0.0.0/255.0.0.0
You can also allow an entire subnet with exceptions.
hosts allow = 10. except 10.0.0.12
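The access rules above (valid users, invalid users, hosts allow and hosts deny, including the except clause) are easy to get wrong when several of them are combined on one share. The following script is an added example, not Samba's own code: it replays the documented decision rules on constructed client names and addresses so that a configuration can be checked before smbd is reloaded. It handles exact addresses, dotted prefixes, network/mask and network/bits entries, ALL and EXCEPT; hostname tokens (".example.com", LOCAL) and @group entries are deliberately left out. The precedence it encodes (invalid users before valid users; hosts allow before hosts deny; localhost admitted unless explicitly denied; write list winning over read list) follows smb.conf(5).

```python
"""Added example (not Samba's code): replay Samba's share-level access
checks for valid users, invalid users, hosts allow, hosts deny, read list
and write list on constructed input. Hostname tokens and @group entries
are not supported here."""
import ipaddress


def _split(value):
    # smb.conf lists may be separated by commas, spaces or tabs
    return value.replace(",", " ").split()


def _token_matches(tok, ip):
    if tok.upper() == "ALL":
        return True
    if tok.endswith("."):                       # "192.168.1." is a prefix match
        return ip.startswith(tok)
    if "/" in tok:                              # "10.0.0.0/255.0.0.0" or "10.0.0.0/8"
        return ipaddress.ip_address(ip) in ipaddress.ip_network(tok, strict=False)
    return tok == ip                            # exact address


def list_matches(value, ip):
    """Does one hosts allow / hosts deny value match the client IP?
    Everything after EXCEPT is a second list that cancels the match."""
    tokens = _split(value)
    upper = [t.upper() for t in tokens]
    cut = upper.index("EXCEPT") if "EXCEPT" in upper else len(tokens)
    included, excluded = tokens[:cut], tokens[cut + 1:]
    if not any(_token_matches(t, ip) for t in included):
        return False
    return not any(_token_matches(t, ip) for t in excluded)


def host_allowed(ip, hosts_allow="", hosts_deny=""):
    """Precedence between the two lists as documented in smb.conf(5):
    loopback gets in unless explicitly denied; an allow list on its own
    admits only listed hosts; a deny list on its own admits everyone else;
    with both lists a host matching hosts allow wins even if hosts deny
    also names it, and a host in neither list is admitted."""
    allow, deny = _split(hosts_allow), _split(hosts_deny)
    if ipaddress.ip_address(ip).is_loopback:
        return not (deny and list_matches(hosts_deny, ip))
    if not allow and not deny:
        return True
    if not deny:
        return list_matches(hosts_allow, ip)
    if not allow:
        return not list_matches(hosts_deny, ip)
    if list_matches(hosts_allow, ip):
        return True
    return not list_matches(hosts_deny, ip)


def user_allowed(user, valid_users="", invalid_users=""):
    """invalid users is tested first, so a name in both lists is denied."""
    if user in _split(invalid_users):
        return False
    valid = _split(valid_users)
    return not valid or user in valid


def read_only_for(user, read_only, read_list="", write_list=""):
    """read list forces read-only on a writable share, write list forces
    write access on a read only share; write list wins when a user is in
    both, as smb.conf(5) states for write list."""
    result = read_only
    if user in _split(read_list):
        result = True
    if user in _split(write_list):
        result = False
    return result


if __name__ == "__main__":
    # constructed clients against the tennis share and the exercise answers
    print(user_allowed("venus", "kim, serena, venus, justine", "venus"))      # False: in both lists
    print(host_allowed("10.0.0.12", "10. except 10.0.0.12"))                 # False: EXCEPT clause
    print(host_allowed("192.168.1.203", "192.168.1.", "192.168.1.203"))      # True: allow checked first
    print(host_allowed("192.168.1.203", "192.168.1. except 192.168.1.203"))  # False
    print(read_only_for("sandra", read_only=True, write_list="sandra"))      # False: write list wins
```

The third call in the demo is the one to remember: a client that matches hosts allow is admitted before hosts deny is consulted, so a subnet-wide allow entry cannot be narrowed with a separate deny entry. Put the exception inside hosts allow instead.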
Setting hide unreadable to yes will prevent users from seeing files that cannot be read by them.
hide unreadable = yes
Setting browseable = no hides the share from My Network Places and from share listings in general. It does not prevent anyone who knows the share name from accessing it, so it hides the share but is not an access control.
Note that browsable and browseable are both correct syntax.
[pubread]
path = /srv/samba/readonly
comment = files to read
read only = yes
guest ok = yes
browseable = no
You can use create mask and directory mask to set the maximum allowed permissions for newly created files and directories. The mask is applied with a bitwise AND, so it can only take permissions away.
[tennis]
path = /srv/samba/tennis
read only = No
guest ok = No
create mask = 640
directory mask = 750
The force create mode and force directory mode are the counterpart of the masks. Where the mask is a logical AND, the force mode is a logical OR, so it adds permissions: use it to set the minimum permissions for newly created files and directories. Samba applies the mask first and the force mode afterwards, which means a bit set in the force mode ends up on the file even when the mask does not allow it.
[tennis]
path = /srv/samba/tennis
read only = No
guest ok = No
force create mode = 444
force directory mode = 550
The security mask and directory security mask work in the same way as create mask and directory mask, and the force security mode and force directory security mode work in the same way as force create mode and force directory mode, but they apply only when a Windows user changes permissions through the Windows security dialog box. These four parameters no longer exist in current Samba 4 releases; there the create mask, directory mask and force modes also govern permission changes made from the security dialog. Run testparm on your smb.conf to see whether your version still accepts them (it reports an unknown parameter if not).
With inherit permissions = yes you can force newly created files and directories to inherit permissions from their parent directory, overriding the create mask and directory mask settings.
[authwrite]
path = /srv/samba/authwrite
comment = authenticated users only
read only = no
guest ok = no
create mask = 600
directory mask = 555
inherit permissions = yes
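The mask and force mode parameters above interact in a way that is easy to misjudge when reading an smb.conf: the mask caps the requested mode, but the force mode is ORed in afterwards, so a force bit outside the mask still lands on disk. The script below is an added example, not Samba's code. It parses a constructed smb.conf fragment (built from the tennis and pubread shares on this page, with the two tennis variants merged into one share for illustration), applies Samba's documented arithmetic ((requested AND mask) OR force, with the documented defaults of create mask 744 and directory mask 755), and reports which force bits escape the mask. It assumes the mode Samba starts from is 0666 for files and 0777 for directories before the mask is applied; the DOS attribute mapping (map archive and friends) that can add execute bits is not modelled, and neither is inherit permissions. The same arithmetic applied to the security mask and force security mode parameters where a version still has them.

```python
"""Added example (not Samba's code): reproduce the create mask / force mode
arithmetic Samba applies to new files and directories, and flag force bits
that fall outside the mask. Defaults are Samba's documented defaults; the
smb.conf text is constructed for this example. Assumed starting modes:
0666 for files, 0777 for directories."""
import configparser

SAMPLE_SMB_CONF = """\
[tennis]
path = /srv/samba/tennis
read only = No
create mask = 640
directory mask = 750
force create mode = 444
force directory mode = 550

[pubread]
path = /srv/samba/readonly
read only = yes
guest ok = yes
"""

DEFAULTS = {"create mask": "744", "directory mask": "755",
            "force create mode": "0", "force directory mode": "0"}


def load_shares(text):
    """Parse smb.conf-style text into {share: {parameter: value}}.
    Keys are lower-cased, as smbd treats parameter names case-insensitively."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def octal(params, name):
    # Samba reads these parameters as octal whether or not they start with 0
    return int(params.get(name, DEFAULTS[name]), 8)


def effective_mode(requested, mask, force):
    """Samba: (requested AND mask) OR force. The mask removes bits, the
    force mode adds them, and the OR happens last."""
    return (requested & mask) | force


def new_file_mode(params, requested=0o666):
    return effective_mode(requested, octal(params, "create mask"),
                          octal(params, "force create mode"))


def new_dir_mode(params, requested=0o777):
    return effective_mode(requested, octal(params, "directory mask"),
                          octal(params, "force directory mode"))


def force_bits_outside_mask(params):
    """Bits a force mode sets that the matching mask does not allow. They
    still end up on disk, so a force mode can silently widen a share that
    its mask appears to restrict."""
    return {
        "file": octal(params, "force create mode") & ~octal(params, "create mask") & 0o7777,
        "directory": octal(params, "force directory mode") & ~octal(params, "directory mask") & 0o7777,
    }


if __name__ == "__main__":
    for name, params in load_shares(SAMPLE_SMB_CONF).items():
        print(f"[{name}] new file {new_file_mode(params):04o}, "
              f"new directory {new_dir_mode(params):04o}, "
              f"force bits outside mask {force_bits_outside_mask(params)}")
```

For the merged tennis share the output shows a new file at 0644 although the create mask is 640: the other-read bit comes from force create mode = 444 and is reported as a force bit outside the mask. When auditing an smb.conf, that report is the line to look at.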
1. Create a writable share called sales, and a readonly share called budget. Test that it works.
2. Limit access to the sales share to ann, sandra and veronique.
3. Make sure that roberto cannot access the sales share.
4. Even though the sales share is writable, ann should only have read access.
5. Even though the budget share is read only, sandra should also have write access.
6. Limit one shared directory to the 192.168.1.0/24 subnet, and another share to the two computers with ip-addresses 192.168.1.33 and 172.17.18.19.
7. Make sure the computer with ip 192.168.1.203 cannot access the budget share.
8. Make sure (on the budget share) that users can see only files and directories to which they have access.
9. Make sure the sales share is not visible when browsing the network.
10. All files created in the sales share should have 640 permissions or less.
11. All directories created in the budget share should have 750 permissions or more.
12. Permissions for files on the sales share should never be set more than 664.
13. Permissions for files on the budget share should never be set less than 500.
14. If time permits (or if you are waiting for other students to finish this practice), then combine the "read only" and "writable" statements to check which one has priority.
15. If time permits then combine "read list", "write list", "hosts allow" and "hosts deny". Which of these has priority?
1. Create a writable share called sales, and a readonly share called budget. Test that it works.
see previous solutions on how to do this...
2. Limit access to the sales share to ann, sandra and veronique.
valid users = ann, sandra, veronique
3. Make sure that roberto cannot access the sales share.
invalid users = roberto
4. Even though the sales share is writable, ann should only have read access.
read list = ann
5. Even though the budget share is read only, sandra should also have write access.
write list = sandra
6. Limit one shared directory to the 192.168.1.0/24 subnet, and another share to the two computers with ip-addresses 192.168.1.33 and 172.17.18.19.
hosts allow = 192.168.1.
hosts allow = 192.168.1.33, 172.17.18.19
7. Make sure the computer with ip 192.168.1.203 cannot access the budget share.
hosts deny = 192.168.1.203
Note that if the budget share also carries hosts allow = 192.168.1. (from exercise 6), this deny entry is never reached: hosts allow is checked first and already matches 192.168.1.203. In that case use the exception syntax inside hosts allow instead:
hosts allow = 192.168.1. except 192.168.1.203
8. Make sure (on the budget share) that users can see only files and directories to which they have access.
hide unreadable = yes
9. Make sure the sales share is not visible when browsing the network.
browsable = no
10. All files created in the sales share should have 640 permissions or less.
create mask = 640
11. All directories created in the budget share should have 750 permissions or more.
force directory mode = 750
12. Permissions for files on the sales share should never be set more than 664.
security mask = 664
(On a current Samba 4 server, which no longer has security mask, use create mask = 664 instead.)
13. Permissions for files on the budget share should never be set less than 500.
force security mode = 500
(On a current Samba 4 server, which no longer has force security mode, use force create mode = 500 instead.)
14. If time permits (or if you are waiting for other students to finish this practice), then combine the "read only" and "writable" statements to check which one has priority.
15. If time permits then combine "read list", "write list", "hosts allow" and "hosts deny". Which of these has priority?