  fcisler Premium join:2004-06-14 Riverhead, NY
| samba and permissions
This does not make sense to me....
My login name is NOT vanessa....but via samba...I can still get into the directory?
If I attempt to get into this directory via a SSH session, I get an access denied...what gives?
Here's the pertinent samba chunk of config:
I've been through this once...and don't remember what the end result was.
Previously, all the files were owned by "root", and force user = root.
What am I missing here?
(BTW, directory randomly chosen - at the top of the list) |
|
  Zaber When all are gone, there shall be none
join:2000-06-08 Cleveland, OH
| Never used the force user setting in samba. Can all samba accounts get into this directory or just yours? What does smbstatus say if you open a file (what is your user)? Samba can map a user to root and give root permissions. -- Give a man a fish and he eats for a day, teach a man to fish and he will feed himself for a lifetime |
|
  yock Eschew the False Dichotomy Premium join:2000-11-21 Fairfield, OH
| reply to fcisler It's set to public via SMB, so that's why you're able to reach it there, but SSH will follow standard Unix file permissions.
Is "vanessa" a valid login on your system? Samba might be compromised. -- Laughter is the closest distance between two people. --Victor Borge "The opposite of war isn't peace, it's creation." |
|
  fcisler Premium join:2004-06-14 Riverhead, NY
edit: July 12th, @04:33PM
| vanessa is a valid user on the system, no login permissions, though.
This server is firewalled, and I'm 99% sure that it's not compromised. It's not accessible by anything but internal.
I force the user setting in this because otherwise it's whatever user is copying files to here, and that isn't what I want.
Here's what smbstatus says:
It shows my username logged in and using "share".
EDIT: commenting out public = yes and setting public = no does nothing either. AFAIK, "public" controlled whether a share was seen when going to the server via \\server. Similar to in Windows how a share$ (money sign) made the share hidden. |
|
  yock Eschew the False Dichotomy Premium join:2000-11-21 Fairfield, OH
| If vanessa is a valid user, then disregard my comments about compromise.
Did you restart Samba after you commented out the public directive? -- Laughter is the closest distance between two people. --Victor Borge "The opposite of war isn't peace, it's creation." |
|
  fcisler Premium join:2004-06-14 Riverhead, NY | Yes, samba was restarted (/usr/local/etc/rc.d/samba restart) between each test. |
|
 spk037
join:2006-09-02 Orlando, FL | reply to fcisler force user option will cause everything written to the dir to be written as that user. To allow only certain users to access the share you can use the "valid users =" line. |
|
  fcisler Premium join:2004-06-14 Riverhead, NY
| Yes, that was the impression I got of force user =.
AFAIK, force user is only for WRITING - it does not imply that when I attempt to access something, I am also accessing it as that user....am I correct in that assumption?
I'm still not sure as to why I can get into this share without appropriate permissions? |
|
 spk037
join:2006-09-02 Orlando, FL
| I notice that sometimes other users can browse the dir in read only mode even if they don't have rw rights to that dir, if they are a valid samba user. If I use the valid users = line in the share, that seems to stop all others from browsing the dir. |
|
  fcisler Premium join:2004-06-14 Riverhead, NY | Setting valid users had no effect. I also have full permissions to that directory when set to above permissions. |
|
  jimkyle Btrieve Guy Premium join:2002-10-20 Oklahoma City, OK | Is it possible that your User ID number has gotten set to 0, making you effectively "root" at all times? That would explain what is happening... -- Jim Kyle |
|
  fcisler Premium join:2004-06-14 Riverhead, NY | My UID is 1001 (first account, BSD anyway).
I am a member of wheel though. |
|
  jimkyle Btrieve Guy Premium join:2002-10-20 Oklahoma City, OK | That just might do it too; I'm not familiar with how BSD treats the wheel group... -- Jim Kyle |
|
  fcisler Premium join:2004-06-14 Riverhead, NY | reply to fcisler IIRC, OpenBSD required you to be in wheel to SU (although it could be FreeBSD or me being confused). Either way, I got used to adding MY account to wheel.
I'll remove myself later tonight and see. |
|
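Added example, not part of any post in the thread: a small audit of the share settings discussed above (force user, public, valid users). Per the smb.conf documentation, once a connection is made Samba performs all file operations on the share as the forced user, so Unix permissions are checked against that account rather than the connecting one, and "public" is a synonym for "guest ok". The sample config is constructed because the poster's smb.conf is not shown; the share name "share" and user "vanessa" come from the thread, while the paths and the "locked" share are hypothetical.

```python
import configparser

# Constructed sample; the poster's real smb.conf is not shown in the thread.
SAMPLE_CONF = """
[global]
    workgroup = WORKGROUP

[share]
    path = /data/share
    public = yes
    writable = yes
    force user = vanessa

[locked]
    path = /data/locked
    guest ok = no
    valid users = alice bob
"""

TRUE = {"yes", "true", "1"}

def audit_shares(conf_text):
    """Return {share: [finding, ...]} for settings that bypass per-user Unix checks."""
    # Strip indentation so configparser does not read indented lines as continuations.
    text = "\n".join(line.strip() for line in conf_text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for name in cp.sections():
        if name.lower() == "global":
            continue
        opts = cp[name]
        findings = []
        forced = opts.get("force user", "").strip()
        if forced:
            # File operations run as this account, whoever connected.
            findings.append("force-user:" + forced)
        # "public" is a synonym for "guest ok".
        guest = opts.get("guest ok", opts.get("public", "no"))
        if guest.strip().lower() in TRUE:
            findings.append("guest-ok")
        if not opts.get("valid users", "").strip():
            findings.append("no-valid-users")
        report[name] = findings
    return report

if __name__ == "__main__":
    for share, findings in audit_shares(SAMPLE_CONF).items():
        print(share, findings or "ok")
```

A share that reports both a force-user finding and no-valid-users is reachable by any account Samba authenticates, with the forced user's filesystem rights.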