Samba - Share Access Control

Share Access Control

There are several options available to control access for each individual shared directory. Using the [share] example, this section will cover some common options.

Groups

Groups define a collection of users which have a common level of access to particular network resources and offer a level of granularity in controlling access to such resources. For example, if a group qa is defined and contains the users freda, danika, and rob and a second group support is defined and consists of users danika, jeremy, and vincent then certain network resources configured to allow access by the qa group will subsequently enable access by freda, danika, and rob, but not jeremy or vincent. Since the user danika belongs to both the qa and support groups, she will be able to access resources configured for access by both groups, whereas all other users will have only access to resources explicitly allowing the group they are part of.

When mentioning groups in the Samba configuration file, /etc/samba/smb.conf, the recognized syntax is to preface the group name with an “@” symbol. For example, if you wished to use a group named sysadmin in a certain section of the /etc/samba/smb.conf, you would do so by entering the group name as @sysadmin. if a group name has a space in it, use double quotes, like "@LTS Releases".

Read and Write Permissions

Read and write permissions define the explicit rights a computer or user has to a particular share. Such permissions may be defined by editing the /etc/samba/smb.conf file and specifying the explicit permissions inside a share.

For example, if you have defined a Samba share called share and wish to give read-only permissions to the group of users known as qa, but wanted to allow writing to the share by the group called sysadmin and the user named vincent, then you could edit the /etc/samba/smb.conf file, and add the following entries under the [share] entry:

    read list = @qa
    write list = @sysadmin, vincent

Another possible Samba permission is to declare administrative permissions to a particular shared resource. Users having administrative permissions may read, write, or modify any information contained in the resource the user has been given explicit administrative permissions to.

For example, if you wanted to give the user melissa administrative permissions to the share example, you would edit the /etc/samba/smb.conf file, and add the following line under the [share] entry:

    admin users = melissa

After editing /etc/samba/smb.conf, reload Samba for the changes to take effect:

sudo smbcontrol smbd reload-config

Now that Samba has been configured to limit which groups have access to the shared directory, the filesystem permissions need to be checked.

Traditional Linux file permissions do not map well to Windows NT Access Control Lists (ACLs). Fortunately POSIX ACLs are available on Ubuntu servers providing more fine grained control. For example, to enable ACLs on /srv an EXT3 filesystem, edit /etc/fstab adding the acl option:

UUID=66bcdd2e-8861-4fb0-b7e4-e61c569fe17d /srv  ext3    noatime,relatime,acl 0       1

Then remount the partition:

sudo mount -v -o remount /srv

Note

The above example assumes /srv on a separate partition. If /srv, or wherever you have configured your share path, is part of the / partition a reboot may be required.

To match the Samba configuration above the sysadmin group will be given read, write, and execute permissions to /srv/samba/share, the qa group will be given read and execute permissions, and the files will be owned by the username melissa. Enter the following in a terminal:

sudo chown -R melissa /srv/samba/share/
sudo chgrp -R sysadmin /srv/samba/share/
sudo setfacl -R -m g:qa:rx /srv/samba/share/

Note

The setfacl command above gives execute permissions to all files in the /srv/samba/share directory, which you may or may not want.

Now from a Windows client you should notice the new file permissions are implemented. See the acl and setfacl man pages for more information on POSIX ACLs.

Resources

I suggest changing ??? to a link on the documentation https://ubuntu.com/server/docs/security-users.

Thanks.

2 Likes

@tomislavp

Thank you for your feedback. Sorry this took so long, but we’ve been working through lots of feedback received on these docs. The link you mentioned has been fixed. As the feedback is incorporated, we’ll delete the feedback comments to clean up in about a month from now.