[CentOS] Using Samba to share Apache web root, securely

Tue Aug 9 20:33:30 UTC 2011
Craig White <craig.white at ttiltd.com>

On Aug 9, 2011, at 10:32 AM, Trey Dockendorf wrote:

> 
> 
> On Tue, Aug 9, 2011 at 11:54 AM, Craig White <craig.white at ttiltd.com> wrote:
> 
> On Aug 9, 2011, at 9:02 AM, Les Mikesell wrote:
> 
> > On 8/9/2011 10:44 AM, Craig White wrote:
> >>
> >>> There's probably a way to add apache to that group with a configuration
> >>> on the local machine so it doesn't have to query your ADS/NMB server.
> >>> Not sure about the details but the docs at http://samba.org/samba/docs/
> >>> are invaluable.
> >> ----
> >> I'm quite sure that if all the files are owned by the 'department_a' group and 'readable' by user apache as I have indicated, they should be with the given configuration, there's absolutely no need to do any mucking with local users or groups at all.
> >>
> >> The reality is that this machine will query AD/NMB server each time a non-local user does anything on this system (read or write) and the only thing that will lighten that load is something like NSCD (good luck with that - not always a great option with samba).
> >
> > Really? I thought samba would map a connection to a uid at connect time.
> ----
> indeed it does but that doesn't mean that the system won't keep polling the authoritative account info source.
> ----
> >
> >> There are two important features of what I proposed...
> >> - sgid means that all files/folders created within will always belong to department_a group
> >
> > You can also do a 'force group' in the samba config for a share instead
> > of or besides the sgid directory.
> ----
> true but:
> 1 - force anything seems to be a little heavy handed
> 2 - using sgid means that anyone using a shell will also create files/directories with the same group - using 'force group' only has implications for samba connections. Using sgid encompasses all methods of access.
> ----
> >
> >> - create mask 664 & directory mask 775 means that each file & directory created - group will always get rw privileges and everyone else (ie user apache) has 'read' privileges.
> >>
> >> The only weakness of this theory as I see it, is that there very well may be files - perhaps config files that you wouldn't want anyone to be able to see and you probably will have to have some <Directory> restrictions in Apache's configuration to prevent web users from accessing them.
> >
> > There are also likely situations where the web server needs write
> > access, although those cases should be handled carefully or avoided
> > where possible.
> 
> ----
> indeed
> 
> Craig
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
> 
> 
> Excellent advice thank you!!!
> 
> I was very close to the same conclusion, but have never messed with SGID, but that definitely helps especially as I make changes on the command line side while my users do it via Samba.
> 
> Also a side note...NONE of this will work if you're testing creating files from a Mac.  You have to add "unix extensions = no" to the Samba global config section.  Once I did that the create mask and directory mask options began to work.
> 
> Now I have a new requirement passed to me, which is a bit more complicated.
> 
> How would I allow individual users the ability only to access specific subfolders within that share without them being a part of the department_a group?  My initial idea was to make use of ACLs, but if the POSIX permissions don't allow them write access, then ACLs won't help, will they?  The model is I need users of group department_a to have full control over this share while allowing individual faculty members to access only their personal folders within this share.
----
you really should have been able to fix this one yourself.

you can use any combination of 'read list' and 'write list' including multiple groups within the share definition; of course these govern the whole share itself. Or you can use Windows ACLs to set individual file/folder permissions (but that tends to be confusing for many people).

Another option is to create a new share for the 'read only' users and just create symbolic links inside the read only share for those users.

generally, I encourage Macintosh users to use 'netatalk' (AFP over TCP/IP) shares which are probably the same shares with almost identical configuration details but the current version of netatalk is awfully difficult to get installed on CentOS 5 - probably easier on CentOS 6 but I've made the switch to Ubuntu for newer installs. Of course then you have to add 'veto files' on samba because Macintoshes leave a lot of clutter behind on a server. The notion of a Macintosh having to resort to Windows protocol to use a Linux server is rather ugly.

Craig
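The setup this thread converges on (an sgid directory owned by the department group, 664/775 masks so apache reads as "other", 'unix extensions = no' for Mac clients, and 'read list'/'write list' for a second group that must not join department_a), as an added example that is not from the thread, from CentOS, or from the Samba project: a POSIX shell script that builds such a tree in a throwaway directory, checks that group ownership and the sgid bit propagate to what gets created underneath, and prints a matching smb.conf fragment. department_a is the group named in the thread; faculty, the [webroot] share name and the paths are constructed placeholders, and the tree is built with the caller's own primary group so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the thread: build the shared web root the way the
# discussion describes (department group owns the tree, sgid on directories so
# every new file/dir inherits the group whether it came from a shell or from
# Samba, "other" = apache gets read-only) and emit the matching smb.conf.

# Create the share root with the sgid bit so that everything created beneath it
# belongs to the department group, no matter which access method created it.
setup_webroot() {
    root="$1"; grp="$2"
    mkdir -p "$root" || return 1
    chgrp "$grp" "$root" || return 1
    chmod 2775 "$root"          # rwxrwsr-x: group rw + sgid, others read/traverse
}

# Shell-side counterpart of "create mask = 664 / directory mask = 775": sgid fixes
# the group, but for shell users the umask decides group-write, so use 002 here.
create_in_webroot() {
    (umask 002 && mkdir -p "$(dirname "$1")" && : > "$1")
}

# Group owner of a path (parses ls -ld so it works without GNU stat).
group_of() {
    ls -ld "$1" | awk '{print $4}'
}

# Succeed only if the path is owned by the group and, for directories, still
# carries sgid (a directory made inside an sgid directory inherits the bit).
check_inherit() {
    path="$1"; grp="$2"
    [ "$(group_of "$path")" = "$grp" ] || return 1
    if [ -d "$path" ]; then
        [ -g "$path" ] || return 1
    fi
}

# Succeed if the group-write bit (6th character of ls -ld output) is set.
has_group_write() {
    case "$(ls -ld "$1" | cut -c6)" in w) return 0 ;; *) return 1 ;; esac
}

# Print the Samba configuration matching the thread: unix extensions off for Mac
# clients, masks that yield 664/775, read/write lists so a second group
# ("faculty", a constructed name) can read without joining the department group,
# and veto files for the clutter Mac clients leave behind.
smb_conf_for() {
    root="$1"; grp="$2"; ro_grp="$3"
    cat <<EOF
[global]
    unix extensions = no

[webroot]
    path = $root
    valid users = @$grp @$ro_grp
    write list = @$grp
    read list = @$ro_grp
    create mask = 0664
    directory mask = 0775
    veto files = /.DS_Store/._*/
EOF
}

# Usage when run directly ("sh script.sh demo"): build a throwaway tree with the
# caller's own primary group, verify inheritance, and print the config.
if [ "${1:-}" = "demo" ]; then
    t=$(mktemp -d); g=$(id -gn)
    setup_webroot "$t/webroot" "$g"
    create_in_webroot "$t/webroot/sub/index.html"
    check_inherit "$t/webroot/sub" "$g" && echo "sgid inheritance OK for $t/webroot/sub"
    smb_conf_for "$t/webroot" department_a faculty
fi
```

The sgid bit only settles group ownership; it says nothing about the mode bits. Samba's create/directory masks handle that for SMB clients, while anyone working in a shell on the same tree needs umask 002 (as create_in_webroot does) or group members will get 644 files they cannot edit. Per-folder access for individual faculty members is not covered here; as the reply says, 'read list' and 'write list' apply to the whole share, so that case needs either a separate share or ACLs.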