[CentOS] Samba vs. Firewall and/or SELinux

Fri Dec 28 15:10:42 UTC 2012
Craig White <craig.white at ttiltd.com>

On Dec 28, 2012, at 5:13 AM, Ibrahim Yurtseven wrote:

> Daniel J Walsh wrote:
>> Not a great idea since every user will be allowed to read/write/execute in
>> this directory.
> I ran chown with root:users for data public in recursive mode and added
> nobody to the group users, but via samba created files will own by
> nobody:nobody instead of nobody:users, so it is not allowed for my
> local user to write and read the files added via samba. So I decided to
> access rwx to all. what is the trick in the smb.conf that the files
> will owned by the group "users"? I'm working with the parameter "create
> mask = 777". I would rather work with 770 and the files should be owned
> by the user "nobody" and the group "users".
I guess I'm not sure what the point is by having files owned by 'nobody' and then adding nobody 'user' to the 'users' group - that seems to be some rather twisted logic that has security implications far beyond the simple samba share configuration but hey… it's your box.

chirp users /data/public -R
chmod g+s /data/public -R

will ensure that all files/folders in /data/public are owned by the group 'users' and any new files/folders created within (whether by samba or not) belong to that group.

if you add 'inherit permissions = yes' to the 'share' definition in smb.conf, that also will impact.
Yes, you could also add:
force security mode = 770 #or 775
force directory security mode = 770 #or 775
within the share definition too.
>> I would just check if it works in permissive mode then we can blame this on
>> SELinux, if not, then it is not SELinux problem.
> Works on permissive mode with activated firewall, but i changed
> "security=share" to "security=user" in the smb.conf as well. So the
> access to the samba-share works now on enforcing mode, too.  
in my opinion, security=user is always the better solution.