|
105.
|
|
|
The <application>setfacl</application> command above gives <emphasis>execute</emphasis> permissions to all files in the <filename>/srv/samba/share</filename> directory, which you may or may not want.
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:627(para)
|
|
106.
|
|
|
Now from a Windows client you should notice the new file permissions are implemented. See the <application>acl</application> and <application>setfacl</application> man pages for more information on POSIX ACLs.
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:633(para)
|
|
108.
|
|
|
Ubuntu comes with the <application>AppArmor</application> security module, which provides mandatory access controls. The default AppArmor profile for Samba will need to be adapted to your configuration. For more details on using AppArmor see <xref linkend="apparmor"/>.
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:643(para)
|
|
109.
|
|
|
There are default AppArmor profiles for <filename>/usr/sbin/smbd</filename> and <filename>/usr/sbin/nmbd</filename>, the Samba daemon binaries, as part of the <application>apparmor-profiles</application> packages. To install the package, from a terminal prompt enter:
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:649(para)
|
|
111.
|
|
|
This package contains profiles for several other binaries.
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:660(para)
|
|
112.
|
|
|
By default the profiles for <application>smbd</application> and <application>nmbd</application> are in <emphasis>complain</emphasis> mode allowing Samba to work without modifying the profile, and only logging errors. To place the <application>smbd</application> profile into <emphasis>enforce</emphasis> mode, and have Samba work as expected, the profile will need to be modified to reflect any directories that are shared.
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:665(para)
|
|
113.
|
|
|
Edit <filename>/etc/apparmor.d/usr.sbin.smbd</filename> adding information for <emphasis>[share]</emphasis> from the file server example:
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:672(para)
|
|
115.
|
|
|
Now place the profile into <emphasis>enforce</emphasis> and reload it:
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:682(para)
|
|
118.
|
|
|
You should now be able to read, write, and execute files in the shared directory as normal, and the <application>smbd</application> binary will have access to only the configured files and directories. Be sure to add entries for each directory you configure Samba to share. Also, any errors will be logged to <filename>/var/log/syslog</filename>.
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:691(para)
|
|
121.
|
|
|
For more information on Samba and ACLs see the <ulink url="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html#id397568">Samba ACLs page </ulink>.
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:728(para)
|