Controlling Access to Shares
Often you will need to restrict the users who can access a specific share for security reasons. This is very easy to do with Samba because it contains a wealth of options for creating practically any security configuration. Let’s introduce a few configurations that you might want to use in your own Samba setup.
We’ve seen what happens when you specify valid
users. However, you are also allowed to specify a list of
invalid users—users who should never be
allowed access to Samba or its shares. This is done with the
invalid
users
option. We hinted at one frequent use of this option earlier: a
global default with the [homes]
section to ensure
that various system users and superusers cannot be forged for access.
For example:
[global] invalid users = root bin daemon adm sync shutdown \ halt mail news uucp operator auto services = dave peter bob [homes] browsable = no writable = yes
The invalid
users
option, like
valid
users
, can take group
names, preceded by an at sign (@
), as well as
usernames. In the event that a user or group appears in both lists,
the invalid
users
option takes
precedence, and the user or group is denied access to the share.
At the other end of the spectrum, you can explicitly specify users
who will be allowed
superuser (root) access to a share with
the admin
users
option. An example follows:
[sales] path = /home/sales comment = Sedona Real Estate Sales Data writable = yes valid users = sofie shelby adilia admin users = mike
This option ...
Get Using Samba, Second Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.