Changeset 745 for trunk/server/docs/htmldocs/Samba3-HOWTO/securing-samba.html

Timestamp:

Nov 27, 2012, 4:43:17 PM (13 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: updated trunk to 3.6.0

Location:

trunk/server

Files:

• . (modified) (1 prop)
• docs/htmldocs/Samba3-HOWTO/securing-samba.html (modified) (12 diffs)

trunk/server/docs/htmldocs/Samba3-HOWTO/securing-samba.html

@@ -4 +4 @@
 <a class="indexterm" name="id385281"></a>
 <a class="indexterm" name="id385288"></a>
-<a class="indexterm" name="id385294"></a>
+<a class="indexterm" name="id385295"></a>
 <a class="indexterm" name="id385301"></a>
 <a class="indexterm" name="id385308"></a>
@@ -27 +27 @@
 <a class="indexterm" name="id385368"></a>
 <a class="indexterm" name="id385375"></a>
-<a class="indexterm" name="id385381"></a>
+<a class="indexterm" name="id385382"></a>
 There are three levels at which security principles must be observed in order to render a site
 at least moderately secure. They are the perimeter firewall, the configuration of the host
@@ -67 +67 @@
         </p><p>
 <a class="indexterm" name="id385535"></a>
-<a class="indexterm" name="id385541"></a>
+<a class="indexterm" name="id385542"></a>
         One of the simplest fixes in this case is to use the <a class="link" href="smb.conf.5.html#HOSTSALLOW" target="_top">hosts allow</a> and
         <a class="link" href="smb.conf.5.html#HOSTSDENY" target="_top">hosts deny</a> options in the Samba <code class="filename">smb.conf</code> configuration file to
         allow access to your server only from a specific range of hosts. An example might be:
-        </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id385585"></a><em class="parameter"><code>hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24</code></em></td></tr><tr><td><a class="indexterm" name="id385597"></a><em class="parameter"><code>hosts deny = 0.0.0.0/0</code></em></td></tr></table><p>
+        </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id385586"></a><em class="parameter"><code>hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24</code></em></td></tr><tr><td><a class="indexterm" name="id385597"></a><em class="parameter"><code>hosts deny = 0.0.0.0/0</code></em></td></tr></table><p>
         </p><p>
 <a class="indexterm" name="id385612"></a>
 <a class="indexterm" name="id385619"></a>
-<a class="indexterm" name="id385625"></a>
+<a class="indexterm" name="id385626"></a>
         The above will allow SMB connections only from <code class="constant">localhost</code> (your own
         computer) and from the two private networks 192.168.2 and 192.168.3. All other
@@ -90 +90 @@
         </p></div><div class="sect2" title="Using Interface Protection"><div class="titlepage"><div><div><h3 class="title"><a name="id385704"></a>Using Interface Protection</h3></div></div></div><p>
 <a class="indexterm" name="id385712"></a>
-<a class="indexterm" name="id385718"></a>
+<a class="indexterm" name="id385719"></a>
 <a class="indexterm" name="id385725"></a>
         By default, Samba accepts connections on any network interface that
@@ -109 +109 @@
         the common name for Ethernet adapters on Linux.
         </p><p>
-<a class="indexterm" name="id385817"></a>
+<a class="indexterm" name="id385818"></a>
 <a class="indexterm" name="id385824"></a>
-<a class="indexterm" name="id385830"></a>
+<a class="indexterm" name="id385831"></a>
 <a class="indexterm" name="id385837"></a>
         If you use the above and someone tries to make an SMB connection to your host over a PPP interface called
@@ -120 +120 @@
         </p><p>
 <a class="indexterm" name="id385855"></a>
-<a class="indexterm" name="id385861"></a>
+<a class="indexterm" name="id385862"></a>
 <a class="indexterm" name="id385868"></a>
 <a class="indexterm" name="id385875"></a>
@@ -150 +150 @@
         </p><p>
 <a class="indexterm" name="id386006"></a>
-<a class="indexterm" name="id386012"></a>
+<a class="indexterm" name="id386013"></a>
 <a class="indexterm" name="id386019"></a>
         When configuring a firewall, the high order ports (1024-65535) are often used for outgoing connections and
@@ -156 +156 @@
         ports except for established connections.
         </p></div><div class="sect2" title="Using IPC$ Share-Based Denials"><div class="titlepage"><div><div><h3 class="title"><a name="id386031"></a>Using IPC$ Share-Based Denials </h3></div></div></div><p>
-<a class="indexterm" name="id386038"></a>
+<a class="indexterm" name="id386039"></a>
 <a class="indexterm" name="id386045"></a>
 <a class="indexterm" name="id386052"></a>
@@ -167 +167 @@
         </p><p>
 <a class="indexterm" name="id386106"></a>
-<a class="indexterm" name="id386112"></a>
-<a class="indexterm" name="id386119"></a>
+<a class="indexterm" name="id386113"></a>
+<a class="indexterm" name="id386120"></a>
         This instructs Samba that IPC$ connections are not allowed from anywhere except the two listed network
         addresses (localhost and the 192.168.115 subnet). Connections to other shares are still allowed. Because the
@@ -176 +176 @@
 <a class="indexterm" name="id386133"></a>
 <a class="indexterm" name="id386140"></a>
-<a class="indexterm" name="id386146"></a>
+<a class="indexterm" name="id386147"></a>
         If you use this method, then clients will be given an <code class="literal">`access denied'</code> reply when they try
         to access the IPC$ share. Those clients will not be able to browse shares and may also be unable to access
@@ -234 +234 @@
         User xyzzy can map his home directory. Once mapped, user xyzzy can also map anyone else's home directory.
         </span>&#8221;</span></p><p>
-<a class="indexterm" name="id386328"></a>
+<a class="indexterm" name="id386329"></a>
 <a class="indexterm" name="id386335"></a>
         This is not a security flaw, it is by design. Samba allows users to have exactly the same access to the UNIX
@@ -241 +241 @@
         </p><p>
 <a class="indexterm" name="id386348"></a>
-<a class="indexterm" name="id386354"></a>
+<a class="indexterm" name="id386355"></a>
         If your UNIX home directories are set up so that one user can happily <code class="literal">cd</code>
         into another user's directory and execute <code class="literal">ls</code>, the UNIX security solution is to change file