12.3 Share Definition Access Controls


The following parameters in the smb.conf file sections define a share control or affect access controls. Before using any of the following options, please refer to the man page for smb.conf.

12.3.1 User and Group-Based Controls

User and group-based controls can prove quite useful. In some situations it is distinctly desirable to affect all file system operations as if a single user were doing so. The force user and force group parameters will achieve this. In other situations it may be necessary to effect a paranoia level of control to ensure that only particular authorized persons will be able to access a share or its contents. Here the valid users or the invalid users parameter may be most useful.

As always, it is highly advisable to use the least difficult to maintain and the least ambiguous method for controlling access. Remember, when you leave the scene someone else will need to provide assistance and if he finds too great a mess or does not understand what you have done, there is risk of Samba being removed and an alternative solution being adopted.

Table 12.2 enumerates these controls.

Table 12.2. User and Group Based Controls

| Control Parameter | Description - Action - Notes |
|---|---|
| admin users | List of users who will be granted administrative privileges on the share. They will do all file operations as the super-user (root). Any user in this list will be able to do anything they like on the share, irrespective of file permissions. |
| force group | Specifies a UNIX group name that will be assigned as the default primary group for all users connecting to this service. |
| force user | Specifies a UNIX user name that will be assigned as the default user for all users connecting to this service. This is useful for sharing files. Incorrect use can cause security problems. |
| guest ok | If this parameter is set for a service, then no password is required to connect to the service. Privileges will be those of the guest account. |
| invalid users | List of users that should not be allowed to login to this service. |
| only user | Controls whether connections with usernames not in the user list will be allowed. |
| read list | List of users that are given read-only access to a service. Users in this list will not be given write access, no matter what the read only option is set to. |
| username | Refer to the smb.conf man page for more information; this is a complex and potentially misused parameter. |
| valid users | List of users that should be allowed to login to this service. |
| write list | List of users that are given read-write access to a service. |
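
The following is an added example, not code from the HOWTO or the Samba project: a small Python audit that parses an smb.conf and lists, per share, the Table 12.2 parameters that widen access (admin users, force user, guest ok) plus shares where the same name appears in both valid users and invalid users. The sample file, share names and user names are constructed, and user-list parsing is simplified (no quoted names, no group expansion).

```python
import re

# Constructed smb.conf for illustration; share and user names are hypothetical.
SAMPLE = """\
[global]
   workgroup = EXAMPLE

[projects]
   valid users = @engineering

[scratch]
   guest ok = yes
   force user = root
   admin users = carol
   valid users = dave, erin
   invalid users = erin
"""

def parse_shares(text):
    """Return {section: {parameter: value}} with lowercased, space-normalised names."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = shares.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return shares

def users(value):
    return {u for u in re.split(r"[,\s]+", value or "") if u}  # split on commas/whitespace

def audit(shares):
    """Return sorted (share, parameter) pairs that deserve a manual review."""
    findings = []
    for name, p in shares.items():
        checks = {
            "admin users": bool(users(p.get("admin users"))),   # these users act as root
            "force user": bool(p.get("force user")),            # all access as one account
            "guest ok": p.get("guest ok", "").lower() in ("yes", "true", "1"),  # no password
            "valid users": bool(users(p.get("valid users")) & users(p.get("invalid users"))),
        }
        findings += [(name, param) for param, hit in checks.items() if hit and name != "global"]
    return sorted(findings)

print(audit(parse_shares(SAMPLE)))
```

A finding is a prompt to confirm the setting is intended, in line with the advice above to prefer the least ambiguous method of controlling access.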

12.3.2 File and Directory Permissions-Based Controls

The following file and directory permission-based controls, if misused, can make the causes of a misconfiguration very difficult to diagnose. Use them sparingly and carefully. By introducing them gradually, one at a time, undesirable side effects may be detected. In the event of a problem, always comment all of them out and then gradually reintroduce them in a controlled way.

Refer to Table 12.3 for information regarding the parameters that may be used to affect file and directory permission-based access controls.

12.3.3 Miscellaneous Controls

The following are documented because of the prevalence of administrators creating inadvertent barriers to file access by not understanding the full implications of smb.conf file settings. See Table 12.4.



Official Samba-3 HOWTO and Reference Guide
The Official Samba-3 HOWTO and Reference Guide, 2nd Edition
ISBN: 0131882228
EAN: 2147483647
Year: 2005
Pages: 297
