samba - Oct 2010 - how to prevent copying programs on local harddisk from samba share

Hello

Ia have samba PDC 3.3.8-0.52.el5_5.2 on centos 5.5. My clients - win XP 
PRO SP3.

I have noticed that some users copy from sama share whole catalog with 
program and run it from local drive where they got full access.
Write access for This share [geo$] is only for @geo group! Others can't 
write . So they are workaround this !

How can I prevent copying programs from samba shares to a local drives 
and run it from there? It is any possibility to secure programs and run 
it from samba shares only ?

Please help!

[global]
        workgroup = geodezja
        server string = Samba Server %v
        interfaces = 10.10.10.0/255.255.255.0 127.0.0.1
        bind interfaces only = Yes

        update encrypted = Yes
        client ntlmv2 auth = yes
        log level = 2 vfs:3 auth:2 passdb:3
        log file = /var/log/samba/%U.%m.log
        max log size = 500
#PERFORMANCE
        socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
        read raw = yes
        write raw = yes
        max xmit = 65535
        large readwrite = yes

        add user script = /usr/sbin/useradd "%u" -n -g users
        add group script = /usr/sbin/groupadd "%g"
        add machine script = /usr/sbin/useradd -n -c "komputer (%u)"
-M -d
/nohome -s /bin/false "%u"
#       add machine script = /usr/sbin/useradd -g komputery -d /dev/null 
-s /bin/false -M "%u"


        logon script = %G.CMD

        logon path         logon home         domain logons = yes
        os level = 128
        preferred master = yes
        domain master = yes
        local master = yes
        remote browse sync = none
        remote announce = none
        dns proxy = No
        wins support = yes
        name resolve order = wins hosts bcast
        hosts allow = 10.10.10.0/255.255.255.0 127.0.0.1
        hosts deny = ALL
        security = user
        null passwords = no
        deadtime = 0
        map to guest = never
        create mask = 0777
        nt acl support = no
        time server = yes
        enable privileges = yes
        passdb backend = tdbsam
        username map = /etc/samba/smbusers
        hide dot files = yes
        guest ok = no
        name cache timeout = 60


[geo$]
        comment = Mapa
#       oplock = yes
#       level2oplocks = yes
#       locking = yes
        invalid users = @geodeta, at ewidencja,
        write list = +geo
        path = /home/samba/geo
        force group = geo
        force create mode = 0777
        vfs object = recycle full_audit
        recycle:repository = .recycle/%U
        recycle:touch = true
        recycle:keeptree = true
        recycle:versions = false
        recycle:exclude = *.TMP *.STP
        recycle:directory_mode = 773
        full_audit:prefix = %u|%m|%I|%S
        full_audit:success = read pwrite write rename unlink rmdir mkdir lock 
pread
        full_audit:failure = read write

> How can I prevent copying programs from samba shares to a local drives and
run it from there? It is any possibility to secure programs and run it from
samba shares only ?
This would need to be implemented on the client. As far as samba is concerned
there is no difference between copying a file and running it. I've never
used it myself, but Windows can be locked down to only run specific programs.

Out of curiosity, what does the program do that your users want to be able to
write to it?

Michael Heydon

I think you can restrict users of installing programs with policies but you
cannot restrict of running a executable which does no install at all  

-----------------------------------------------
EDV Daniel M?ller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 T?bingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------

-----Urspr?ngliche Nachricht-----
Von: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
Im
Auftrag von Hubert Choma
Gesendet: Donnerstag, 14. Oktober 2010 08:48
An: samba
Betreff: [Samba] how to prevent copying programs on local harddisk from
samba share

Hello

Ia have samba PDC 3.3.8-0.52.el5_5.2 on centos 5.5. My clients - win XP 
PRO SP3.

I have noticed that some users copy from sama share whole catalog with 
program and run it from local drive where they got full access.
Write access for This share [geo$] is only for @geo group! Others can't 
write . So they are workaround this !

How can I prevent copying programs from samba shares to a local drives 
and run it from there? It is any possibility to secure programs and run 
it from samba shares only ?

Please help!

[global]
        workgroup = geodezja
        server string = Samba Server %v
        interfaces = 10.10.10.0/255.255.255.0 127.0.0.1
        bind interfaces only = Yes

        update encrypted = Yes
        client ntlmv2 auth = yes
        log level = 2 vfs:3 auth:2 passdb:3
        log file = /var/log/samba/%U.%m.log
        max log size = 500
#PERFORMANCE
        socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
        read raw = yes
        write raw = yes
        max xmit = 65535
        large readwrite = yes

        add user script = /usr/sbin/useradd "%u" -n -g users
        add group script = /usr/sbin/groupadd "%g"
        add machine script = /usr/sbin/useradd -n -c "komputer (%u)"
-M -d
/nohome -s /bin/false "%u"
#       add machine script = /usr/sbin/useradd -g komputery -d /dev/null 
-s /bin/false -M "%u"


        logon script = %G.CMD

        logon path         logon home         domain logons = yes
        os level = 128
        preferred master = yes
        domain master = yes
        local master = yes
        remote browse sync = none
        remote announce = none
        dns proxy = No
        wins support = yes
        name resolve order = wins hosts bcast
        hosts allow = 10.10.10.0/255.255.255.0 127.0.0.1
        hosts deny = ALL
        security = user
        null passwords = no
        deadtime = 0
        map to guest = never
        create mask = 0777
        nt acl support = no
        time server = yes
        enable privileges = yes
        passdb backend = tdbsam
        username map = /etc/samba/smbusers
        hide dot files = yes
        guest ok = no
        name cache timeout = 60


[geo$]
        comment = Mapa
#       oplock = yes
#       level2oplocks = yes
#       locking = yes
        invalid users = @geodeta, at ewidencja,
        write list = +geo
        path = /home/samba/geo
        force group = geo
        force create mode = 0777
        vfs object = recycle full_audit
        recycle:repository = .recycle/%U
        recycle:touch = true
        recycle:keeptree = true
        recycle:versions = false
        recycle:exclude = *.TMP *.STP
        recycle:directory_mode = 773
        full_audit:prefix = %u|%m|%I|%S
        full_audit:success = read pwrite write rename unlink rmdir mkdir
lock 
pread
        full_audit:failure = read write


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba