Hubert Choma
2010-Oct-14 06:48 UTC
[Samba] how to prevent copying programs on local harddisk from samba share
Hello
Ia have samba PDC 3.3.8-0.52.el5_5.2 on centos 5.5. My clients - win XP
PRO SP3.
I have noticed that some users copy from sama share whole catalog with
program and run it from local drive where they got full access.
Write access for This share [geo$] is only for @geo group! Others can't
write . So they are workaround this !
How can I prevent copying programs from samba shares to a local drives
and run it from there? It is any possibility to secure programs and run
it from samba shares only ?
Please help!
[global]
workgroup = geodezja
server string = Samba Server %v
interfaces = 10.10.10.0/255.255.255.0 127.0.0.1
bind interfaces only = Yes
update encrypted = Yes
client ntlmv2 auth = yes
log level = 2 vfs:3 auth:2 passdb:3
log file = /var/log/samba/%U.%m.log
max log size = 500
#PERFORMANCE
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
read raw = yes
write raw = yes
max xmit = 65535
large readwrite = yes
add user script = /usr/sbin/useradd "%u" -n -g users
add group script = /usr/sbin/groupadd "%g"
add machine script = /usr/sbin/useradd -n -c "komputer (%u)"
-M -d
/nohome -s /bin/false "%u"
# add machine script = /usr/sbin/useradd -g komputery -d /dev/null
-s /bin/false -M "%u"
logon script = %G.CMD
logon path logon home domain logons = yes
os level = 128
preferred master = yes
domain master = yes
local master = yes
remote browse sync = none
remote announce = none
dns proxy = No
wins support = yes
name resolve order = wins hosts bcast
hosts allow = 10.10.10.0/255.255.255.0 127.0.0.1
hosts deny = ALL
security = user
null passwords = no
deadtime = 0
map to guest = never
create mask = 0777
nt acl support = no
time server = yes
enable privileges = yes
passdb backend = tdbsam
username map = /etc/samba/smbusers
hide dot files = yes
guest ok = no
name cache timeout = 60
[geo$]
comment = Mapa
# oplock = yes
# level2oplocks = yes
# locking = yes
invalid users = @geodeta, at ewidencja,
write list = +geo
path = /home/samba/geo
force group = geo
force create mode = 0777
vfs object = recycle full_audit
recycle:repository = .recycle/%U
recycle:touch = true
recycle:keeptree = true
recycle:versions = false
recycle:exclude = *.TMP *.STP
recycle:directory_mode = 773
full_audit:prefix = %u|%m|%I|%S
full_audit:success = read pwrite write rename unlink rmdir mkdir lock
pread
full_audit:failure = read write
Michael Heydon
2010-Oct-14 07:02 UTC
[Samba] how to prevent copying programs on local harddisk from samba share
> How can I prevent copying programs from samba shares to a local drives and run it from there? It is any possibility to secure programs and run it from samba shares only ?This would need to be implemented on the client. As far as samba is concerned there is no difference between copying a file and running it. I've never used it myself, but Windows can be locked down to only run specific programs. Out of curiosity, what does the program do that your users want to be able to write to it? Michael Heydon
Daniel Müller
2010-Oct-14 08:19 UTC
[Samba] how to prevent copying programs on local harddisk from samba share
I think you can restrict users of installing programs with policies but you
cannot restrict of running a executable which does no install at all
-----------------------------------------------
EDV Daniel M?ller
Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 T?bingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------
-----Urspr?ngliche Nachricht-----
Von: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
Im
Auftrag von Hubert Choma
Gesendet: Donnerstag, 14. Oktober 2010 08:48
An: samba
Betreff: [Samba] how to prevent copying programs on local harddisk from
samba share
Hello
Ia have samba PDC 3.3.8-0.52.el5_5.2 on centos 5.5. My clients - win XP
PRO SP3.
I have noticed that some users copy from sama share whole catalog with
program and run it from local drive where they got full access.
Write access for This share [geo$] is only for @geo group! Others can't
write . So they are workaround this !
How can I prevent copying programs from samba shares to a local drives
and run it from there? It is any possibility to secure programs and run
it from samba shares only ?
Please help!
[global]
workgroup = geodezja
server string = Samba Server %v
interfaces = 10.10.10.0/255.255.255.0 127.0.0.1
bind interfaces only = Yes
update encrypted = Yes
client ntlmv2 auth = yes
log level = 2 vfs:3 auth:2 passdb:3
log file = /var/log/samba/%U.%m.log
max log size = 500
#PERFORMANCE
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
read raw = yes
write raw = yes
max xmit = 65535
large readwrite = yes
add user script = /usr/sbin/useradd "%u" -n -g users
add group script = /usr/sbin/groupadd "%g"
add machine script = /usr/sbin/useradd -n -c "komputer (%u)"
-M -d
/nohome -s /bin/false "%u"
# add machine script = /usr/sbin/useradd -g komputery -d /dev/null
-s /bin/false -M "%u"
logon script = %G.CMD
logon path logon home domain logons = yes
os level = 128
preferred master = yes
domain master = yes
local master = yes
remote browse sync = none
remote announce = none
dns proxy = No
wins support = yes
name resolve order = wins hosts bcast
hosts allow = 10.10.10.0/255.255.255.0 127.0.0.1
hosts deny = ALL
security = user
null passwords = no
deadtime = 0
map to guest = never
create mask = 0777
nt acl support = no
time server = yes
enable privileges = yes
passdb backend = tdbsam
username map = /etc/samba/smbusers
hide dot files = yes
guest ok = no
name cache timeout = 60
[geo$]
comment = Mapa
# oplock = yes
# level2oplocks = yes
# locking = yes
invalid users = @geodeta, at ewidencja,
write list = +geo
path = /home/samba/geo
force group = geo
force create mode = 0777
vfs object = recycle full_audit
recycle:repository = .recycle/%U
recycle:touch = true
recycle:keeptree = true
recycle:versions = false
recycle:exclude = *.TMP *.STP
recycle:directory_mode = 773
full_audit:prefix = %u|%m|%I|%S
full_audit:success = read pwrite write rename unlink rmdir mkdir
lock
pread
full_audit:failure = read write
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba