
Samba CIFS permission problems

Samba, the implementation of Windows [Personal Computer or PC] type file sharing on Unix type machines, is a classic example of ‘east meets west’ in security models. Unix was always designed as multi-user and it has a clear separation between users and the computer. In the PC world, the culture started out as assuming the user owned the machine and everything connected to it.

For Unix based machines, connecting to a network simply extended its security model to a ‘network is the computer’ idea. In the PC world, it was a case of needing to address a new concern – that of distinguishing self from other. Logins came to the PC and, with that, a whole raft of options and ideas about how to control who could do what.

If security isn’t an issue, permission to do things to files and devices on the network isn’t much of a problem. Just leave the doors open. In Unix systems this means keeping the ‘everyone’ permissions wide open for each file or device. In the PC world, it means setting up shares without conditions. Even then problems can occur when trying to cross the divide.

For instance, a common problem arises when using rsync to back up a Linux file system to a CIFS (PC) share. That share is usually mounted on the Linux system at a point owned by the root user. It may be set wide open but that isn’t the whole story. If you try to run rsync as a non-root user, you might encounter errors that say you do not have permission to set certain attributes. To get around these errors, you have to either run rsync as root or mount the CIFS share to a mount point you, rather than root, own.

Another common issue in blending Unix and PC security models is that of adding Unix ideas to the PC shares. These often have to do with the user and group identification method used in Unix systems. These ‘Unix extensions’ can mean that the PC share pays attention to the Unix user and group ID numbers used to control file permissions in Unix systems. If the Unix clients trying to access the PC shares do not have carefully planned user and group ID numbers used consistently throughout the network, a mismatch can cause permission problems for users. This is why the CIFS filesystem in Linux has mount options such as nounix, noperm, and so on.

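Another method to turn off these Unix extensions to PC share features is the command “echo 0 | sudo tee /proc/fs/cifs/LinuxExtensionsEnabled”, which changes a CIFS parameter. (Writing it as “sudo echo 0 > /proc/fs/cifs/LinuxExtensionsEnabled” fails because the redirection is performed by your own unprivileged shell, not by sudo.) You may need to run “sudo modprobe cifs” first in order to load the module and get the proc variables established.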
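To see which of these settings a given CIFS mount is actually using, the mount table can be checked per share. The script below is an added example, not part of the original post: the function name `cifs_audit`, the sample share names and the mount lines are constructed for illustration, and the `uid=` mount option is assumed to be the indicator of which local user the share's files are presented as owned by.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (not captured from a real system).
SAMPLE_MOUNTS='//nas/backup /mnt/backup cifs rw,relatime,vers=1.0,uid=0,gid=0,unix 0 0
//nas/home /home/alice/nas cifs rw,relatime,vers=1.0,uid=1000,gid=1000,nounix,noperm 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# cifs_audit UID
# Reads mounts-format lines on stdin and prints one line per CIFS mount:
#   <mountpoint> uid_match=<yes|no> nounix=<yes|no> noperm=<yes|no>
# uid_match=no   : files are presented as owned by another user (often root),
#                  the situation in which a non-root rsync cannot set attributes.
# nounix=no with uid_match=no : server-side Unix IDs may be in play, so
#                  inconsistent UID/GID numbering can cause mismatches.
cifs_audit() {
    want_uid=$1
    while read -r _dev mnt fstype opts _rest; do
        [ "$fstype" = "cifs" ] || continue      # skip non-CIFS filesystems
        uid_match=no; nounix=no; noperm=no
        old_ifs=$IFS; IFS=,                     # split the option list on commas
        for o in $opts; do
            case $o in
                uid="$want_uid") uid_match=yes ;;
                nounix)          nounix=yes ;;
                noperm)          noperm=yes ;;
            esac
        done
        IFS=$old_ifs                            # restore before the next read
        printf '%s uid_match=%s nounix=%s noperm=%s\n' \
            "$mnt" "$uid_match" "$nounix" "$noperm"
    done
}

# Demo on the constructed sample, checking against the current user's UID.
printf '%s\n' "$SAMPLE_MOUNTS" | cifs_audit "$(id -u)"
```

On a live system, feed it the real table with `cifs_audit "$(id -u)" < /proc/mounts`.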

There is a lot more to this story …
