veto files question - SMB


Thread: veto files question

  1. veto files question

    Right to the point:

    veto files = /etc/passwd/dev/.?*/

    will not allow sharing /etc, passwd, /dev or any files starting with a
    dot. My question is how do I 'veto' everything 'except for'?

    Let's say I have many files and directories on the UNIX side which I
    want to share to W2K systems but I only want to allow them to see/read
    one or two files?

    Thanks.

    --
    __ _
    / / (_)__ __ ____ __ --==[bman]==--
    / /__/ / _ \/ // /\ \ / |
    /____/_/_//_/\_,_//_\_\ Life is what you make of it...



  2. Re: veto files question

    Hi,

    > Let's say I have many files and directories on the UNIX side which I
    > want to share to W2K systems but I only want to allow them to see/read
    > one or two files?


    It's a hack, but can you create a directory, share it and then put symlinks
    to the files that you want to share in the directory?
    If there are only a small number, this would work.
    What are you counting as small?
    What are you trying to achieve on a higher level? - Why are you sharing /etc
    anyway?


    Regards,
    @ndy

    --
    andyjpb@ashurst.eu.org
    http://www.ashurst.eu.org/
    0x7EBA75FF




  3. Re: veto files question

    Hi,

    > > Let's say I have many files and directories on the UNIX side which I
    > > want to share to W2K systems but I only want to allow them to see/read
    > > one or two files?


    Eeeek... Sorry for replying to myself.
    Just remembered that there is an option that you can pass in smb.conf that
    will hide unreadable files. - Just change the unix permissions so that the
    files are unreadable, set "hide unreadable" and it should work.



    Regards,
    @ndy

    --
    andyjpb@ashurst.eu.org
    http://www.ashurst.eu.org/
    0x7EBA75FF




  4. Re: veto files question

    Hi Andy,

    I am not sharing /etc. What I am saying is:

    veto files = /etc/passwd/dev/.?*/

    which is do not allow sharing either /etc, passwd, /dev or any other
    file that begins with a period. The reason why I have it here is so
    users who want to play games with me by symlinking them to their home
    directories, will not be able to view them via the SAMBA share (I do not
    allow ftp). I disabled .?* mostly for my users' own protection (in case
    they got an idea of editing .profile or other UNIX configuration files
    using Microsoft Notepad or something).

    Andy Bennett wrote:

    >Hi,
    >
    >
    >
    >>Let's say I have many files and directories on the UNIX side which I
    >>want to share to W2K systems but I only want to allow them to see/read
    >>one or two files?
    >>
    >>

    >
    >It's a hack, but can you create a directory, share it and then put symlinks
    >to the files that you want to share in the directory?
    >

    Hmm. Interesting approach. However it will not work in my case. The
    user getting to the share will also have to remove that one particular
    file once his/her process is done. It would seem logical to me that if
    we have an option to 'veto' a single or a list of files, why not to veto
    the other way around: deny everything and then, allow what you want.
    This would make perfect sense to me but I am not sure what would have
    to be involved to implement this feature in the current implementation
    of samba....

    >If there are only a small number, this would work.
    >What are you counting as small?
    >What are you trying to achieve on a higher level? - Why are you sharing /etc
    >anyway?
    >

    Reply to this question is in the first paragraph. In a nutshell, there
    are UNIX batch jobs that generate some output which is dumped into this
    one directory. After the output is produced, another job was picking it
    up and uploading it via ftp to a Windows machine. SAMBA solution is
    perfect for this. But because the directory this particular file is
    dumped to is shared by other jobs, I do not want them to see anything
    else in that directory on the Windows side but their own stuff. veto
    files is a great idea. I just hope that SAMBA team can take it to its
    logical next level: deny everything and allow only what you want....



    --
    __ _
    / / (_)__ __ ____ __
    / /__/ / _ \/ // /\ \ /
    /____/_/_//_/\_,_//_\_\ Life is what you make of it...
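
Added example, not part of the original thread: a simplified Python model of how a `veto files` value is split on `/` and matched against individual names, showing that the option is a deny-list and every name it does not list stays visible. The matcher treats only `*` and `?` as wildcards, which approximates Samba's own matching, and the directory listing is constructed.

```python
import re


def parse_veto(value):
    """Split a 'veto files' value on '/' into entries, dropping empty pieces."""
    return [entry for entry in value.split("/") if entry]


def _to_regex(entry, case_sensitive):
    # Only '*' and '?' act as wildcards; every other character is literal.
    pattern = re.escape(entry).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(pattern, 0 if case_sensitive else re.IGNORECASE)


def is_vetoed(name, entries, case_sensitive=True):
    """True if one file or directory name matches any veto entry.

    Entries are compared with a single name, never with a full path,
    which is why an entry cannot contain the '/' separator itself.
    """
    return any(_to_regex(e, case_sensitive).fullmatch(name) for e in entries)


def visible(names, veto_value, case_sensitive=True):
    """Names from a listing that remain visible under the given veto value."""
    entries = parse_veto(veto_value)
    return [n for n in names if not is_vetoed(n, entries, case_sensitive)]


# The value quoted in the thread.
VETO = "/etc/passwd/dev/.?*/"

# Constructed directory listing (assumption, for illustration only).
LISTING = ["report_jobA.txt", "report_jobB.txt", "etc", "passwd",
           "dev", ".profile", "passwd.bak", "Passwd"]

if __name__ == "__main__":
    print("entries:", parse_veto(VETO))
    print("visible (case sensitive):  ", visible(LISTING, VETO))
    print("visible (case insensitive):", visible(LISTING, VETO, False))
```

Both job reports stay visible because nothing in the list names them: the option can only subtract names from a listing, so an "allow only these" policy has to come from Unix permissions or a dedicated share rather than from this list.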



  5. Re: veto files question

    Hi,

    > The reason why I have it here is so
    > users who want to play games with me by symlinking them to their home
    > directories


    IIRC there is an option that you can specify in smb.conf that prevents samba
    from following "wide" symlinks. - That will prevent this kind of thing.


    Regards,
    @ndy

    --
    andyjpb@ashurst.eu.org
    http://www.ashurst.eu.org/
    0x7EBA75FF




  6. Re: veto files question

    Hi Andy,

    I know about 'wide links' option but life is not black and white. I
    need the ability of symlinking (wide links) but without /etc, passwd,
    /dev, .?*, in short, anything that might compromise the system in
    any way... ;-)

    I am still, however, interested if it is possible at all to first, deny
    all and then, allow only what I wish to allow. From the responses I am
    getting, however, it seems to me that at the current stage it is rather
    not possible....

    Thanks Andy.

    Andy Bennett wrote:

    >Hi,
    >
    >
    >
    >>The reason why I have it here is so
    >>users who want to play games with me by symlinking them to their home
    >>directories
    >>
    >>

    >
    >IIRC there is an option that you can specify in smb.conf that prevents samba
    >from following "wide" symlinks. - That will prevent this kind of thing.


    --
    __ _
    / / (_)__ __ ____ __
    / /__/ / _ \/ // /\ \ /
    /____/_/_//_/\_,_//_\_\ Life is what you make of it...


