Everyone sees everything - don't want that

opensuse 11.3 on the Linux box, Windows XP on another box both connected thru a Netgear router.

It’s been a couple of years since I was lucky enough to get swerdna’s personal help setting up a previous system. But I’ve had to read through his tutorials again as the 1998 Maxtor system hard drive apparently achieved its mean time between failures and crashed. With those excellent resources I now again have my rebuilt Linux box sharing files with the Windows box. Nice!
Also the printer attached to the Windows box is now shared and I can print from Linux to the Windows shared printer. Excellent.

At this point though I find that I’ve got 2 nagging issues that I need help resolving.

  1. All users on the Windows box can navigate around and see all others user files. Indeed any user can pretty much see everything on this Windows box. At this point all the users are “admin” users and I’m thinking that may be the issue.
    1.a. Do I need to reassign the “common users” to the alternate account type in Windows (“Limited” accounts)?
    1.b. IF so then what do those users lose in terms of working with the system?

  2. Same on the Linux system. All users on the Linux box can log on and see all the others’ /home folders.

How do I stop a logged-on user from being able to see the other users’ stuff?

I do have [homes] share enabled as I’d like to be able to access my own /home folder from the Windows workstation.

I know there are more details needed but rather than bloat the post with unwanted info, just let me know what I need to post to help resolve.

Thanks!

You can use: chmod og-rx $HOME
to stop others from seeing your files.

As root, you could also do:
cd /home
chmod og-rx *

to make that change for all users. But don’t be surprised if some users change it back. Personally, I make my home directory visible to all, and I restrict access only to places where I choose to restrict.
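Added example, not nrickert’s own script or anything from openSUSE: a small POSIX shell script that generalises the chmod og-rx $HOME advice to a whole /home tree. audit_homes lists every home directory that another local user can still read or traverse (any read or execute bit set for group or other), tighten_homes removes those bits, and make_shared_dir creates a group-shared directory with the drwxrwx--T layout (mode 1770: group members may add files, the sticky bit stops them deleting each other’s). The function names and the root-directory parameter are assumptions; it relies on GNU find and stat as shipped on openSUSE.

```shell
#!/bin/sh
# Added example (not from the thread). Audit and tighten the permissions of
# home directories so that other local users cannot browse them.
# Usage: sh homes.sh audit [/home]     - list homes others can read/traverse
#        sh homes.sh tighten [/home]   - chmod og-rx each of those homes

# Print "mode name" for every directory directly under $1 that has any
# read or execute bit set for group or other. -perm /055 matches if ANY of
# r-x for group or r-x for other is set, so a write-only 0720 is not listed.
audit_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /055 -printf '%m %f\n' \
        | sort -k2
}

# Apply nrickert's chmod og-rx to every home under $1 that still needs it.
# Only group/other read and execute are removed; owner bits and any
# setgid/sticky bits on the directory are left alone.
tighten_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /055 -exec chmod og-rx {} +
}

# Create a shared directory that shows up as drwxrwx--T: owner and group
# have full access, others nothing, and the sticky bit (the T) means users
# can only delete or rename files they own. $2 (optional) is the group that
# should own it; the group must already exist on the system.
make_shared_dir() {
    mkdir -p "$1"
    [ -n "${2:-}" ] && chgrp "$2" "$1"
    chmod 1770 "$1"
}

# Command-line entry point; does nothing when sourced without arguments.
case "${1:-}" in
    audit)   audit_homes "${2:-/home}" ;;
    tighten) tighten_homes "${2:-/home}" ;;
esac
```

Run the audit first, since as nrickert notes some users deliberately open their home directory; tighten_homes is the blanket form of his "as root" step and should be applied only once you know who those users are.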

On Sun March 13 2011 11:36 pm, SomeSuSEUser wrote:

>
> opensuse 11.3 on the Linux box, Windows XP on another box both connected
> thru a Netgear router.
>
> It’s been a couple of years since I was lucky enough to get swerdna’s
> personal help setting up a previous system. But I’ve had to read
> through his tutorials again as the 1998 Maxtor system hard drive
> apparently achieved its mean time between failures and crashed. With
> those excellent resources I now again have my rebuilt Linux box sharing
> files with the Windows box. Nice!
> Also the printer attached to the Windows box is now shared and I can
> print from Linux to the Windows shared printer. Excellent.
>
> At this point tho I find that I’ve got 2 nagging issues that I need
> help resolving.
> 1. All users on the Windows box can navigate around and see all others
> user files. Indeed any user can pretty much see everything on this
> Windows box. At this point all the users are “admin” users and I’m
> thinking that may be the issue.
> 1.a. Do I need to reassign the “common users” to the alternate
> account type in Windows (“Limited” accounts)?
> 1.b. IF so then what do those users lose in terms of working with
> the system?
>
> 2. Same on the Linux system. All users on the Linux box can logon and
> see all the other’s /home folders.
>
> How do I stop a logged-on user from being able to see the other
> users’ stuff?
>
> I do have [homes] share enabled as I’d like to be able to access my own
> /home folder from the Windows workstation.
>
> I know there are more details needed but rather than bloat the post
> with unwanted info, just let me know what I need to post to help
> resolve.
>
> Thanks!
>
>
SomeSuSEUser;

Please post the contents of /etc/samba/smb.conf. You can conceal any
confidential information such as public IP’s or Domain names with substitute
values.

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

On 2011-03-14 05:36, SomeSuSEUser wrote:
> 1.a. Do I need to reassign the “common users” to the alternate
> account type in Windows (“Limited” accounts)?

IMO, yes.

> 1.b. IF so then what do those users lose in terms of working with
> the system?

Nothing.

Nothing that they should be able to do, like installing hardware or
software, because that is your job and prerogative, not theirs.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

> Please post the contents of /etc/samba/smb.conf. You can conceal any
> confidential information such as public IP’s or Domain names with substitute
> values.
>
> P. V.

Thanks P.V. I think you helped me set this up the first time w/ swerdna… here’s what I have:
[global]
workgroup = JeepNet
netbios name = Popeye
name resolve order = bcast host lmhosts wins
local master = yes
preferred master = yes
os level = 65
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
load printers = yes
use client driver = yes
map to guest = Bad User
server string = ""
include = /etc/samba/dhcp.conf
# logon path = \\%L\profiles\.msprofile
# logon home = \\%L\%U\.9xprofile
# logon drive = P:
# usershare allow guests = Yes
wins support = No
ldap suffix =
wins server =

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes

## Share disabled by YaST
# [profiles]
# comment = Network Profiles Service
# path = %H
# read only = No
# store dos attributes = Yes
# create mask = 0600
# directory mask = 0700

## Share disabled by YaST
# [users]
# comment = All users
# path = /home
# read only = No
# inherit acls = Yes
# veto files = /aquota.user/groups/shares/

[SharedFiles]
comment = common shared files
path = /home/Shared/
read only = No
force user = JeepNut
valid users = JeepNut Lazy58
inherit acls = Yes

[SharedMovies]
comment = Movies
path = /home/JeepNut/Media/Movies/
read only = Yes
write list = JeepNut
inherit acls = Yes

[SharedMusic]
comment = Music & more
path = /home/JeepNut/Media/Music_&_Sounds/
read only = Yes
write list = JeepNut
inherit acls = Yes

[SharedPictures]
comment = Pictures
path = /home/JeepNut/Pictures/
read only = Yes
write list = JeepNut
inherit acls = Yes

[SharedVideos]
comment = Music Videos, Youtube, TV Shows, etc.
path = /home/JeepNut/Media/Videos/
read only = Yes
write list = JeepNut
inherit acls = Yes

[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0700
browseable = No
guest ok = Yes

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775

Thanks! This is good info.

On Mon March 14 2011 02:36 pm, SomeSuSEUser wrote:

>
> Please post the contents of /etc/samba/smb.conf. You can conceal any
> confidential information such as public IP’s or Domain names with
> substitute
> values.
> --
> P. V.
>
> Thanks P.V. I think you helped me set this up the first time w/
> swerdna… here’s what I have:
> [global]
> workgroup = JeepNet
> netbios name = Popeye
> name resolve order = bcast host lmhosts wins
> local master = yes
> preferred master = yes
> os level = 65
> passdb backend = tdbsam
> printing = cups
> printcap name = cups
> printcap cache time = 750
> cups options = raw
> load printers = yes
> use client driver = yes
> map to guest = Bad User
> server string = ""
> include = /etc/samba/dhcp.conf
> # logon path = \\%L\profiles\.msprofile
> # logon home = \\%L\%U\.9xprofile
> # logon drive = P:
> # usershare allow guests = Yes
> wins support = No
> ldap suffix =
> wins server =
>
> [homes]
> comment = Home Directories
> valid users = %S, %D%w%S
> browseable = No
> read only = No
> inherit acls = Yes
>
> ## Share disabled by YaST
> # [profiles]
> # comment = Network Profiles Service
> # path = %H
> # read only = No
> # store dos attributes = Yes
> # create mask = 0600
> # directory mask = 0700
>
> ## Share disabled by YaST
> # [users]
> # comment = All users
> # path = /home
> # read only = No
> # inherit acls = Yes
> # veto files = /aquota.user/groups/shares/
>
> [SharedFiles]
> comment = common shared files
> path = /home/Shared/
> read only = No
> force user = JeepNut
> valid users = JeepNut Lazy58
> inherit acls = Yes
>
> [SharedMovies]
> comment = Movies
> path = /home/JeepNut/Media/Movies/
> read only = Yes
> write list = JeepNut
> inherit acls = Yes
>
> [SharedMusic]
> comment = Music & more
> path = /home/JeepNut/Media/Music_&_Sounds/
> read only = Yes
> write list = JeepNut
> inherit acls = Yes
>
> [SharedPictures]
> comment = Pictures
> path = /home/JeepNut/Pictures/
> read only = Yes
> write list = JeepNut
> inherit acls = Yes
>
> [SharedVideos]
> comment = Music Videos, Youtube, TV Shows, etc.
> path = /home/JeepNut/Media/Videos/
> read only = Yes
> write list = JeepNut
> inherit acls = Yes
>
> [printers]
> comment = All Printers
> path = /var/tmp
> printable = Yes
> create mask = 0700
> browseable = No
> guest ok = Yes
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/drivers
> write list = @ntadmin root
> force group = ntadmin
> create mask = 0664
> directory mask = 0775
>
>
SomeSuSEUser;

I don’t see any problems here. So let me try to get a better handle on this.

If you connect to your opensuse 11.3 machine from a windows or Samba client,
can you see anyone else’s home directory ( other than your own)?

If you connect to a windows machine from another machine ( Linux or Windows)
do you see any files not shared? It is normal that any shared file is
visible to Everyone.

When you log on to opensuse as an ordinary user can you see the contents of
other users’ /home directories? If yes this is a permission problem on /home.
See the post by nrickert. Just Google “Linux permissions” for lots of
information on setting permissions.

In windows, any user in the Administrative group has permissions for all
files. Much like the Linux root user. To limit the access of users to
others files on the Windows machine they must be in “Limited accounts”.

Windows security increases considerably if users have a limited account and
not an Administrator account. We insist on it for all Windows users. As
most windows users are accustomed to installing software “willy nilly” they
often complain about this (particularly teenagers). Just eat a can of spinach
and hold firm. You will have a lot less malware on the user’s machines.

P.S. I recall Popeye and JeepNut.

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

@ both robin_listas and venzkep
In answer I have edited the above considering the following permissions structure:

/home/JeepNut drwx------
/home/Lazy58 drwx------
/home/Shared drwxrwx--T

Now Lazy58, logged in and working from the Windows box, can browse all files in the /home/Shared folder on the Linux box and can browse the /home/Lazy58 folders on the Linux box but is restricted from any other folders.
Close but still not good as there are folders stored under /home/JeepNut on the Linux box that I set up, intending to share. But just those folders, not everything under /home/JeepNut.

The same condition exists for Lazy58 when logged onto the Linux box. Can browse all files in the /home/Shared folder on the Linux box and can browse the /home/Lazy58 folders on the Linux box but is restricted from any other folders. Including restricted from the random shared folders under /home/JeepNut.

On Tue March 22 2011 11:06 pm, SomeSuSEUser wrote:

>
> venzkep;2304664 Wrote:
>> On Mon March 14 2011 02:36 pm,
>> SomeSuSEUser;
>> I don’t see any problems here. So let me try to get a better handle
>> on this.
>>
>> If you connect to your opensuse 11.3 machine from a windows or Samba
>> client,
>> can you see anyone else’s home directory ( other than your own)?
>> Ans: No.
>>
>> If you connect to a windows machine from another machine ( Linux or
>> Windows)
>> do you see any files not shared? It is normal that any shared file is
>> visible to Everyone.
>> Ans: Don’t see any files on Windows box. Haven’t attempted to
>> share that direction.
>>
>> When you logon to opensuse as an ordinary user can you see the contents
>> of
>> other users /home directory? If yes this is a permission problem on
>> /home.
>> See the post by nrickert. Just Google “Linux permissions” for lots of
>> information on setting permissions.
>> Ans: No, but see below.
>>
>> In windows, any user in the Administrative group has permissions for
>> all
>> files. Much like the Linux root user. To limit the access of users to
>> others files on the Windows machine they must be in “Limited accounts”.
>>
>> Windows security increases considerably if users have a limited account
>> and
>> not an Administrator account…
>> Ans. Understood, this is no longer an issue.
>>
>
> @ both robin_listas and venzkep
> In answer I have edited the above considering the following permissions
> structure:
>
> /home/JeepNut drwx------
> /home/Lazy58 drwx------
> /home/Shared drwxrwx--T
>
> Now Lazy58 logged in and working from the Windows box can browse all
> files in the /home/Shared folder on the Linux box and can browse
> /home/Lazy58 folders on the Linux box but are restricted from any other
> folders.
> Close but still not good as there are folders stored under
> /home/JeepNut on the Linux box that I set up, intending to share. But
> just those folders, not everything under /home/JeepNut.
>
> The same condition exists for Lazy58 when logged onto the Linux box.
> Can browse all files in the /home/Shared folder on the Linux box and can
> browse the /home/Lazy58 folders on the Linux box but is restricted from any
> other folders. Including restricted from the random shared folders under
> /home/JeepNut.
>
>
SomeSuSEUser;

For Windows access to these shares this HowTo should work:
http://opensuse.swerdna.org/susesimpleshares.html

However, I think you would be ahead to just rethink the location of the files
you wish to share and place them in a folder outside your own home directory.
If you do not want to use the extra disk space, you could just use links to
point to the actual files.

There is one additional consideration here, using links. By default Samba
will not follow links in a share but you can place this in the share section
of /etc/samba/smb.conf to allow the server to follow links.


wide links = yes

Enabling “wide links” has certain security concerns, hence you should read the
section of man smb.conf on “wide links”.

P. V.
“We’re all in this together, I’m pulling for you.” Red Green
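An added example, not P.V.’s code and not part of Samba, of the check behind his caveat about “wide links”. With the default wide links = no, smbd follows a symlink only if it resolves inside the directory tree the share exports, so the script below lists exactly the links in a share path that would be refused, which tells you before touching smb.conf whether you need wide links at all. It also carries out the restructuring he recommends: relocate_out_of_home moves a folder from under a 0700 home directory to a shared location outside /home and leaves a symlink behind for local logins. Function names and the directory layout are assumptions of mine; it relies on GNU readlink -f and find.

```shell
#!/bin/sh
# Added example (not from the thread). Two helpers for the layout P.V.
# suggests: keep the real shared data outside the home directories and
# check share paths for symlinks that Samba's default wide links = no
# would refuse to follow.

# Print "link -> target" for every symlink under share root $1 whose
# resolved target lies outside that tree. These are the links smbd will
# not follow with wide links = no; anything listed here is either a
# mistake in the layout or a reason to move the data rather than enable
# wide links. find does not follow symlinks itself, so a link to a
# directory is reported once and never descended into.
find_escaping_links() {
    root=$(readlink -f "$1")
    find "$root" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || target=""
        case "$target" in
            "$root"|"$root"/*) ;;   # resolves inside the exported tree: fine
            *) printf '%s -> %s\n' "$link" "${target:-(dangling)}" ;;
        esac
    done | sort
}

# Move directory $1 (e.g. /home/JeepNut/Media/Movies) into shared parent
# directory $2 (e.g. /srv/shared) and replace the original with a symlink,
# so a local login still finds it in the usual place. The Samba share then
# points at "$2/<name>" directly; the symlink in the home directory is only
# a convenience for local users and is never exported.
relocate_out_of_home() {
    src=$1
    dest_dir=$2
    name=$(basename "$src")
    mkdir -p "$dest_dir"
    mv "$src" "$dest_dir/$name"
    ln -s "$dest_dir/$name" "$src"
}

# Command-line entry point; does nothing when sourced without arguments.
case "${1:-}" in
    check)    find_escaping_links "$2" ;;
    relocate) relocate_out_of_home "$2" "$3" ;;
esac
```

After relocating, the share section for the folder changes only its path line (for example path = /srv/shared/Movies in place of the /home/JeepNut/Media/Movies/ shown earlier), the home directory can stay at drwx------, and wide links keeps its default of no; running the check against /srv/shared should then print nothing.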

I’ll call this solved.
Wide Links didn’t seem like what I wanted.
So I have restructured my file layouts as suggested and this seems really to be the best solution.

Thanks for the brainstorming!