Posts: 6,622
Threads: 192
Joined: Apr 2018
Reputation:
271
I'm just being fussy. It seems to me that implementing a protected SMB access method should not include making it possible for anyone in possession of the SMB access credentials to establish a user session via SSH or the local console.
I salute "just scratching an itch". It often leads to a valuable contribution to the codebase.
Regards,
Kent
Posts: 15
Threads: 1
Joined: Nov 2024
Reputation:
0
I fully agree it’s open or isn’t. It could be implemented with a checkbox. Creates the new user moodeguest with the password moodeguest. Then executes smbpasswd with the same options. If the user switches it off, execute smbpasswd -x moodeguest to remove the access. Could add a username and password field. I can do some tests, I’m busy tomorrow but should have a spare bit of time the day after. From memory if you create a user then it does get ssh access, but not access to the sudoer group. I don’t know the ins and outs of the code base yet.
After that the only change is adding the admin users entry in smb.conf, which can stay in there as it will apply to the users group and has no effect if off. After that it’s just removing the guest ok fields on the shares and restarting the service. Haven’t written any PHP in 14 odd years, bit rusty, otherwise I’d knock you up something.
Posts: 15
Threads: 1
Joined: Nov 2024
Reputation:
0
I've been having a think and doing some tests. There is the more complete way and the quick and dirty way. When you create a user you do get remote access, this is however independent of the samba side as samba has its own password.
The more complete way is to:

Create a new group
    groupadd smbusers

Create a new user without a home and its default login is nologin in the group.
    useradd -M -G smbusers -s /sbin/nologin moodeguest

Disable the new user so that it can't be used for login.
    usermod -L -e 1970-01-01 moodeguest

Modify SSH to not allow SSH for that group (going a bit far now, no console or ssh access)
Add the line in /etc/ssh/sshd_config
    DenyGroups smbusers

Remove the guest access from samba
Comment out or remove in /etc/samba/smb.conf
From Global
    #map to guest = Bad User
    #guest account = root
From all shares
    #guest ok = Yes
Add in to Global: This allows the read / write
    admin users = @smbusers

Finally add the user to samba
    smbpasswd -a moodeguest
Then you set the password for the moodeguest user.
If you were to create the account and password as moodeguest then in the UI when smb is turned on you just need to modify the text to tell the user the smb username and password. I quite like this method as the user doesn't need any more confusing options or settings. This is more complete so in the future if you did want to make it more NAS like where a user can create their own accounts it will work in the same way as the login and ssh are protected and accounts can be added and removed. Also with this method there is no need to even have the ssh user account or anything like that.
The quick and dirty way relies on the ssh account. That is already enabled and known, so the username (whatever it is sshuser?) would just need to be added to samba, the password can be different from ssh as they are independent.
In terms of implementation the changes in the UI are minimal, maybe the account creation and assigning it to samba could be put into a shell script to set up the account when smb is switched on?
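The smb.conf part of the procedure above as a script, in the spirit of the suggestion to put the setup into a shell script. This is an added example, not part of the original posts or of moOde's code; the function names, the sample config and its share name are constructed for illustration.

```shell
#!/bin/sh
# Added example: apply the smb.conf edits from the post to a config file and
# print the result. Usage: harden_smb_conf FILE [GROUP]  (GROUP defaults to smbusers)
# Idempotent: commented guest lines and an existing "admin users" are kept.
# Note: Samba performs file operations for "admin users" as root on the share.
harden_smb_conf() {
    awk -v grp="${2:-smbusers}" '
    # Track the current section name in both passes.
    /^[ \t]*\[/ { sec = tolower($0); gsub(/[ \t]/, "", sec) }
    # Pass 1: only detect an existing "admin users" entry in [global].
    NR == FNR {
        if (sec == "[global]" && tolower($0) ~ /^[ \t]*admin users[ \t]*=/) have = 1
        next
    }
    # Pass 2: comment out the guest settings named in the post.
    tolower($0) ~ /^[ \t]*(map to guest|guest account|guest ok)[ \t]*=/ {
        print "#" $0; next
    }
    { print }
    # Directly after the [global] header, add the entry if it was missing.
    /^[ \t]*\[/ && sec == "[global]" && !have {
        print "admin users = @" grp; have = 1
    }
    ' "$1" "$1"
}

# Constructed sample config (not a real moOde smb.conf).
sample_conf() {
    cat <<'EOF'
[global]
workgroup = WORKGROUP
map to guest = Bad User
guest account = root

[NAS]
path = /mnt/NAS
guest ok = Yes
EOF
}

# Demo on the constructed sample: print the rewritten config.
tmp=$(mktemp) && sample_conf > "$tmp" && harden_smb_conf "$tmp"
rm -f "$tmp"
```

Write the output to a temporary file and check it with `testparm -s` before replacing /etc/samba/smb.conf and restarting the service.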
Posts: 6,622
Threads: 192
Joined: Apr 2018
Reputation:
271
I'm away but this looks good to me. Glad to see you suggest creating a system account rather than normal user account.
It may rankle others that the original password-less guest account is removed. Not really a problem, obviously, but they might think so.
Regards,
Kent