Creating a secure smb share

In another post I wrote how it would be nice to have a secure samba share. I had a quick play tonight to quickly see what was possible without too much effort.

I will write up the steps later, however, I want to summarize quickly what I did, along with the issues I encountered.

To do this I created a new linux group, user, and gave that user a password. At this stage SSH access was also possible with this new user, and they had their own home directory.

Then I initially wanted to create a folder in the /media directory, which already has AFPSDcard and sdb1 directories. So I created a directory sdb2 within /media, and I gave it rwx permissions for all users.

Then within /shares, I created a symbolic link Private pointing to /media/sdb2.

Then I edited the /etc/samba/smb.conf file to include a new Private section, based on the Public section, with appropriate changes such as permitted users (the new user I created), and point to /media/sdb2.

I then also created a samba password for the new user.

Everything in theory should have worked. However, when I rebooted, I couldn’t map to the new share. Then when I looked inside the /media directory, the sdb2 directory was removed, and the Private symbolic link in /shares broken. It seems that the WD MPW deletes anything other than AFPSDcard and sdb1.

So instead, I then created a Private directory in /home/user_i_created, made this directory rwx and updated the Private symbolic link in /shares, and smb.conf file to point to /home/user_i_created/Private. Now everything works fine because the /home/user_i_created/Private directory is not removed after a reboot.

Ideally, I want to set up a “private” share which will be visible when I plug the WD MPW into a computer. This is why I tried initially putting my “Private” share within the /media directory. I wonder what process/script is removing the other files from the /media directory – any ideas?

Also, I notice in the root of the drive there is a directory called DataVolume. It’s not a symbolic link, however it has the same content as /media/sdb1.

Interesting. I would presume there is indeed a process involved that checks the configuration for non-standard files or permissions. Otherwise it would be quite strange for the configuration to revert.

Regards,

Yeah. I dug a bit deeper. It seems the startup files in /etc/init.d do some checks. I think they then look at the mount config in mtab and fssd.

in /proc/self

more mounts

rootfs / rootfs rw 0 0
ubi0:rootfs / ubifs rw,relatime 0 0
devtmpfs /dev devtmpfs rw,relatime,size=256028k,nr_inodes=64007,mode=755 0 0
proc /proc proc rw,relatime 0 0
devpts /dev/pts devpts rw,relatime,gid=5,mode=620 0 0
tmpfs /dev/shm tmpfs rw,relatime,mode=777 0 0
tmpfs /tmp tmpfs rw,relatime,size=307200k 0 0
sysfs /sys sysfs rw,relatime 0 0
tmpfs /media tmpfs rw,relatime,size=512k 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
/dev/sda1 /media/sdb1 ufsd rw,relatime,fmask=0,dmask=0,nocase,force 0 0
/dev/sda1 /DataVolume ufsd rw,relatime,fmask=0,dmask=0,nocase,force 0 0
/dev/loop0 /media/sdb1/.wdcache/.wd-alert ufsd rw,relatime,nocase,force 0 0
/dev/sda1 /var/ftp/Public ufsd rw,relatime,fmask=0,dmask=0

more mtab

rootfs / rootfs rw 0 0
ubi0:rootfs / ubifs rw,relatime 0 0
devtmpfs /dev devtmpfs rw,relatime,size=256028k,nr_inodes=64007,mode=755 0 0
proc /proc proc rw,relatime 0 0
devpts /dev/pts devpts rw,relatime,gid=5,mode=620 0 0
tmpfs /dev/shm tmpfs rw,relatime,mode=777 0 0
tmpfs /tmp tmpfs rw,relatime,size=307200k 0 0
sysfs /sys sysfs rw,relatime 0 0
tmpfs /media tmpfs rw,relatime,size=512k 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
/dev/sda1 /media/sdb1 ufsd rw,relatime,fmask=0,dmask=0,nocase,force 0 0
/dev/sda1 /DataVolume ufsd rw,relatime,fmask=0,dmask=0,nocase,force 0 0
/dev/loop0 /media/sdb1/.wdcache/.wd-alert ufsd rw,relatime,nocase,force 0 0
/dev/sda1 /var/ftp/Public ufsd rw,relatime,fmask=0,dmask=0,nocase,force 0 0
avatar /sys/fs/cgroup cgroup rw,relatime,memory 0 0

Ideally I could change the file system tables, so that maybe /dev/sda1 is mounted to a new private directory in the root, called DataVolumePrivate, then set the Private symbolic link in /shares to /DataVolumePrivate, and update afp.conf (for apple) and smb.conf. However, I’m a bit rusty with fstab and mtab, so prefer not to brick my device :-)… I need to read up on file system tables and mount points.
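The mount table above explains the first post's failure: /media is a tmpfs, so a directory created there is gone after every reboot, while /home lives on the persistent ubifs root. The script below is an added example, not code from the thread or from WD: it checks which filesystem a proposed share path lands on (using a constructed sample copied from the mounts output above; the second argument can be dropped to read the live /proc/self/mounts) and emits a smb.conf stanza restricted to a single account. The user name alice is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or WD): flag share paths that live on the
# tmpfs /media and so vanish on reboot, then emit a one-user smb.conf stanza.

# Constructed sample of /proc/self/mounts, copied from the thread's output.
SAMPLE_MOUNTS='ubi0:rootfs / ubifs rw,relatime 0 0
tmpfs /media tmpfs rw,relatime,size=512k 0 0
/dev/sda1 /media/sdb1 ufsd rw,relatime,fmask=0,dmask=0,nocase,force 0 0
/dev/sda1 /DataVolume ufsd rw,relatime,fmask=0,dmask=0,nocase,force 0 0'

# fs_type_of PATH [MOUNTS]: filesystem type of the longest mount point that
# contains PATH; MOUNTS defaults to the live /proc/self/mounts.
fs_type_of() {
    path=$1; mounts=${2:-$(cat /proc/self/mounts)}
    best=""; best_type=""
    while read -r dev mnt type rest; do
        [ -n "$mnt" ] || continue
        case "$path" in
            "$mnt"|"$mnt"/*) ;;              # at or below this mount point
            *) [ "$mnt" = / ] || continue ;; # "/" contains every path
        esac
        if [ "${#mnt}" -ge "${#best}" ]; then
            best=$mnt; best_type=$type
        fi
    done <<EOF
$mounts
EOF
    printf '%s\n' "$best_type"
}

# share_is_persistent PATH [MOUNTS]: succeeds unless PATH sits on a tmpfs,
# which is what happened to /media/sdb2 in the thread.
share_is_persistent() {
    [ "$(fs_type_of "$1" "$2")" != tmpfs ]
}

# smb_private_section NAME PATH USER: share stanza limited to one account.
# The directory itself should be owned by USER with mode 0700, not world-rwx.
smb_private_section() {
    cat <<EOF
[$1]
   path = $2
   valid users = $3
   guest ok = no
   read only = no
   create mask = 0600
   directory mask = 0700
EOF
}
```

Running `share_is_persistent /media/sdb2 "$SAMPLE_MOUNTS"` fails against the sample table, while `/home/alice/Private` passes, which matches what the thread observed after reboot.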