Samba 'access based share enum' workaround for workgroups (Hide shares that users don't have access to)

So I recently discovered 'access based share enum', which is supposed to simply make shares invisible to users that don't have the permissions required to access them anyway, and thought it would be nice to implement it in my workgroup. Unfortunately, after much fumbling about on Google, Freenode, and eventually crawling through Samba's source myself, I've determined the option only applies to domains, and not to workgroups. With some additional googling and some hints from Davidh2k, I've managed a working, though incomplete, workaround. Per Davidh2k's request I'm sharing what I've come up with so that it may help others, and possibly be refined a bit ;)

      OMV GUI steps needed:
      Make shares this will apply to "browsable = no"
      Add an extra option to each share of "include = /etc/samba/.browseable/ShareName.%U.conf" (ShareName must match the samba share name exactly. I haven't figured out a way to automate this and it's not a terribly large burden to do manually imho)

      The heart of the matter is a version of /usr/share/openmediavault/mkconf/samba.d/20shares which I gutted and repurposed to generate the include files for each share and valid user. The new file is 99smurfy in the same directory. It can be named pretty much anything, as long as it's valid to run-parts, because it doesn't touch smb.conf in any manner anyway, so order doesn't matter.

      It's ugly. It's not finished. My apologies. It does do its job though, save that it doesn't ensure deletion of files for users who have no permissions for the share (their usernames don't get passed into it). Deleting all of the files at the start of each pass is currently the only way I know of to do this properly, but I'm running on a crap USB stick and don't want excessive writes.

Shell-Script

```sh
#!/bin/sh
#
# This file is part of OpenMediaVault.
#
# @license http://www.gnu.org/licenses/gpl.html GPL Version 3
# @author Volker Theile <volker.theile@openmediavault.org>
# @copyright Copyright (c) 2009-2015 Volker Theile
#
# OpenMediaVault is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# any later version.
#
# OpenMediaVault is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with OpenMediaVault. If not, see <http://www.gnu.org/licenses/>.
#
# Documentation/Howto:
# http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html#id2611892
# http://us5.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
# http://www.cyberciti.biz/tips/how-do-i-set-permissions-to-samba-shares.html
# http://oreilly.com/catalog/samba/chapter/book/ch06_02.html
# https://www.bsi.bund.de/ContentBSI/grundschutz/kataloge/m/m04/m04332.html
# http://www.redhat.com/advice/tips/sambatrash.html
# http://askubuntu.com/questions/258284/setting-up-an-anonymous-public-samba-share-to-be-accessed-via-windows-7-and-xbmc
#
# Hacked to bits by James Daniel (TechSmurf) to turn it into a script that writes small
# includable conf files for samba to simulate 'access based share enum' for workgroups
set -e

. /etc/default/openmediavault
. /usr/share/openmediavault/scripts/helper-functions

# Directory holding the per-share, per-user include files that each share's
# "include = /etc/samba/.browseable/ShareName.%U.conf" option points at.
browsedir=/etc/samba/.browseable
mkdir -p "${browsedir}"

index=$(omv_config_get_count "//services/smb/shares/share")
while [ ${index} -gt 0 ]; do
    # Get the UUID of the current share.
    uuid=$(omv_config_get "//services/smb/shares/share[position()=${index}]/uuid")
    # Process enabled shares only.
    enabled=$(omv_config_get "//services/smb/shares/share[uuid='${uuid}']/enable")
    if [ "${enabled}" = "1" ]; then
        # Get the shared folder reference and the samba share name.
        sfref=$(omv_config_get "//services/smb/shares/share[uuid='${uuid}']/sharedfolderref")
        sharename=$(omv_config_get "//services/smb/shares/share[uuid='${uuid}']/name")
        # Get the shared folder's user privileges as "perms:name" lines.
        privileges=$(xmlstarlet sel -t -m "//system/shares/sharedfolder[uuid='${sfref}']/privileges/privilege[type='user']" \
            -v "concat(perms,':',name)" -n \
            ${OMV_CONFIG_FILE} | xmlstarlet unesc)
        # Split on newlines only (the "\n+" separator would also split on '+').
        IFS="$(printf '\nx')"; IFS="${IFS%x}"
        for privilege in ${privileges}; do
            [ -z "${privilege}" ] && continue
            perms=${privilege%%:*}
            name=${privilege#*:}
            browsefile="${browsedir}/${sharename}.${name}.conf"
            case ${perms} in
                0)
                    # No access: make sure no include file exists for this user.
                    if [ -f "${browsefile}" ]; then
                        rm "${browsefile}"
                    fi
                    ;;
                5|7)
                    # Read-only (5) or read/write (7): make the share browseable
                    # for this user, writing only if the file is missing.
                    if [ ! -f "${browsefile}" ]; then
                        echo "browseable = yes" > "${browsefile}"
                    fi
                    ;;
            esac
        done
        unset IFS
    fi
    index=$(( ${index} - 1 ))
done
```
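The script above leaves a stale include file behind for any user who no longer appears in the share's privilege list at all, so a revoked user keeps seeing the share. As an added example (not part of TechSmurf's post and not OpenMediaVault code), the following POSIX sh function keeps one directory per share, writes an include file only for users with read (5) or write (7) permission, touches a file only when it is missing or its content differs, and prunes every other `*.conf` in that directory on each pass. The share name, privilege lines and directory are constructed inline, in the same `perms:name` format the xmlstarlet query produces; with this layout the share's extra option would be `include = /etc/samba/.browseable/ShareName/%U.conf` (an assumed path, chosen to match the post).

```shell
#!/bin/sh
# Added example: generate per-share, per-user samba include files and prune
# stale ones, so a user whose privilege was removed or set to 0 stops seeing
# the share on the next run. Inputs below are constructed, not read from
# OMV's config.xml.
set -eu
umask 022   # files 0644, directories 0755: only root may alter what smbd includes

# sync_share_includes SHARENAME PRIVILEGES BASEDIR
#   PRIVILEGES: newline-separated "perms:name" lines (perms 0, 5 or 7).
#   Result: BASEDIR/SHARENAME/<user>.conf exists exactly for users with 5 or 7.
sync_share_includes() {
    share="$1"; privs="$2"; base="$3"
    sdir="$base/$share"
    mkdir -p "$sdir"
    chmod 755 "$sdir"
    keep=""
    oldifs="$IFS"
    IFS="$(printf '\nx')"; IFS="${IFS%x}"   # newline-only field separator
    for p in $privs; do
        [ -n "$p" ] || continue
        perms="${p%%:*}"; name="${p#*:}"
        case "$perms" in
            5|7)
                keep="$keep $name"
                f="$sdir/$name.conf"
                # Write only when missing or tampered with; keeps writes minimal.
                if [ ! -f "$f" ] || [ "$(cat "$f")" != "browseable = yes" ]; then
                    printf 'browseable = yes\n' > "$f"
                fi
                ;;
            *) ;;   # 0 (no access) or unknown: no file; pruned below if present
        esac
    done
    IFS="$oldifs"
    # Prune include files for users not granted 5 or 7 in this pass.
    for f in "$sdir"/*.conf; do
        [ -e "$f" ] || continue          # glob matched nothing
        u="${f##*/}"; u="${u%.conf}"
        case " $keep " in
            *" $u "*) ;;
            *) rm -f "$f" ;;
        esac
    done
}

# visible_users SHARENAME BASEDIR: space-separated users who currently get
# "browseable = yes" for the share (sorted, as the glob expands).
visible_users() {
    d="$2/$1"
    out=""
    [ -d "$d" ] || { printf '\n'; return 0; }
    for f in "$d"/*.conf; do
        [ -e "$f" ] || continue
        u="${f##*/}"; u="${u%.conf}"
        out="$out${out:+ }$u"
    done
    printf '%s\n' "$out"
}

# Constructed demo: grant three users, then revoke two and re-run.
demo_dir="$(mktemp -d)"
sync_share_includes data "$(printf '7:alice\n5:bob\n0:carol\n')" "$demo_dir"
echo "after pass 1: $(visible_users data "$demo_dir")"   # alice bob
sync_share_includes data "$(printf '7:alice\n')" "$demo_dir"
echo "after pass 2: $(visible_users data "$demo_dir")"   # alice
rm -rf "$demo_dir"
```

The per-share subdirectory avoids the prefix clash a flat `ShareName.user.conf` layout has between share names such as `data` and `data.old`, where one share's pruning pass would otherwise match the other's files. Root-owned, non-writable include files matter here: smbd parses an included file as part of the share section, so anyone able to write one can set arbitrary share options, not merely flip visibility.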