So I recently discovered 'access based share enum', which is supposed to simply make shares invisible to users that don't have the permissions required to access them anyway, and thought it would be nice to implement it in my workgroup. Unfortunately, after much fumbling about on Google, Freenode, and eventually crawling through Samba's source myself, I've determined the option only applies to domains, and not to workgroups. With some additional googling and some hints from Davidh2k, I've managed a working, though incomplete, workaround. Per Davidh2k's request I'm sharing what I've come up with so that it may help others, and possibly be refined a bit.
OMV GUI steps needed:
Make shares this will apply to "browsable = no"
Add an extra option to each share of "include = /etc/samba/.browseable/ShareName.%U.conf" (ShareName must match the samba share name exactly. I haven't figured out a way to automate this and it's not a terribly large burden to do manually imho)
The heart of the matter is a version of /usr/share/openmediavault/mkconf/samba.d/20shares which I gutted and repurposed to generate the include files for each share and valid user. The new file is 99smurfy in the same directory. It can be named pretty much anything, as long as it's valid to run-parts, because it doesn't touch smb.conf in any manner anyway, so order doesn't matter.
It's ugly. It's not finished. My apologies. It does do its job though, save that it doesn't ensure deletion of files for users who have no permissions for the share (their usernames don't get passed into it). Deleting all of the files at the start of each pass is currently the only way I know of to do this properly, but I'm running on a crap USB stick and don't want excessive writes.
#!/bin/sh
#
# This file is part of OpenMediaVault.
#
# @license http://www.gnu.org/licenses/gpl.html GPL Version 3
# @author Volker Theile <volker.theile@openmediavault.org>
# @copyright Copyright (c) 2009-2015 Volker Theile
#
# OpenMediaVault is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# any later version.
#
# OpenMediaVault is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with OpenMediaVault. If not, see <http://www.gnu.org/licenses/>.
# Documentation/Howto:
# http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html#id2611892
# http://us5.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
# http://www.cyberciti.biz/tips/how-do-i-set-permissions-to-samba-shares.html
# http://oreilly.com/catalog/samba/chapter/book/ch06_02.html
# https://www.bsi.bund.de/ContentBSI/grundschutz/kataloge/m/m04/m04332.html
# http://www.redhat.com/advice/tips/sambatrash.html
# http://askubuntu.com/questions/258284/setting-up-an-anonymous-public-samba-share-to-be-accessed-via-windows-7-and-xbmc
# Hacked to bits by James Daniel (TechSmurf) to turn it into a script that writes small
# includable conf files for samba to simulate 'access based share enum' for workgroups
set -e

. /etc/default/openmediavault
. /usr/share/openmediavault/scripts/helper-functions

# Directory holding the per-share, per-user include files. Created here so the
# first run does not abort under 'set -e' when it does not exist yet.
mkdir -p /etc/samba/.browseable

index=$(omv_config_get_count "//services/smb/shares/share")
while [ ${index} -gt 0 ]; do
    # Get the UUID of the current share.
    uuid=$(omv_config_get "//services/smb/shares/share[position()=${index}]/uuid")
    # Process enabled shares.
    enabled=$(omv_config_get "//services/smb/shares/share[uuid='${uuid}']/enable")
    if [ "${enabled}" = "1" ]; then
        # Get the shared folder reference and path
        sfref=$(omv_config_get "//services/smb/shares/share[uuid='${uuid}']/sharedfolderref")
        sfpath=$(omv_get_sharedfolder_path "${sfref}")
        sharename=$(omv_config_get "//services/smb/shares/share[uuid='${uuid}']/name")
        # Get shared folder user privileges, one "perms:name" pair per line
        privileges=$(xmlstarlet sel -t -m "//system/shares/sharedfolder[uuid='${sfref}']/privileges/privilege[type='user']" \
            -v "concat(perms,':',name)" -n \
            "${OMV_CONFIG_FILE}" | xmlstarlet unesc)
        IFS="$(printf '\n+')"
        # echo $name, $uuid, $privileges
        for privilege in ${privileges}; do
            [ -z "${privilege}" ] && continue
            perms=${privilege%:*}
            name=${privilege#*:}
            # Quoted wherever it is used, so share or user names containing
            # IFS characters cannot split the path.
            browsefile="/etc/samba/.browseable/$sharename.$name.conf"
            case ${perms} in
            0)
                # No access: remove the include file so the share stays hidden
                if [ -f "$browsefile" ]; then
                    rm "$browsefile"
                fi
                ;;
            5)
                # echo $sharename.$name.conf "(user has read priv)"
                if [ ! -f "$browsefile" ]; then
                    # echo Writing \"browseable = yes\" to $browsefile
                    echo "browseable = yes" > "$browsefile"
                fi
                ;;
            7)
                # echo $sharename.$name.conf "(user has write priv)"
                if [ ! -f "$browsefile" ]; then
                    # echo Writing \"browseable = yes\" to $browsefile
                    echo "browseable = yes" > "$browsefile"
                fi
                ;;
            esac
        done
        unset IFS
    fi
    index=$(( ${index} - 1 ))
done
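One way to close the gap mentioned in the post (include files left behind for users who no longer appear in a share's privileges) without deleting and rewriting everything on each pass. This is an added example, not part of the original post or of OpenMediaVault; the function names and the "wanted list" file (one include-file basename per line, which the generator loop would have to write for perms 5 and 7) are assumptions.

```shell
#!/bin/sh
# Added example: prune stale per-user include files, touching only the
# files that should no longer exist (no rewrite of the valid ones).

# prune_stale DIR WANTED_FILE
#   DIR          directory of include files, e.g. /etc/samba/.browseable
#   WANTED_FILE  hypothetical list, one basename per line ("Share.user.conf")
# Prints the number of files removed.
prune_stale() {
    dir=$1
    wanted=$2
    removed=0
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue        # glob matched nothing
        base=${f##*/}
        # -x: whole line, -F: fixed string, so names are never read as patterns
        if ! grep -qxF -- "$base" "$wanted"; then
            rm -f -- "$f"
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# Constructed demo in a temporary directory: bob has lost access to "Media",
# so only Media.bob.conf should disappear.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/.browseable"
    for n in Media.alice Media.bob Backup.alice; do
        echo "browseable = yes" > "$tmp/.browseable/$n.conf"
    done
    printf '%s\n' Media.alice.conf Backup.alice.conf > "$tmp/wanted"
    count=$(prune_stale "$tmp/.browseable" "$tmp/wanted")
    set -- "$tmp/.browseable"/*.conf   # count the files that remain
    left=$#
    if [ -e "$tmp/.browseable/Media.bob.conf" ]; then
        bob=present
    else
        bob=gone
    fi
    rm -rf "$tmp"
    echo "$count:$left:$bob"
}

demo
```

The hidden-share include only controls whether a share is listed; access is still decided by the share's own user permissions.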