Basic network access: servers
/etc/exports
A number of security implications are associated with NFS. Without some kind of authentication, you could mount any file system on the Internet. NFS was developed at a time when users were relatively trusted, and as a result the security precautions are not overly sophisticated.
/etc/exports describes the file systems to be exported, one file system per line. The format is:
file system options systems
systems is a list of systems allowed to mount the file system. The only required field is the name of the file system, but if you're on the Internet, you should at least limit the set of systems that can mount your file systems: by default, any system on the Net can mount them.
There are a number of options. Here are the more important ones:
- The -maproot option describes how to treat root. By default, root does not have special privileges on the remote system. Instead, NFS changes the user ID to user nobody, which is user 65534 (or -2). You can change this with the -maproot option. For example, to map root to the real root user for a specific file system, you would add -maproot=0 to the line describing the file system. Use this sparingly: with -maproot=0, anybody who is root on a client that may mount the file system is root on that file system on the server.
- The -mapall option maps the user IDs of other users. This is relatively uncommon. See the man page exports(5) for more details.
- The -ro option restricts access to read-only.
- The -network option restricts the access to systems on the specified network.
- The -alldirs option allows remote clients to mount any directory in the file system directly. Without this option, remote clients can only mount the root directory of the exported file system. We'll see an example where -alldirs can be of use during the discussion of diskless booting on page 543.
If you come from a System V background, you'll notice that the mechanism is different. /etc/exports corresponds in concept roughly to System V's /etc/dfs/dfstab file, except that the share statement does not exist.
Updating /etc/exports
To grant access to a file system, it's not enough to change the contents of /etc/exports: you also need to tell mountd that you have done so. You do this by the relatively common method of sending a hang up signal (SIGHUP) to mountd:
# killall -HUP mountd
A typical /etc/exports for presto might be:
/ -maproot=0 presto bumble wait gw
/usr -maproot=0 -alldirs -network 223.147.37.0
This allows root access to both file systems. Only the trusted systems presto, bumble, wait and gw are allowed to access the root file system, whereas any system on the local network may access /usr. Remote systems may mount any directory on the /usr file system directly. Note that the -maproot=0 on the second line means that root on any system in network 223.147.37.0 has root access to /usr, so the two lines together trust the whole local network.
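The two points to check in a file like this are the ones the text warns about: an export with no host or network list, which any system on the Net can mount, and an export with -maproot=0, which hands remote root full root access. The following sh script is an added example, not from the book or from FreeBSD; it reads lines in the format described above (one file system per line, options beginning with -, everything else a host or network) and reports both conditions. The sample /etc/exports contents are constructed from the presto example with two extra lines, and the option parsing covers only the simple forms shown on this page, not every feature of exports(5).

```sh
#!/bin/sh
# audit_exports: flag risky lines in a FreeBSD-style /etc/exports.
# Added example; not part of the book or of FreeBSD.

# Constructed sample in the format described above (the first two lines are
# the presto example; /home and /scratch are added to show unrestricted exports).
SAMPLE_EXPORTS='/ -maproot=0 presto bumble wait gw
/usr -maproot=0 -alldirs -network 223.147.37.0
/home -ro
/scratch -mapall=nobody'

# audit_exports TEXT
# Prints one line per finding, "<file system>: <problem>".  A word beginning
# with "-" is an option; -network/-mask (with or without "=") count as a
# restriction, as does any bare word, which is taken to be a host name.
audit_exports() {
    printf '%s\n' "$1" | while read -r fs rest; do
        case "$fs" in ''|'#'*) continue ;; esac      # skip blank lines and comments
        hosts=0; root=0
        for word in $rest; do
            case "$word" in
                -maproot=0|-maproot=root) root=1 ;;   # remote root becomes local root
                -network*|-mask*)         hosts=1 ;;  # restricted to a network
                -*)                       ;;          # some other option (-ro, -alldirs, ...)
                *)                        hosts=1 ;;  # a host name, or the argument of -network/-mask
            esac
        done
        if [ "$hosts" -eq 0 ]; then
            printf '%s: no host or network restriction; any system may mount it\n' "$fs"
        fi
        if [ "$root" -eq 1 ]; then
            printf '%s: -maproot=0 gives remote root full root access\n' "$fs"
        fi
    done
}

# Typical use on a live system: audit_exports "$(cat /etc/exports)"
audit_exports "$SAMPLE_EXPORTS"
```

On the sample, / and /usr are reported for -maproot=0, and /home and /scratch for having no host list; after fixing /etc/exports, remember that the change takes effect only after mountd has been sent a SIGHUP as described above.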
Samba
BSD UNIX and the Internet grew up together, but it took other vendors a long time to accept the Internet Protocols. In that time, a number of other protocols arose. We've already mentioned X.25 and SNA, neither of which is currently supported by FreeBSD. The protocols that grew up in the DOS world are more widespread, in particular Novell's IPX and Microsoft's Common Internet File System, or CIFS. CIFS was previously known as SMB (Server Message Block).
IPX support is relatively rudimentary. FreeBSD includes an IPX routing daemon, IPXrouted. See the man page IPXrouted(8) for further information. IPX is going out of use, so it's unlikely that support for it will improve. By contrast, Microsoft's CIFS is still alive and kicking. In the rest of this chapter we'll look at the standard implementation, Samba. This chapter describes only the FreeBSD side of the setup; you'll need to follow the Microsoft documentation for setting up the Microsoft side of the network.
Samba is a collection of software components that implement the SMB protocol over TCP/IP. You can use it to interface with all current Microsoft environments. It is part of the Ports Collection, in /usr/ports/net/samba. You can get more information from Using Samba, by Jay Ts, Robert Eckstein and David Collier-Brown. At http://samba.org/ you can get even more information, including support and a mailing list.
Samba includes a number of programs, most of which we don't touch on here. The ones we look at are:
- smbd, a daemon that provides file and print services to SMB clients.
- nmbd, which provides name services for NetBIOS.
- smbpasswd, which sets up network passwords for Samba.
- smbclient, a simple ftp-like client that is useful for accessing SMB shared files on other servers, such as Windows for Workgroups. You can also use it to allow a UNIX box to print to a printer attached to any SMB server.
- testparm, which tests the Samba configuration file, smb.conf.
- smbstatus, which tells you who is using the smbd daemon.
Installing the Samba software
Install Samba from the port:
# cd /usr/ports/net/samba
# make install
This operation installs the Samba binaries in /usr/local/bin, the standard location for additional binaries on a BSD system, and the daemons smbd and nmbd in /usr/local/sbin. These locations are appropriate for FreeBSD, but they are not the locations that the Samba documentation recommends. It also installs the man pages in /usr/local/man, where the man program can find them. Finally, it installs a sample configuration file in /usr/local/etc/smb.conf.default. We'll look at how to configure Samba below.
There are a number of security implications for the server, since it handles sensitive data. To maintain an adequate security level:
- Ensure that the software is readable by all and writeable only by root. smbd should be executable by all. Don't make it setuid. If an individual user runs it, it runs with their permissions.
- Put server log files in a directory readable and writable only by root, since they may contain sensitive information.
- Ensure that the smbd configuration file in /usr/local/etc/smb.conf is secured so that only root can change it.
The Samba documentation recommends making the directory containing the configuration file readable and writable only by root. On FreeBSD that directory is /usr/local/etc, which also holds the configuration files of other installed ports, so restricting it could cause problems for them. Securing smb.conf itself is enough.
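The three points above can be checked mechanically. The following sh script is an added example, not part of Samba or of the FreeBSD port; it relies only on ls(1), so the same script works on FreeBSD and on other systems. The default paths for smbd and smb.conf are the ones named above; the text does not say where the log files go, so /var/log/samba is an assumption, and all three paths, as well as the expected owner (root by default), can be passed as arguments so the checks can be tried on test files.

```sh
#!/bin/sh
# check_samba_perms: verify the file permissions recommended above.
# Added example; not part of Samba or of the FreeBSD port.

# mode_string FILE -> the ls(1) mode field, e.g. "-rwxr-xr-x"
mode_string() {
    ls -ld "$1" | awk '{ print $1 }'
}

# owner_of FILE -> the owner name from ls -l
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# world_or_group_writable FILE -> true if the group (6th char) or others
# (9th char) have write permission
world_or_group_writable() {
    case "$(mode_string "$1")" in
        ?????w*|????????w*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# is_setuid FILE -> true if the owner execute slot shows "s" or "S"
is_setuid() {
    case "$(mode_string "$1")" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_samba_perms [SMBD] [SMB_CONF] [LOGDIR] [OWNER]
# Prints one line per problem and returns non-zero if any were found.
check_samba_perms() {
    smbd=${1:-/usr/local/sbin/smbd}
    conf=${2:-/usr/local/etc/smb.conf}
    logdir=${3:-/var/log/samba}    # assumption: the text does not locate the log files
    owner=${4:-root}
    status=0
    for f in "$smbd" "$conf"; do
        if [ ! -e "$f" ]; then
            echo "$f: missing"; status=1; continue
        fi
        if [ "$(owner_of "$f")" != "$owner" ]; then
            echo "$f: owned by $(owner_of "$f"), not $owner"; status=1
        fi
        if world_or_group_writable "$f"; then
            echo "$f: writable by group or others; should be writable only by $owner"; status=1
        fi
    done
    if [ -e "$smbd" ] && is_setuid "$smbd"; then
        echo "$smbd: is setuid; smbd must not be setuid"; status=1
    fi
    if [ -d "$logdir" ]; then
        # the log directory should grant nothing to group or others
        case "$(mode_string "$logdir")" in
            d??????---*) ;;
            *) echo "$logdir: readable or writable by others; should be accessible only by $owner"; status=1 ;;
        esac
    else
        echo "$logdir: missing"; status=1
    fi
    return $status
}

# Run against the default locations when executed directly.
check_samba_perms && echo "Samba permissions OK"
```

A zero exit status means all three recommendations hold; each line of output names a file and the recommendation it violates.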
smbd and nmbd: the Samba daemons
The main component of Samba is smbd, the SMB daemon. In addition, you need the Samba name daemon, nmbd, which supplies NetBIOS name services for Samba. smbd requires a configuration file, which we'll look at below, while you don't normally need one for nmbd. By default, nmbd maps DNS host names (without the domain part) to NetBIOS names, though it can perform other functions if you need them. In this chapter we'll assume the default behaviour. See the man page nmbd(8) for other possibilities.
You have two choices of how to run smbd and nmbd: you can start them at boot time from /usr/local/etc/rc.d/samba.sh, or you can let inetd start them. The Samba team recommends starting them at boot time.
When you install Samba from the Ports Collection, it installs a file /usr/local/etc/rc.d/samba.sh.sample. You just need to rename it to /usr/local/etc/rc.d/samba.sh. As the name suggests, it's a shell script. You can modify it if necessary, but it's usually not necessary.
The man page for smbd gives a number of parameters to specify the configuration file and the log file. As long as you stick to the specified file names, you shouldn't need to change anything: by default, smbd looks for the configuration file at /usr/local/etc/smb.conf, and this file contains the names of the other files.
Running the daemons from inetd
To run the daemons from inetd,
- Edit /etc/inetd.conf. You should find the following two lines towards the bottom of the file with a # in front. Remove the # so that the lines look as they do here. If your /etc/inetd.conf doesn't contain these lines, add them.
netbios-ssn stream tcp nowait root /usr/local/sbin/smbd smbd
netbios-ns dgram udp wait root /usr/local/sbin/nmbd nmbd
swat stream tcp nowait/400 root /usr/local/sbin/swat swat
swat is an administration tool that we don't discuss here. If you don't use it, leave its line commented out: it runs as root and accepts network connections, and there is no reason to offer a service you don't need.
- Either reboot, or send a HUP signal to cause inetd to re-read its configuration file:
# killall -1 inetd    (send a SIGHUP)
The configuration file
The Samba configuration file describes the services that the daemon offers. The port installs a sample configuration file in /usr/local/etc/smb.conf.default. You can use it as the basis of your own configuration file, which must be called /usr/local/etc/smb.conf: simply copy the file, and then edit it as described below.
The configuration file is divided into sections identified by a label in brackets. Most labels correspond to a service, but there are also three special labels: [global], [homes] and [printers], all of which are optional. We look at them in the following sections.