
安全機制

  1. 查詢 smbd ports
    [root@kvm8 ~]# netstat -tlunp | grep smb
    tcp     0     0     :::139       :::*      LISTEN      1727/smbd           
    tcp     0     0     :::445       :::*      LISTEN      1727/smbd
    

  2. 防火牆設定
    [root@kvm8 ~]# vim /etc/sysconfig/iptables
    ######################################################
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
    ######################################################
    註：以上兩條規則只限制 TCP 139/445 連接埠，未限制來源位址（任何 IP 都能連到 smbd）；若只供內網使用，建議加上 -s <內網網段> 縮小允許來源。
    

  3. 防火牆重新啟動
    [root@kvm8 ~]# /etc/init.d/iptables restart
    

  4. 開機啟動防火牆
    [root@kvm8 ~]# chkconfig iptables on
    

  5. 查詢 samba 相關的 selinux types
    [root@kvm8 ~]# seinfo -t | grep samba
       samba_secrets_t
       samba_unconfined_script_exec_t
       samba_net_t
       samba_var_t
       samba_net_exec_t
       samba_net_tmp_t
       samba_unconfined_net_t
       samba_unconfined_script_t
       sambagui_exec_t
       samba_share_t
       samba_initrc_exec_t
       sambagui_t
       samba_etc_t
       samba_log_t
    

  6. 設定分享目錄的 selinux type
    [root@kvm8 ~]# chcon -R -t samba_share_t /public
    [root@kvm8 ~]# ls -ldZ /public
    drwxr-xr-x. root root unconfined_u:object_r:samba_share_t:s0 /public
    

  7. selinux boolean 值
    [root@kvm8 ~]# getsebool -a | grep smb
    allow_smbd_anon_write --> off
    [root@kvm8 ~]# getsebool -a | grep samba
    samba_create_home_dirs --> off
    samba_domain_controller --> off
    samba_enable_home_dirs --> off
    samba_export_all_ro --> off
    samba_export_all_rw --> off
    samba_run_unconfined --> off
    samba_share_fusefs --> off
    samba_share_nfs --> off
    use_samba_home_dirs --> off
    virt_use_samba --> off
    

  8. 設定 selinux boolean
    [root@kvm8 ~]# setsebool -P samba_export_all_ro on
    註：samba_export_all_ro 會允許 smbd 唯讀存取系統上所有檔案，範圍遠比步驟 6 只對 /public 標記 samba_share_t 要廣；若只需分享 /public，步驟 6 已足夠，可不必開啟此 boolean。
    



2018-03-16