2008/06/14

0x07. [LPIC-302] Security and Performance

Linux File System and Share/Service Permissions
Candidates should understand file permissions on a Linux file system in a mixed environment

From the official Samba Howto, ch. 16, we read:

Samba does not attempt to go beyond POSIX ACLs, so the various finer-grained access control options provided in Windows are actually ignored.

Note

All access to UNIX/Linux system files via Samba is controlled by the operating system file access controls. When trying to figure out file access problems, it is vitally important to find the identity of the Windows user as it is presented by Samba at the point of file access. This can best be determined from the Samba log files.

This points us to the well-known chmod and chown commands; refresh their syntax. In the smb.conf file, two options are of particular importance:
  • create mask - takes a four-digit octal value and sets the permissions of files newly created through Samba accordingly. It can be used in all sections. Its default value is 0744.
  • directory mask - does for directories what create mask does for files.

Samba Security
Candidates should be able to secure Samba at both the firewall level, and the Samba daemons themselves

The first step towards Samba security can be the hosts allow/hosts deny directives in smb.conf:
hosts allow = 127.0.0.1 192.168.1.0/24
hosts deny = 0.0.0.0/0
The configuration above allows access to the Samba server only from localhost and its local network.

Similarly, we can go about narrowing down users that are allowed to connect:
valid users = @group, user1, user2
On top of this, access to Samba can be restricted to the interfaces specified:
interfaces = eth0 ath0 lo
bind interfaces only = yes
To block incoming connections to the Samba ports with iptables, configure it to drop packets destined for those ports.
[...]

Performance Tuning
Candidates should be able to cluster services for load balancing and high availability purposes, and tune Samba settings for better server and network performance

When measuring performance, two tools will be of particular interest:
  • netstat, which reports on current network connections and statistics
  • smbstatus, which reports on current Samba connections

Socket Options
Of all the socket options that can be applied in the smb.conf file, TCP_NODELAY apparently has the biggest impact on performance. For a full reference of socket options consult the smb.conf manual page.

Other Options to smb.conf:
  • log level - is known to cause drops in performance
  • read size - sets optimal value for
  • read raw
  • write raw
  • max xmit
  • max connections
  • max disk size
  • max mux
  • max open files
  • max print jobs (S)
  • max protocol (G)
  • max reported print jobs (S)
  • max stat cache size (G)
  • max ttl (G)
  • max wins ttl (G)
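As an added example (not part of the original post), the following audit parses an smb.conf and checks the options discussed above: the hosts allow/hosts deny pair, interfaces with bind interfaces only, world-writable create mask/directory mask values, the log level cost, and whether TCP_NODELAY is among the socket options. The sample configuration is constructed for the demonstration and the log level threshold of 3 is an assumption.

```python
import configparser

# Constructed sample smb.conf with a few deliberately weak settings.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    hosts allow = 127.0.0.1 192.168.1.0/24
    interfaces = eth0 lo
    bind interfaces only = no
    log level = 3
    socket options = TCP_NODELAY

[public]
    path = /srv/samba/public
    create mask = 0777
    directory mask = 0755
"""

def parse_smb_conf(text):
    """Return {section: {option: value}}; smb.conf is INI-like and keys may contain spaces."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False, empty_lines_in_values=False)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def world_writable(mask):
    """True if an octal mask such as 0777 grants write permission to 'other'."""
    return bool(int(mask, 8) & 0o002)

def audit(conf):
    """Return (section, option, finding) tuples for the options covered in the post."""
    findings = []
    g = conf.get("global", {})
    if "hosts allow" not in g:
        findings.append(("global", "hosts allow", "no allow list; any host may connect"))
    if "hosts deny" not in g:
        findings.append(("global", "hosts deny", "not set; the post pairs hosts allow with hosts deny = 0.0.0.0/0"))
    if "interfaces" in g and g.get("bind interfaces only", "no").lower() != "yes":
        findings.append(("global", "bind interfaces only", "interfaces listed but daemons bind to all addresses"))
    if int(g.get("log level", "0").split()[0]) >= 3:  # threshold is an assumption
        findings.append(("global", "log level", "high log level; known to cost performance"))
    if "tcp_nodelay" not in g.get("socket options", "").lower():
        findings.append(("global", "socket options", "TCP_NODELAY not set"))
    for section, opts in conf.items():  # mask checks apply to every section
        for opt in ("create mask", "directory mask"):
            if opt in opts and world_writable(opts[opt]):
                findings.append((section, opt, f"{opts[opt]} grants write to everyone"))
    return findings

if __name__ == "__main__":
    for section, option, finding in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{section}] {option}: {finding}")
```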
