{{keywords>mybook world bug security linux public login boot right permission access user administrator everyone share perl script samba configuration network service ssh}}

====== Secure PUBLIC folder ======

**BUG: Security settings for the PUBLIC folder reset with every reboot** \\
This fix addresses the following PUBLIC folder security issue: every file and folder inside PUBLIC is readable and writable by anyone on the network, with no login prompt. Anyone who can reach the device can therefore read, create, update, overwrite or delete any file in this folder, even without an account on the WDMB machine.

===== SYMPTOMS =====

To secure the WDMB machine, the sharing permissions must be changed so that not everyone has access. By default the PUBLIC folder allows unrestricted access. Once at least one user account exists, file access should be restricted to registered users. To do that, the administrator removes the "Everyone" permission from the PUBLIC folder, after which users are prompted to log in when they open the share:

  * Log in to the web administration interface
  * Open the **File Sharing** tab
  * Press **Update Security Settings**
  * Pick the **PUBLIC** share to change and press Next
  * Set the **Everyone** permission to **None**
  * Open PUBLIC from a client machine using \\DEVICE_NAME\PUBLIC (where DEVICE_NAME may be the IP address or the NAME of your MYBOOK)

The user is asked to log in before accessing the data.
  * Restart the device (by pressing the restart button or running the //reboot// command in a shell)
  * Open PUBLIC from the client machine again using \\DEVICE_NAME\PUBLIC

The user can now access any file without a login prompt: the "Everyone = None" setting made through the web interface did not survive the reboot.

**Update** 04-05-2008:\\
The BUG was fixed in newer [[firmware|firmware]] versions, greater than 02.00.00.

===== CAUSE =====

The boot process executes a series of scripts that override the administrator's settings:

  * All SNN scripts in the **/etc/init.d/** folder are run at boot (where NN is a number)
  * The script **S27shares-cleanup** calls **/usr/www/lib/removeExternalShares.pl** to remove any external shares (e.g. USB drives) that no longer exist:

<code bash>
/usr/local/bin/perl -I /usr/www/lib /usr/www/lib/removeExternalShares.pl
</code>

  * That script calls a Perl class used to handle Samba configuration changes:

<code perl>
use Service::Shares;
Service::Shares->deleteAllExternal();
</code>

  * The class file **/usr/www/lib/Service/Shares.pm** defines the method **createDefault()**. Every run of it deletes the existing [PUBLIC] section and recreates it from hard-coded defaults, so whatever the administrator set in the web interface is discarded:

<code perl>
sub createDefault {
    # Create the default 'Public' share
    my $class=shift;
    my $name=nasCommon->public_sharename;

    # create a defoult share if it doesn't exist and make it writable
    # Also, the data volume has to be available (mounted)
    #
    my $s=new Service::Storage( nasCommon->storage_volume );
    if ( (! -w nasCommon->public_share) && $s->data_volume_available()) {
        sudo("$nbin/mkdir.sh ".nasCommon->public_share);
        sudo("$nbin/chown.sh root:www-data ".nasCommon->public_share);
        sudo("$nbin/chmod.sh 775 ".nasCommon->public_share);
    }

    # Open or create the shares.inc file
    my $smbConf = $class->open( nasCommon->shares_inc );

    # First, delete existing Public share, just in case
    $smbConf->DeleteSection( $name );

    # Create the new share
    $smbConf->AddSection( $name );

    # Get the list of all users
    my $users=$class->findAllUsers();

    # Set up its parameters
    $smbConf->newval( $name, 'path', nasCommon->public_share );
    $smbConf->newval( $name, 'force user', nasCommon->share_guest );
    # $smbConf->newval( $name, 'guest only', 'Yes');
    # $smbConf->newval( $name, 'writeable', 'Yes');
    # $smbConf->newval( $name, 'guest ok', 'Yes' );
    $smbConf->newval( $name, 'valid users', join(' ',nasCommon->share_guest,keys( %{$users})));
    $smbConf->newval( $name, 'write list', join(' ',nasCommon->share_guest,keys( %{$users})));
    $smbConf->newval( $name, 'guest ok', 'Yes' );;

    # Write the file
    $smbConf->RewriteConfig;

    # Make sure the directory exists
    mkdir nasCommon->public_share;
}
</code>

  * The default parameters this method writes for the PUBLIC share are saved in **/var/oxsemi/shares.inc**:

<code ini>
[PUBLIC]
path=/shares/internal/PUBLIC
force user=www-data
valid users=www-data user1 user2
write list=www-data user1 user2
guest ok=Yes
</code>

  * At the end of the boot process, **/etc/init.d/S30network** is executed; it starts all network services, including **samba**
  * The Samba server reads its configuration from the files located in **/var/oxsemi/**

The configuration for the PUBLIC share translates to:

  * the path of the share is **/shares/internal/PUBLIC**
  * every file operation on the share is performed as **www-data** (''force user''), so new files and folders are owned by www-data and the POSIX permissions on the directory never restrict a connected client
  * the users allowed to connect to the share (''valid users'') are **www-data**, **user1** and **user2**
  * the users allowed to write and delete files and folders (''write list'') are **www-data**, **user1** and **user2**
  * **unregistered users are allowed in** (''guest ok=Yes''): a connection that supplies no valid credentials is treated as a guest session instead of being refused

Because the guest account ''nasCommon->share_guest'' (www-data) is both the forced user and listed in ''valid users'' and ''write list'', and ''guest ok=Yes'', a guest session passes every check and gets full read/write access to the folder. The "Everyone = None" change only lives in shares.inc until the next boot, when createDefault() deletes the [PUBLIC] section and writes these defaults back.
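The following audit script is an added example, not part of the firmware or of the original page. It reads the [PUBLIC] section of /var/oxsemi/shares.inc (the file the boot scripts regenerate) and reports the two conditions that make the share open: ''guest ok'' enabled, and the guest account present in ''valid users'' or ''write list''. It assumes POSIX sh and awk (busybox on the device) and that the guest account is www-data (nasCommon->share_guest); the two sample sections embedded in it are constructed from the listings above, so it runs without the device.

```shell
#!/bin/sh
# audit_public_share.sh: check whether the [PUBLIC] section that the boot
# scripts write to /var/oxsemi/shares.inc is open to unauthenticated clients.
# Added example, not part of the MyBook firmware. Assumes POSIX sh + awk
# (busybox) and that the Samba guest account is www-data
# (nasCommon->share_guest); override with GUEST_USER=... if yours differs.

GUEST_USER="${GUEST_USER:-www-data}"

# Print the value of option $2 inside section [$1] of the INI-style file $3.
# Samba accepts "key=value" and "key = value"; surrounding whitespace is trimmed.
ini_get() {
    awk -v sec="$1" -v key="$2" '
        /^[ \t]*\[/ { in_sec = ($0 ~ "^[ \t]*\\[" sec "\\][ \t]*$"); next }
        in_sec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$3"
}

# Return 0 when [PUBLIC] requires an account, 1 when a guest session would be
# let in. Each finding is printed so the script can run from cron or by hand.
audit_public_share() {
    file="$1"; bad=0
    guest_ok=$(ini_get PUBLIC "guest ok" "$file" | tr 'A-Z' 'a-z')
    case "$guest_ok" in
        yes|true|1) echo "FAIL: guest ok = $guest_ok (no login required)"; bad=1 ;;
        *)          echo "ok:   guest ok is not enabled (Samba default is no)" ;;
    esac
    for opt in "valid users" "write list"; do
        val=$(ini_get PUBLIC "$opt" "$file")
        case " $val " in
            *" $GUEST_USER "*) echo "FAIL: $opt = $val (includes guest account $GUEST_USER)"; bad=1 ;;
            *)                 echo "ok:   $opt = $val" ;;
        esac
    done
    return $bad
}

# Constructed samples: the default section this page shows, and the section
# written after the Shares.pm fix.
write_samples() {
    cat > "$1" <<'EOF'
[PUBLIC]
path=/shares/internal/PUBLIC
force user=www-data
valid users=www-data user1 user2
write list=www-data user1 user2
guest ok=Yes
EOF
    cat > "$2" <<'EOF'
[PUBLIC]
path=/shares/internal/PUBLIC
force user=www-data
valid users=user1 user2
write list=user1 user2
EOF
}

# Usage: sh audit_public_share.sh [/var/oxsemi/shares.inc]
# With no argument, the constructed samples are audited instead.
if [ $# -gt 0 ]; then
    audit_public_share "$1"
else
    bad_f=$(mktemp) && good_f=$(mktemp) && write_samples "$bad_f" "$good_f"
    echo "== default firmware section =="; audit_public_share "$bad_f" || true
    echo "== after the Shares.pm fix ==";  audit_public_share "$good_f" || true
    rm -f "$bad_f" "$good_f"
fi
```

On the device, run it as ''sh audit_public_share.sh /var/oxsemi/shares.inc'' after each reboot; a non-zero exit status means the share is open again. The complementary client-side check is ''smbclient -N //DEVICE_NAME/PUBLIC -c ls'', which should be refused once the share requires a login.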
===== FIX =====

This solution assumes that you have SSH access to the device. A short tutorial is available at [[home|WD MyBook World Edition Hack]].

To fix this issue, we recommend changing the source code of the **createDefault()** method in **/usr/www/lib/Service/Shares.pm**:

  * comment out lines 222 to 224 (the ''valid users'', ''write list'' and ''guest ok'' assignments)
  * add the updated versions of the first two lines directly below them, without ''nasCommon->share_guest''; ''guest ok'' is not re-added, so Samba's default (''no'') applies

<code perl>
# $smbConf->newval( $name, 'valid users', join(' ',nasCommon->share_guest,keys( %{$users})));
# $smbConf->newval( $name, 'write list', join(' ',nasCommon->share_guest,keys( %{$users})));
# $smbConf->newval( $name, 'guest ok', 'Yes' );;
$smbConf->newval( $name, 'valid users', join(' ',keys( %{$users})));
$smbConf->newval( $name, 'write list', join(' ',keys( %{$users})));
</code>

Back up the file before editing it, and compare the line numbers against your own copy first: they apply to the firmware version this page was written against, and an edit that lands on the wrong lines breaks the Perl syntax and, with it, the share setup at boot.

The final body of the method is:

<code perl>
sub createDefault {
    # Create the default 'Public' share
    my $class=shift;
    my $name=nasCommon->public_sharename;

    # create a defoult share if it doesn't exist and make it writable
    # Also, the data volume has to be available (mounted)
    #
    my $s=new Service::Storage( nasCommon->storage_volume );
    if ( (! -w nasCommon->public_share) && $s->data_volume_available()) {
        sudo("$nbin/mkdir.sh ".nasCommon->public_share);
        sudo("$nbin/chown.sh root:www-data ".nasCommon->public_share);
        sudo("$nbin/chmod.sh 775 ".nasCommon->public_share);
    }

    # Open or create the shares.inc file
    my $smbConf = $class->open( nasCommon->shares_inc );

    # First, delete existing Public share, just in case
    $smbConf->DeleteSection( $name );

    # Create the new share
    $smbConf->AddSection( $name );

    # Get the list of all users
    my $users=$class->findAllUsers();

    # Set up its parameters
    $smbConf->newval( $name, 'path', nasCommon->public_share );
    $smbConf->newval( $name, 'force user', nasCommon->share_guest );
    # $smbConf->newval( $name, 'guest only', 'Yes');
    # $smbConf->newval( $name, 'writeable', 'Yes');
    # $smbConf->newval( $name, 'guest ok', 'Yes' );
    # $smbConf->newval( $name, 'valid users', join(' ',nasCommon->share_guest,keys( %{$users})));
    # $smbConf->newval( $name, 'write list', join(' ',nasCommon->share_guest,keys( %{$users})));
    # $smbConf->newval( $name, 'guest ok', 'Yes' );;
    $smbConf->newval( $name, 'valid users', join(' ',keys( %{$users})));
    $smbConf->newval( $name, 'write list', join(' ',keys( %{$users})));

    # Write the file
    $smbConf->RewriteConfig;

    # Make sure the directory exists
    mkdir nasCommon->public_share;
}
</code>

===== RESULTS =====

The security settings for the **PUBLIC** share now reset to a more secure state (compared to the default one) with every reboot: all users are asked to log in before they can access any file in the folder. The guest account is no longer in ''valid users'' or ''write list'', and with ''guest ok'' absent a connection without valid credentials is refused instead of being mapped to a guest session.

The resulting Samba configuration in **/var/oxsemi/shares.inc** is:

<code ini>
[PUBLIC]
path=/shares/internal/PUBLIC
force user=www-data
valid users=user1 user2
write list=user1 user2
</code>

Two things to keep in mind. ''force user=www-data'' is unchanged, so the fix controls who may connect but not what they may do once connected: every registered user still has the same rights to every file, and all files are still created as www-data, so there is no per-user ownership or accountability in the folder. And because the change lives in Shares.pm, verify it after a reboot (''cat /var/oxsemi/shares.inc'' should show the section above, and ''smbclient -N //DEVICE_NAME/PUBLIC -c ls'' from a client should be refused) and again after any firmware upgrade, which may install a fresh copy of the file.
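A scripted, checked version of the edit above, added here as an example (not from the original page or the firmware). Instead of editing by line number, it matches the three statements verbatim (ignoring indentation), refuses to run unless each occurs exactly once, keeps a .orig backup, and leaves the file untouched on any mismatch, which also makes it safe to rerun on an already patched file. It assumes busybox sh and awk on the device, that the path /usr/www/lib/Service/Shares.pm and the statement text match your firmware, and it ships a constructed excerpt of createDefault() (taken from the listing above) for a ''--demo'' run that touches nothing on the device.

```shell
#!/bin/sh
# fix_shares_pm.sh: apply the createDefault() edit from this page to
# /usr/www/lib/Service/Shares.pm by matching the statements themselves rather
# than line numbers. Added example, not part of the MyBook firmware. Assumes
# POSIX sh + awk (busybox) and that the three statements below appear in the
# file exactly as listed on this page (indentation may differ).

SHARES_PM="${SHARES_PM:-/usr/www/lib/Service/Shares.pm}"

# The three statements to comment out (text as shown on the page, including the
# stray ';;') and the two replacements that drop nasCommon->share_guest.
OLD_VALID="\$smbConf->newval( \$name, 'valid users', join(' ',nasCommon->share_guest,keys( %{\$users})));"
OLD_WRITE="\$smbConf->newval( \$name, 'write list', join(' ',nasCommon->share_guest,keys( %{\$users})));"
OLD_GUEST="\$smbConf->newval( \$name, 'guest ok', 'Yes' );;"
NEW_VALID="\$smbConf->newval( \$name, 'valid users', join(' ',keys( %{\$users})));"
NEW_WRITE="\$smbConf->newval( \$name, 'write list', join(' ',keys( %{\$users})));"

# Rewrite $1 into $2. Each OLD_* line is commented out in place; the two NEW_*
# lines are inserted after the 'guest ok' line with the same indentation.
# Exit status is non-zero unless every OLD_* line was found exactly once, so
# a different firmware or an already patched file is left alone.
patch_shares_pm() {
    awk -v ov="$OLD_VALID" -v ow="$OLD_WRITE" -v og="$OLD_GUEST" \
        -v nv="$NEW_VALID" -v nw="$NEW_WRITE" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        {
            t = trim($0)
            if (t == ov || t == ow || t == og) {
                ind = $0; sub(/[^ \t].*$/, "", ind)   # keep the original indentation
                print ind "# " t
                n[t]++
                if (t == og) { print ind nv; print ind nw }
                next
            }
            print
        }
        END { if (n[ov] != 1 || n[ow] != 1 || n[og] != 1) exit 2 }
    ' "$1" > "$2"
}

# Patch $SHARES_PM in place, keeping a .orig copy of the untouched file.
apply_fix() {
    src="$1"
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    tmp="$src.new.$$"
    if patch_shares_pm "$src" "$tmp"; then
        [ -e "$src.orig" ] || cp "$src" "$src.orig"
        mv "$tmp" "$src" && echo "patched $src (backup in $src.orig)"
    else
        rm -f "$tmp"
        echo "not patching $src: expected statements not found exactly once" >&2
        return 1
    fi
}

# Constructed excerpt of createDefault() (from the listing on this page) used
# by --demo so the transformation can be inspected without touching the device.
write_sample_shares_pm() {
    cat > "$1" <<'EOF'
sub createDefault {
    my $class=shift;
    my $name=nasCommon->public_sharename;
    my $smbConf = $class->open( nasCommon->shares_inc );
    $smbConf->DeleteSection( $name );
    $smbConf->AddSection( $name );
    my $users=$class->findAllUsers();
    $smbConf->newval( $name, 'path', nasCommon->public_share );
    $smbConf->newval( $name, 'force user', nasCommon->share_guest );
    # $smbConf->newval( $name, 'guest ok', 'Yes' );
    $smbConf->newval( $name, 'valid users', join(' ',nasCommon->share_guest,keys( %{$users})));
    $smbConf->newval( $name, 'write list', join(' ',nasCommon->share_guest,keys( %{$users})));
    $smbConf->newval( $name, 'guest ok', 'Yes' );;
    $smbConf->RewriteConfig;
}
EOF
}

# Usage: sh fix_shares_pm.sh --demo    (show the diff on the sample excerpt)
#        sh fix_shares_pm.sh --apply   (patch $SHARES_PM on the device)
case "${1:-}" in
    --apply) apply_fix "$SHARES_PM" ;;
    --demo)  s=$(mktemp); o=$(mktemp)
             write_sample_shares_pm "$s"
             patch_shares_pm "$s" "$o" && diff "$s" "$o"
             rm -f "$s" "$o" ;;
esac
```

Run ''--demo'' first to see exactly which lines change; on the device, ''--apply'' writes Shares.pm.orig next to the original, and a second ''--apply'' reports that the statements were not found and changes nothing. After the next reboot, /var/oxsemi/shares.inc should match the section shown under RESULTS.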