BUG: Security settings for PUBLIC folder reset with every reboot
This fix addresses a security issue with the PUBLIC folder: all files and folders inside it are accessible (read/write) to anyone on the network without a login prompt. Anyone may therefore read, create, update, save, or delete any file in this folder, even without any rights to access the WDMB machine.
To secure the WDMB machine, the sharing permissions must be updated so that not everyone has access. By default, the PUBLIC folder allows unrestricted access. After at least one user is created, it would be nice to restrict file access to registered users only. To do that, the administrator should remove the “Everyone” permissions from the PUBLIC folder. Users are then asked to log in when they try to access the folder.
The user is asked to log in before accessing the data.
The user is allowed to access any file without the login prompt.
<note tip>Update 04-05-2008:
The BUG was fixed in newer firmware versions greater than 02.00.00</note>
The boot process executes a series of scripts that will override the administrator settings:
<code>
/usr/local/bin/perl -I /usr/www/lib /usr/www/lib/removeExternalShares.pl
</code>
<code perl>
use Service::Shares;
Service::Shares->deleteAllExternal();
</code>
<code perl>
sub createDefault {
    # Create the default 'Public' share
    my $class=shift;
    my $name=nasCommon->public_sharename;

    # create a default share if it doesn't exist and make it writable
    # Also, the data volume has to be available (mounted)
    #
    my $s=new Service::Storage( nasCommon->storage_volume );
    if ( (! -w nasCommon->public_share) && $s->data_volume_available()) {
        sudo("$nbin/mkdir.sh ".nasCommon->public_share);
        sudo("$nbin/chown.sh root:www-data ".nasCommon->public_share);
        sudo("$nbin/chmod.sh 775 ".nasCommon->public_share);
    }

    # Open or create the shares.inc file
    my $smbConf = $class->open( nasCommon->shares_inc );

    # First, delete existing Public share, just in case
    $smbConf->DeleteSection( $name );

    # Create the new share
    $smbConf->AddSection( $name );

    # Get the list of all users
    my $users=$class->findAllUsers();

    # Set up its parameters
    $smbConf->newval( $name, 'path', nasCommon->public_share );
    $smbConf->newval( $name, 'force user', nasCommon->share_guest );
    # $smbConf->newval( $name, 'guest only', 'Yes');
    # $smbConf->newval( $name, 'writeable', 'Yes');
    # $smbConf->newval( $name, 'guest ok', 'Yes' );
    $smbConf->newval( $name, 'valid users', join(' ',nasCommon->share_guest,keys( %{$users})));
    $smbConf->newval( $name, 'write list', join(' ',nasCommon->share_guest,keys( %{$users})));
    $smbConf->newval( $name, 'guest ok', 'Yes' );;

    # Write the file
    $smbConf->RewriteConfig;

    # Make sure the directory exists
    mkdir nasCommon->public_share;
}
</code>
The configuration for the PUBLIC folder translates into:
<code>
[PUBLIC]
path=/shares/internal/PUBLIC
force user=www-data
valid users=www-data user1 user2
write list=www-data user1 user2
guest ok=Yes
</code>
<note tip>This solution assumes that you've installed SSH access. A small tutorial is available at WD MyBook World Edition Hack.</note>
To fix this issue, we recommend changing the source code of the createDefault() method in /usr/www/lib/Service/Shares.pm:
<code perl>
# $smbConf->newval( $name, 'valid users', join(' ',nasCommon->share_guest,keys( %{$users})));
# $smbConf->newval( $name, 'write list', join(' ',nasCommon->share_guest,keys( %{$users})));
# $smbConf->newval( $name, 'guest ok', 'Yes' );;
$smbConf->newval( $name, 'valid users', join(' ',keys( %{$users})));
$smbConf->newval( $name, 'write list', join(' ',keys( %{$users})));
</code>
The final body of the method is:
<code perl>
sub createDefault {
    # Create the default 'Public' share
    my $class=shift;
    my $name=nasCommon->public_sharename;

    # create a default share if it doesn't exist and make it writable
    # Also, the data volume has to be available (mounted)
    #
    my $s=new Service::Storage( nasCommon->storage_volume );
    if ( (! -w nasCommon->public_share) && $s->data_volume_available()) {
        sudo("$nbin/mkdir.sh ".nasCommon->public_share);
        sudo("$nbin/chown.sh root:www-data ".nasCommon->public_share);
        sudo("$nbin/chmod.sh 775 ".nasCommon->public_share);
    }

    # Open or create the shares.inc file
    my $smbConf = $class->open( nasCommon->shares_inc );

    # First, delete existing Public share, just in case
    $smbConf->DeleteSection( $name );

    # Create the new share
    $smbConf->AddSection( $name );

    # Get the list of all users
    my $users=$class->findAllUsers();

    # Set up its parameters
    $smbConf->newval( $name, 'path', nasCommon->public_share );
    $smbConf->newval( $name, 'force user', nasCommon->share_guest );
    # $smbConf->newval( $name, 'guest only', 'Yes');
    # $smbConf->newval( $name, 'writeable', 'Yes');
    # $smbConf->newval( $name, 'guest ok', 'Yes' );
    # $smbConf->newval( $name, 'valid users', join(' ',nasCommon->share_guest,keys( %{$users})));
    # $smbConf->newval( $name, 'write list', join(' ',nasCommon->share_guest,keys( %{$users})));
    # $smbConf->newval( $name, 'guest ok', 'Yes' );;
    $smbConf->newval( $name, 'valid users', join(' ',keys( %{$users})));
    $smbConf->newval( $name, 'write list', join(' ',keys( %{$users})));

    # Write the file
    $smbConf->RewriteConfig;

    # Make sure the directory exists
    mkdir nasCommon->public_share;
}
</code>
With this change, the security settings for the PUBLIC folder still reset with every reboot, but to a more secure state than the default one. All users are now asked to log in before accessing any file in the folder. The resulting Samba configuration file /var/oxsemi/shares.inc is:
<code>
[PUBLIC]
path=/shares/internal/PUBLIC
force user=www-data
valid users=user1 user2
write list=user1 user2
</code>
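To confirm after a reboot that the regenerated file no longer grants guest access, the share sections can be checked mechanically. The script below is an added example, not part of the WD firmware or the original page: audit_shares is a hypothetical helper, www-data is assumed as the guest account because that is what the page's configuration shows, and the check goes slightly beyond the page by also recognising Samba's "public" synonym and the other boolean spellings.

```shell
#!/bin/sh
# Added example (not WD firmware code): flag Samba shares that still allow guests.
# Usage: audit_shares FILE [GUEST_ACCOUNT]   (default www-data, as on this page)
# Prints one "share: finding" line per problem; returns 1 if any were found.
audit_shares() {
    awk -v guest="${2:-www-data}" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    /^[ \t]*[#;]/ { next }                      # skip comment lines
    /^[ \t]*\[/ {                               # section header, e.g. [PUBLIC]
        share = $0
        sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share)
        next
    }
    share != "" && index($0, "=") {
        raw = trim(substr($0, 1, index($0, "=") - 1))
        val = trim(substr($0, index($0, "=") + 1))
        key = tolower(raw); gsub(/[ \t]/, "", key)   # names ignore case and spaces
        # "public" is the smb.conf synonym for "guest ok"
        if ((key == "guestok" || key == "public") && tolower(val) ~ /^(yes|true|1)$/) {
            print share ": guest access enabled by " raw; bad = 1
        }
        if (key == "validusers" || key == "writelist") {
            n = split(val, users, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (users[i] == guest) {
                    print share ": guest account " guest " listed in " raw; bad = 1
                }
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# The two PUBLIC sections shown on this page, written to scratch files.
demo_dir=$(mktemp -d)
printf '%s\n' '[PUBLIC]' 'path=/shares/internal/PUBLIC' 'force user=www-data' \
    'valid users=www-data user1 user2' 'write list=www-data user1 user2' \
    'guest ok=Yes' > "$demo_dir/before.inc"
printf '%s\n' '[PUBLIC]' 'path=/shares/internal/PUBLIC' 'force user=www-data' \
    'valid users=user1 user2' 'write list=user1 user2' > "$demo_dir/after.inc"

audit_shares "$demo_dir/before.inc" || echo "before.inc: guest access still possible"
audit_shares "$demo_dir/after.inc" && echo "after.inc: no guest access settings"
```

On the device, the same function can be pointed at /var/oxsemi/shares.inc over SSH, assuming awk is available there.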