43.7. Editing Share Security Options

Once a printer or file share has been created, you can edit various security-related options that control who has access to it and which hosts can connect to it. This can be useful if a share contains files to which only certain people should have access, or if your Samba server is for use only by clients on your internal network.

To edit share security options, follow these steps:

1. Click on the name of the share in the table to bring up its editing form on the module's main page, then click on the Security and Access Control icon.

2. As explained in Section 43.4 “Adding a New File Share”, the Writable? and Guest access? fields determine whether or not the share can be written to and if authentication is needed. The Guest UNIX user field sets the UNIX user as which guest clients read and write files. Change them again here if you wish.

3. To only allow certain hosts access to this share, select the second radio button in the Hosts to allow field and enter a list of hostnames and IP addresses into the adjacent text box. Partial IPs like 192.168.1. or network addresses like 192.168.1.0/255.255.255.0 can be used to allow access to an entire network. If your system is an NIS client, you can enter a netgroup name preceded by a @ (like @servers) to allow all of the group's members.

If All is selected, all hosts will be granted access, unless you fill in the next field. No matter what you enter, connections from the local host (127.0.0.1) are always allowed unless it is specifically listed in the Hosts to deny field.

4. To block only specific hosts from accessing this share, fill in the Hosts to deny field with a similar list of hostnames, IP addresses, networks, or netgroups. If both fields are filled in, Hosts to allow takes precedence. If None is selected, all hosts will be permitted.

5. To allow only certain users to access this share, fill in the Valid users field with a space-separated list of usernames. You can also fill in the Valid groups field with a list of groups whose primary and secondary members will be granted access. Only if both lists are empty will all users be allowed.

6. To deny specific users and members of groups, fill in the Invalid users and Invalid groups fields. If a user appears in both the valid and invalid lists, he will be denied access.

7. To restrict some users to read-only access for this share, enter a list of usernames into the Read only users field. You can also enter a list of UNIX groups in the Read only groups field to restrict their primary members. Everyone else will have full read/write access, assuming that the share is actually writeable and that the Read/write fields have not been filled in.

8. To give only certain users permission to write to the share and restrict everyone else to read-only access, enter a list of usernames into the Read/write users field. As usual, the Read/write groups field can be used to enter a list of groups whose primary members will be allowed to write as well. Naturally, normal UNIX file permissions that may prevent writing to files or directories still apply to all users. If a user appears in both the Read only and Read/write lists, he will be allowed to write.

The fields in this and the previous step have no effect on printer shares. Instead, all allowed users will be able to print.

9. When you are done editing file security options, click the Save button at the bottom of the page to activate the new settings.

In addition to setting security options for a single share, you can set defaults for all shares that will apply unless overridden in individual shares. To do this, click on the File Share Defaults icon on the module's main page instead of the name of a share, and then on Security and Access Control. Some settings—like the lists of hosts to allow or deny—really should be set globally, as you probably want to limit access to your entire server to just a trusted network. See Section 43.12 “Editing Share Defaults” for more information on how defaults work.
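
To review the result of these steps across all shares, the following added example (not taken from the book or from Webmin) audits smb.conf text for the situations described above: no host restriction, guest access combined with write access, and users who appear in two conflicting lists. It assumes the form fields are stored under the standard Samba parameter names (hosts allow, hosts deny, valid users, invalid users, read list, write list, guest ok, writable), a mapping the text does not state; the sample configuration is constructed.

```python
# Constructed sample: share names, users and networks are made up.
SAMPLE = """\
[global]
   hosts allow = 192.168.1. 127.
[finance]
   valid users = alice bob @accounts
   invalid users = bob
   read list = alice
   write list = alice
[scratch]
   public = yes
   writeable = yes
"""
SYNONYMS = {"public": "guest ok", "writeable": "writable", "allow hosts": "hosts allow"}

def parse_smb_conf(text):
    conf, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())
            current[SYNONYMS.get(key, key)] = value.strip()
    return conf

def yes(opts, key):
    return opts.get(key, "no").lower() in ("yes", "true", "1")

def users(opts, key):
    return set(opts.get(key, "").replace(",", " ").split())

def audit(text):
    """Return {share: [findings]} for every share except [global]."""
    conf = parse_smb_conf(text)
    defaults = conf.pop("global", {})
    report = {}
    for share, own in conf.items():
        opts = {**defaults, **own}  # a share's own settings override the defaults
        found = report.setdefault(share, [])
        if not opts.get("hosts allow") and not opts.get("hosts deny"):
            found.append("any host may connect")
        if yes(opts, "guest ok") and yes(opts, "writable"):
            found.append("guests can write")
        for user in sorted(users(opts, "valid users") & users(opts, "invalid users")):
            found.append(f"{user}: valid and invalid, access denied")
        for user in sorted(users(opts, "read list") & users(opts, "write list")):
            found.append(f"{user}: read-only and read/write, can write")
    return report
```

Calling audit() on the contents of your own smb.conf returns an empty list for each share that triggers none of these checks.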
