Lab 5 Network File Sharing Services
Goal: Share file or printer resources with FTP, NFS and Samba
Sequence 1: Implementing File Transport Protocol(FTP) Services
Deliverable: A working FTP server accessible to hosts and users. An available, but "invisible" upload directory via FTP.
Instructions:
1. Inventory your system and install packages as necessary. Enable the service at system boot.
The following package(s) are required: vsftpd. Check and install if necessary. Please see the Appendix for help on installing software. Use chkconfig to enable this service.
a. # yum -y install vsftpd
b. # chkconfig vsftpd on
2. Consider and document which access controls are applicable to your service implementation to meet the specified requirements.
| Access Control | Implementation |
| Application | /etc/vsftpd/vsftpd.conf |
| PAM | /etc/pam.d/vsftpd |
| xinetd | N/A |
| tcp_wrappers | linked, use service name vsftpd |
| SELinux | ensure correct file contexts; change one boolean |
| Netfilter, IPv6 | disregard IPv6 access for now |
| Netfilter | tcp and udp port 21, and ip_conntrack_ftp.ko |
Check which ports are commonly used for your service:
grep 'ftp' /etc/services
Check whether vsftpd is linked, or controlled by another utility that is linked with libwrap.so.
ldd $(which vsftpd) | grep libwrap
strings $(which vsftpd) | grep hosts
Application Specific Security
Inspect configuration files used by your service to see the default access control options. A recommended file to begin your inspection is the initialization script called at system boot.
Compare these defaults to the stated requirements.
SELinux
Determine that vsftpd is an SELinux-targeted service by checking the policy file:
semanage fcontext -l | grep ftp
You can check for SELinux booleans by running:
getsebool -a | grep ftp
To permit "Anonymous Upload":
setsebool -P allow_ftpd_full_access on
If you're unsure about the purpose of these settings, try following up with man pages:
man -k ftp | grep selinux
If the above command fails to indicate a man page, but instead displays an error message with the string "updatedb", then you must run makewhatis &. Please retry the man command as listed above.
3. The vsftpd package provides /var/ftp/ for downloads of files by the anonymous FTP user. It does not set up an upload directory. Configure vsftpd to permit uploads by anonymous users. Prepare a directory named /var/ftp/incoming/ for incoming files. Make the group ownership ftp, and make the permissions 730. Verify the permissions on the new directory.
Also ensure that IP network traffic may pass through the Netfilter rules.
a. Edit the file /etc/sysconfig/iptables-config to automatically insert the Netfilter ftp specific module, and insert a Netfilter rule to permit access to vsftpd. Note: an option may already exist for Netfilter, as in the example listed below.
/etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"
# iptables -I INPUT 1 -s 192.168.0.0/24 -p tcp --dport 21 -j ACCEPT
# iptables -I INPUT 1 -s 192.168.0.0/24 -p udp --dport 21 -j ACCEPT
b. # cd /var/ftp
c. # mkdir incoming
d. # chown root:ftp incoming
e. # chmod 730 incoming
f. # ls -ld /var/ftp/incoming
4. In /etc/vsftpd/vsftpd.conf, enable anonymous uploads, enable chown uploads and set the chown username to daemon, and set the anonymous umask to 077. Ensure anonymous users are enabled.
Restart vsftpd.
a. Set the following lines in /etc/vsftpd/vsftpd.conf (most of them should be commented in the file). In addition, anonymous_enable=YES should be set already by default.
anon_upload_enable=YES
chown_uploads=YES
chown_username=daemon
anon_umask=077
b. # service vsftpd restart
5. The result of these changes should be that the anonymous FTP user is able to upload files to /var/ftp/incoming, but cannot download files from that directory or list files in it. This is to stop "warez" traders from using our upload directory as a "drop box" for stolen software or data. Upload a file as the anonymous FTP user. It should end up in /var/
ftp/incoming, owned by user daemon and group ftp, with permissions 600 (readwrite by user daemon only).
6. If you want to access the FTP service from a remote machine, remember that vsftpd uses tcp_wrappers.
a. Add a line like this to /etc/hosts.allow to allow connection from the local subnet:
vsftpd: 192.168.0.
Sequence 2: Implementing Network File Sharing(NFS) Services
Deliverable: A working NFS share of the /home/nfstest/ directory
Instructions:
1. Inventory your system and install packages as necessary. Enable the service at system boot.
The following package(s) are required: nfs-utils. Check and install if necessary. The nfs-utils package provides the nfs and nfslock services. See the Appendix for help on installing software. Use chkconfig to enable this service.
a. # yum -y install nfs-utils
b. # chkconfig nfs on
c. # chkconfig nfslock on
2. Consider and document which access controls are applicable to your service implementation to meet the specified requirements.
| Access Control | Implementation |
| Application | /etc/exports |
| PAM | N/A |
| xinetd | N/A |
| tcp_wrappers | /sbin/portmap is compiled with linkwrap.a |
| SELinux | ensure correct file contexts; no change to booleans |
| Netfilter, IPv6 | disregard IPv6 access for now |
| Netfilter | tcp and udp ports 111 and 2049 are constant; set other port |
Check which ports are commonly used for your service:
grep -E 'portmap|nfs' /etc/services
Check whether NFS programs are linked, or controlled by another utility that is linked with libwrap.so. In this case, it is /sbin/portmap that must be carefully configured with tcp_wrappers.
strings $(which portmap) | grep hosts
Application Specific Security
Inspect configuration files used by your service to see the default access control options. A recommended file to begin your inspection is the initialization script called at system boot.
Compare these defaults to the stated requirements.
SELinux
Determine that NFS, or portmap is an SELinux-targeted service by checking the policy file:
semanage fcontext -l | grep -E 'nfs|portm'
You can check for SELinux booleans by running:
getsebool -a | grep -E 'nfs|portm'
If you're unsure about the purpose of these settings, try following up with man pages:
man -k nfs | grep selinux
If the above command fails to indicate a man page, but instead displays an error message with the string "updatedb", then you must run makewhatis &. Please retry the man command as listed above.
3. In the following steps, you will create a user and configure NFS to share the user's home directory to example.com read-write. Before configuring the NFS server, observe the RPC services you are now running.
a. # rpcinfo -p
b. # showmount -e localhost
4. Ensure Netfilter rules permit access to portmap and your NFS service.
Edit the file /etc/sysconfig/nfs to specify ports to be used by the NFS service, and insert Netfilter rules to permit access to portmap and your NFS service port assignments.
a. /etc/sysconfig/nfs
MOUNTD_PORT="4002"
STATD_PORT="4003"
LOCKD_TCPPORT="4004"
LOCKD_UDPPORT="4004"
b. # iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 111 -j ACCEPT
c. # iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 111 -j ACCEPT
d. # iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 4002 -j ACCEPT
e. # iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 4002 -j ACCEPT
f. # iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 4003 -j ACCEPT
g. # iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 4003 -j ACCEPT
h. # iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 4004 -j ACCEPT
i. # iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 4004 -j ACCEPT
j. # iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 2049 -j ACCEPT
k. # iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 2049 -j ACCEPT
l. # service iptables save; restorecon -R /etc/sysconfig
5. Create a test user named nfstest.
a. # useradd nfstest
6. Edit /etc/exports such that /home/nfstest is shared to example.com. See the man page for exports if you are unsure about the appropriate format for entries.
a. /etc/exports should have a line such as this:
/home/nfstest *.example.com(rw,sync)
7. Installation of the NFS server packages configures NFS to start in runlevels 2 through 5, however, as /etc/exports was empty at boot, the nfs and nfslock were not started. Start them now.
Installation of the NFS server packages configures NFS to start in runlevels 2 through 5, however, as /etc/exports was empty at boot, the nfs and nfslock were not started. Start them now.
a. # service nfs start
b. # service nfslock start
8. Observe which RPC services are running now and see if you are exporting /home/nfstest.
a. # rpcinfo -p
b. # showmount -e localhost
9. NFS also uses tcp_wrappers. Allow access to the required services to one of your neighbors or to the 192.168.0.0/24 subnet.
a. Add an entry such as this to the /etc/hosts.allow file:
portmap, mountd: 192.168.0.
10. Work with one or two partners, taking turns mounting each other's shares. Try reading the contents of the share and writing to it as both root and as nfstest (modify the nfstest user's UID and GID to match your partner's nfstest user if they are not the same.) What happens? Why?
a. # mkdir /home/remote
b. # mount stationY:/home/nfstest /home/remote
c. If the nfstest user's UID and GID match that of your partner(s), you should have permission to read/write to the NFS share. If not, you will not be able to access the directory. root should not have access to the NFS share, because of the default option root_squash.
Sequence 3: Implementing a Samba(SMB/CIFS) Server
Deliverable: A working Samba server accessible to several users with smbclient.
Instructions:
1. Inventory your system and install packages as necessary.
Enable the service at system boot.
The following package is required: samba. Check and install if necessary. Please see the Appendix for help on installing software. Use chkconfig to enable this service.
a. # yum -y install samba
b. # chkconfig smb on
2. Consider and document which access controls are applicable to your service implementation to meet the specified requirements.
Complete the access control matrix to be used as an aid while configuring the service:
| Access Control | Implementation |
| Application | /etc/samba/smb.conf |
| PAM | N/A |
| xinetd | N/A |
| tcp_wrappers | N/A |
| SELinux | ensure correct file contexts; change to one boolean |
| Netfilter, IPv6 | disregard IPv6 access for now |
| Netfilter | tcp and udp ports 137,138 and 139, tcp port 445 |
Check which ports are commonly used for your service:
grep -E 'netbio|microsoft-ds' /etc/services
Application Specific Security
Inspect configuration files used by your service to see the default access control options. A recommended file to begin your inspection is the initialization script called at system boot.
Compare these defaults to the stated requirements.
SELinux
Determine that Samba is an SELinux-targeted service by checking the policy file:
semanage fcontext -l | grep sam
You can check for SELinux booleans by running:
getsebool -a | grep sam
To permit access to user home directories:
setsebool -P samba_enable_home_dirs on
If you're unsure about the purpose of these settings, try following up with man pages:
man -k sam | grep selinux
If the above command fails to indicate a man page, but instead displays an error message with the string "updatedb", then you must run makewhatis &. Please retry the man command as listed above.
3. Insert Netfilter rules to permit access to your Samba service port assignments.
a. # iptables -I INPUT 1 -s 192.168.0.0/24 -p tcp --dport 137 -j ACCEPT
b. # iptables -I INPUT 1 -s 192.168.0.0/24 -p udp --dport 137 -j ACCEPT
c. # iptables -I INPUT 1 -s 192.168.0.0/24 -p tcp --dport 138 -j ACCEPT
d. # iptables -I INPUT 1 -s 192.168.0.0/24 -p udp --dport 138 -j ACCEPT
e. # iptables -I INPUT 1 -s 192.168.0.0/24 -p tcp --dport 139 -j ACCEPT
f. # iptables -I INPUT 1 -s 192.168.0.0/24 -p udp --dport 139 -j ACCEPT
g. # iptables -I INPUT 1 -s 192.168.0.0/24 -p tcp --dport 445 -j ACCEPT
h. # service iptables save; restorecon -R /etc/sysconfig
4. Create a group named legal with GID 30000, to which the users karl, joe, mary and jen belong. These users do not yet exist on your system, so you'll need add them too. Add each of these users with a nologin shell. Do not give them passwords! They are permitted access to this system only through Samba.
a. # yum -y install samba-common samba-client samba
b. # service smb start
c. # smbclient -L localhost -N
d. # groupadd -g 30000 legal
e. #
for user in karl joe mary jen
do
useradd -G legal -s /sbin/nologin $user
done
5. By default, Samba is configured to receive encrypted passwords, but no passwords have been set in /etc/samba/smbpasswd. To test your Samba server, you must run smbpasswd for each user you wish to grant access to your server. Add the users from the previous step, root, and another user of your choosing (e.g., student).
a. Run the following command, and enter a password for each user when prompted.
# for user in karl joe mary jen root student
do
echo Adding $user to the smbpasswd file...
smbpasswd -a $user
done
6. Notice the first share defined in /etc/samba/smb.conf, [homes], has no path specified. This share is configured to share a user's home directory if they connect and authenticate. Explore one or two of the user's home directory shares. Upload a file to the joe user's home share.
a. # smbclient //stationX/joe -U joe
Password:
smb> put /etc/hosts hosts
smb> exit
#
Sequence 4: Providing access to a group directory
Scenario: It turns out that in addition to having their own private shares on the server, our four users are part of the same department and require a place to store their departmental files. We will need to set up a Linux group for the users, create a directory for the users to store their content, and configure the Samba server to share the directory.
Deliverable: A Linux directory that only the legal group can use.
A Samba share that only legal group users can access and modify.
Instructions:
1. Create the directory path /home/depts/legal. Set the ownerships and permissions on the directory such that people in the legal group can add/delete files, but others can not. Also set the SGID and Sticky permissions so that the group ownership on all files created in this directory will be set to the group owner of legal and so that one user can not remove another's files.
a. # mkdir -p /home/depts/legal
b. # chgrp legal /home/depts/legal
c. # chmod 3770 /home/depts/legal
2. Create a Samba share called [legal] in /etc/samba/smb.conf. Only the members of the legal group should have write access to the share. In addition, ensure that the files placed in the [legal] share are created with permissions 0660.
a. In the /etc/samba/smb.conf file, place the following after the Share Definitions section (you can simply add this to to bottom of the file):
[legal]
comment = Legal's files
path = /home/depts/legal
public = no
write list = @legal
create mask = 0660
3. Restart the smb service and test users of the legal group (and users not of this group) with smbclient.
a. # service smb restart
b. # smbclient //stationX/legal -U karl
c. # smbclient //stationX/legal -U joe
d. # smbclient //stationX/legal -U mary
e. # smbclient //stationX/legal -U jen
f. # smbclient //stationX/legal -U student%student
g. # smbclient //stationX/legal -U root