Practical Unix Security And Operating Systems Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

In this paper work we are about to present a samba server which is an interface for UNIX and the windows operating systems. From the point of view of a system administrator, the role of samba in a UNIX environment is clearly discussed in this work.

Samba started as a huge or complex project which is exciting and ambition oriented. A group of thirty different individuals from different groups came together to design the samba software.

We need samba in many cases, one of them being, a UNIX server which has large amounts of stored data and needs to be shared between windows client machines. Security features and access control lists of samba are discussed further in this paper.

Multiuser capability, multi tasking, communication, security and portability are the salient features provided by the UNIX operating system. As a multiuser capability provider UNIX offers the users to access the same computer resources like hard disk and memory. Users operate from many different terminals. It is very economical to have UNIX as we can avoid using the number of systems when compared to the users. UNIX also provides the multitasking facility where in which it allows the user to edit in its editor while executing some other commands simultaneously, in the background. This is done very efficiently by dividing the C.P.U times between all the processes.

One of the main things we can talk about is the Security provided by UNIX operating system. It has got three provisions for protecting the data. Provisions are as follows:

First provision is by giving user name and passwords to a particular user by which we can avoid unauthorised users.

Secondly the read, write and execute permissions for all the files by which we can decide the permissions to a particular file.

File encryption is also provided by the UNIX by which a file is encoded into an unreadable format.

Functioning of UNIX is done in three different levels:

Applications and tools on the outer crust.

Kernel level which is at the heart of UNIX, it interacts with the hardware.

Shell level: which is a mediator between the applications and kernel level; it conveys the commands to kernel.

Role and function of samba: -

Samba is software which provides print and file services for Microsoft windows clients. This services can be operated on any Tcp/ip (transport control protocol over internet protocol) enabled platform. The actual deployed platforms were UNIX and Linux but we can say it is in common use in variety of systems these days.

Along with the file and print capabilities samba also provides the interoperability between the operating systems.

A daemon is a process which runs in the background all the time for providing services and it is a UNIX application. We have three different types of daemons in samba which are very important.

Nmbd-it handles all the user datagram protocols and protocols based on them (UDP). This is the first command to be started as the initialization of samba process.

Smbd-it handles all the tcp/ip protocols which are connection oriented, and these connections are for safeguarding file transfers and printing. Authentication is done locally here and it has to be started immediately after the Nmdb daemon.

Winbindd-this is started if samba is a member of Windows NT.

Practical examples: -

If we carefully observe any contents of samba, any line in the smb.conf (configuration file) starts with something like "security =", is very important as it gives users the information about what kind of security feature is being provided to them.

Informing the servers about the client's authentication process can be explained through the security features. We know the authentications from many different sources. If we use the active directory we can authenticate at a local level as a part of the domain. Authentication is generally designed or given by the IT department; here samba needs to know the way this authentication is happening as there are many different types of authentication.

Security features supported by Samba:

There are five different types of security features provided by Samba.






Different features in detail:

User: - here samba just looks for the username and password of the client. Once it accepts the user name and password then it mounts the shares on the server. This is a very simple working mode. (Security = user)

Share: - (security =s hare) here in the samba server the client will authenticate itself. Authentication is done against a share by the client, which means it only has access to that share. While using this mode a password is sent by the client along with the every share request. If the password is gone through then the client will access or else a denial is encountered by the client in accessing the share. Initially the client sends a session for the request which includes an applicable username. Then the samba records the username, later a connection request is issued by the client to share the client. Lastly the password is checked against the username, and if it matches then access is provided or else not.

Domain: (security = domain) it gives a chance for storing all the usernames and passwords in a centralized location which can be called as shared account.

All the controllers of domain share this account. A second parameter is needed while using this feature in samba. "Workgroup = domain_name" is how it looks in the configuration and this is the second parameter required in the domain.

ADS: (security = ADS) this is a active directory mode. This mode is possible only if the active directory is running in a native mode. Samba needs Kerberos when running in the ADS mode, which means our samba server should be installed with the Kerberos system.

Samba conf is included with realm= your.kerberos.realm.

Server: (security = server) this is the last feature provided by the samba. It sends the username and password to another machine. If the other machine is not working then obviously the authentication will be lost and it is not desired, so this method is not being use much these days. This is a very serious security issue as it poses many problems.

Implementing the ACLs on samba server:

The owner, group and all other users associated to a file have different permissions to the files and directories in a system. These permissions are limited and so on the need for access control lists has emerged.

Utilities like adding, removing and retrieving the information are provided by the ACLs. The configuration of ACLs can be set in four different ways such as per group, per user, through the effective masking and to the users who are not in the user group.

There are 5 different things which have to be kept in mind for the windows Acls to work with the samba servers.

Support from the kernel.

Support from the file system

Installing the support libraries

Mounting a file system along with the support of ACLs.

Compiling and linking of samba with the support of ACLs.

UNIX permission table: if we type in the command for long listing (ls) in UNIX we will get the table in which we will find something like "dlrwxrwxrwx", which gives us the type and user, group and others permissions.

The permissions are as follows:

Type users group others

dl r w x r w x r w x

Can Execute, List files

Can Write, Create files

Can Read, Read files

Can Execute, List files

Can Write, Create files

Can Read, Read files

Can Execute, List files

Can Write, Create files

Can Read, Read files

Is a symbolic link

Is a directory

In the above figure if any of the bit is set to "-", that means it is unset or cannot be used.

Read, write and execute are denoted by r, w and x respectively. These bits set permission for owner of the file, group which it belongs and the other users of the file.

Simple message block protocol and access control:

Invalid users = root x y ; here this option gives us a chance to not to give an access to particular users, in this case x and y are rejected the access to the share.

Valid users = w x y z ; here the users are given permissions to access the share. Here w, x, y and z are the valid users and they get the permission to access the share.

Host allow = ip address dns name; here a list of computers with the ip addresses and proper domain names are allowed to access the share.

Host deny = I.P address 1 I.P address 2 ; here the given I.P addresses are denied the access.

We will get a prompt for password once we enter smbclient //bigserver/tmp. The password used when creating the account should be typed then, and we get a smb> prompt. If we don't get the smb prompt there must be as error and this is because of the incorrect setup of the file tmp. There are few more cases possible if we get a bad password error. They are:

We might have shadow passwords without compiling them in the smbd.

User configuration might be incorrect.

Setting the level for password may be wrongly chosen.

Incorrect path line in the configuration file will also lead to errors.

Mapping of unix to samba server is very important, though the password encryption is enabled it will not have any effect if mapping of unix to samba is improper.

Testgroup is the working group for samba and widows common working environment. The command nmblookup -M testgroup can be used to get the internet protocol address of the master browser, if we do not get the ip address back then it means improper setting up of configuration file. We have to make sure that the network options are correctly selected. The whole process is called as election process and the choice for preferred master should be chosen as yes to make sure the election process is initiated.

Security Auditing:

We all know that unix and Microsoft windows NT are having different models for presenting users and groups and their information. They both use different technologies for implementation process. Using the samba helps us in creating a identical naming of user for the two different environments, here in our case unix and windows NT.

Here the problem is providing two different sets of passwords. For unix machines we need to obtain the windows NT user information, authenticate them and password should be changed. The solution is winbind system which provides a solution for logon problems. It helps the system administrator to rely on the authentication process, which runs on the Windows NT for authentication of the domain members.

There are also different levels in password encryption selection, if we chose a higher level the system will run very slow because of the high authentication process.

Synchronisation of password:


Encrypt passwords = yes

Smb passwd file = /usr/local/samba/private/smbpasswd

UNIX password sync = yes

If the above options are enabled then the samba software will try and change the user's original password (as in root) when the encryption used is changed with the smb passwd.

Conclusion: -

Providing security in an organisation is very much important. Software's like samba always increase the ability of the operating systems to run successfully. There are few problems even with the samba which need to be sorted, as the new inventions and new coding comes into effect, so does the new problems in the field.

All the updates and advisories must be thoroughly taken for samba to run effectively. Also it is very important to edit and maintain the configurations of samba. Host based, user based protections are few additional measures for improving security.