Make ibay files executable

NethServer Version: 7.4
Module: Samba 4.4.4 AD
Need to be able to call exe files from an ibay on Windows clients…

Is this code safe to try?

mkdir -p /etc/e-smith/templates-custom/etc/samba/smb.conf/
vi /etc/e-smith/templates-custom/etc/samba/smb.conf/11globalexecfix

Paste the smb settings and save the file:

# Allow Windows machines to execute things that don't have
# the execute bit set
acl allow execute always = True

The way I read the effect of this, it opens all ibays to code execution. Is it possible to restrict it to an individual ibay? Tried templating but that looped the smb.conf file. Manually adjusting the file permission does allow the program to run.

Thanks

Hi Gordon! Sorry for the late reply.

Your request is similar to this one from @iglqut. Maybe he can give us some advice on his experience.

An option could be to manually set the executable ACL to the desired ibay. In this example we set an ACL for the Domain Users group, on an ibay named sharedfolder:

setfacl -PR -m group:"Domain Users":x /var/lib/nethserver/ibay/sharedfolder/

Another option is to create a custom template that will add (towards the end of the smb.conf file) the execution parameter for a specific ibay:

mkdir -p /etc/e-smith/templates-custom/etc/samba/smb.conf/
vi /etc/e-smith/templates-custom/etc/samba/smb.conf/99ibay_customization

Replace sharedfolder with the ibay name:

# 99ibay_customization:
[sharedfolder]
acl allow execute always = True

Apply the changes:

signal-event nethserver-samba-update

One more option is to create a new ibay profile, for instance by duplicating the default profile and adding the executable ACL right. In this example the new profile is named executable:

cp -r /etc/e-smith/templates/etc/samba/smb.conf/ibay-default/ /etc/e-smith/templates/etc/samba/smb.conf/ibay-executable/
vi /etc/e-smith/templates/etc/samba/smb.conf/ibay-executable/21profile_executable

# 21profile_executable:
acl allow execute always = True

Then assign the new profile to the desired ibay (replace sharedfolder with your own ibay name):

db accounts setprop sharedfolder SmbProfileType executable

Finally, apply the changes:

signal-event nethserver-samba-update

Do note what the smb.conf manual says about the acl allow execute always parameter:

I’m not an expert, so if anyone observes security implications or knows better options, please comment.


We are using the template method. That has been working now for 6 months in our system without any trouble, because you're independent from modification through updates.
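
To check the concern raised in this thread (a global fragment enabling execution on every ibay versus a per-ibay setting), the following added example, which is not part of any post above, parses an smb.conf file and reports which sections turn on acl allow execute always. The sample file contents and the ibay name docs are constructed; on a real server the input would be the generated smb.conf.

```sh
# Added example: list the smb.conf sections that enable "acl allow execute always".
# A hit on "global" means the setting is the default for every share.
exec_always_shares() {   # $1 = path to an smb.conf file
    awk '
    # Samba ignores case and blanks in parameter names; normalise before comparing.
    function norm(s) { gsub(/[ \t\r]+/, "", s); return tolower(s) }
    /^[ \t]*[#;]/ { next }                       # comment line
    /^[ \t]*\[/ {                                # section header such as [sharedfolder]
        sec = $0
        sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        sec = tolower(sec)                       # repeated section names are merged here
        next
    }
    index($0, "=") {
        name = norm(substr($0, 1, index($0, "=") - 1))
        val  = norm(substr($0, index($0, "=") + 1))
        if (name == "aclallowexecutealways")     # last assignment for a section wins
            state[sec] = (val ~ /^(yes|true|1|on)$/)
    }
    END { for (s in state) if (state[s]) print s }
    ' "$1" | sort
}

# Succeeds only if every section with the setting enabled is an allowed ibay.
check_exec_scope() {     # $1 = smb.conf path, remaining args = allowed ibay names
    conf=$1; shift
    allowed=$(printf '%s\n' "$@" | tr '[:upper:]' '[:lower:]')
    extra=$(exec_always_shares "$conf" | grep -vxF -e "$allowed" || true)
    [ -z "$extra" ] || { echo "also enabled in: $extra" >&2; return 1; }
}

# Constructed sample of a generated file with the 99ibay_customization fragment
# appended ("docs" is a made-up second ibay).
write_sample() {
    cat > "$1" <<'EOF'
[global]
workgroup = EXAMPLE
[sharedfolder]
path = /var/lib/nethserver/ibay/sharedfolder
[docs]
ACL Allow Execute Always = no
# 99ibay_customization:
[sharedfolder]
acl allow execute always = True
EOF
}

sample=$(mktemp) && write_sample "$sample"
exec_always_shares "$sample"; rm -f "$sample"   # prints: sharedfolder
```

Calling check_exec_scope with the file and the ibay names that are meant to allow execution returns non-zero when any other section, including global, also enables the parameter.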