IN THIS ARTICLE
Describes how to use SMB host restrictions to limit access to an SMB share based on client IP address range
REQUIREMENTS
- Cluster running Qumulo Core 2.14.3 or above
- Admin privileges for the cluster
DETAILS
SMB host restrictions provide finer control over access to an SMB share based on client IP address range. Different address ranges may be granted full, read-only, or no access, depending on the needs of your deployment. Host permissions interact with user/group share permissions and file permissions on a "least privilege" basis, which means that in order for a privilege to be granted for a particular file, the file permissions, share user permissions, and share host permissions must all permit it.
As with the other types of permissions, host permissions are applied in the order they are written, from top to bottom. For example, if a host is denied a privilege by an entry near the beginning of the list, a later entry that allows that host the same privilege does not grant it.
It is also possible to configure the cluster so that shares which are not accessible to the client will not be shown when shares are enumerated.
Create a new SMB share with host restrictions
When a share is created using qq smb_add_share, the following options control the initial host permissions for the share:
- --full-control-hosts RANGE [RANGE ...]: Address ranges which should be permitted all access that is also granted by share permissions and file permissions. May be individual IP addresses, CIDR masks (e.g. 10.1.2.0/24), or ranges (e.g. 10.2.3.23-47, fd00::42:1fff-c000). To include all hosts, use "*" (including quotes).
- --read-only-hosts RANGE [RANGE ...]: Address ranges which should be permitted read-only access at most.
- --deny-hosts RANGE [RANGE ...]: Address ranges which should be denied access to this share, regardless of other permissions.
- --deny-all-hosts: Deny all access to this share.
NOTE: The --deny-hosts option has precedence over --read-only-hosts, which has precedence over --full-control-hosts.
If no host permission arguments are given, the default is for the share to allow all hosts full control. If host permissions are given, the default for a host that is not specified is to deny access. Multiple addresses and/or ranges may be specified per argument, and should be separated by spaces.
The following code shows the format for the command itself as well as an example of how to create a share that grants hosts 10.1.1.42 and 10.1.2.84 full control, all hosts in 10.100.0.0/16 read-only access, and denies access to all other hosts:
qq smb_add_share --fs-path PATH --name NAME --all-access --full-control-hosts RANGE --read-only-hosts RANGE
EXAMPLE:
$ qq smb_add_share --fs-path / --name share --all-access --full-control-hosts 10.1.1.42 10.1.2.84 --read-only-hosts 10.100.0.0/16
ID: 3
Name: share
Path: /
Description:
Access Based Enumeration: False
Encryption Required: False
Default File Create Mode: 0644
Default Directory Create Mode: 0755
Permissions:
ID Trustee Type Rights
== ======== ======= ===============================
1 Everyone Allowed Read, Write, Change permissions
Network Permissions:
ID Trustee Type Rights
== ==================== ======= ===============================
1 10.100.0.0/16 Denied Write, Change permissions
2 10.100.0.0/16 Allowed Read
3 10.1.1.42, 10.1.2.84 Allowed Read, Write, Change permissions
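The rules above (deny beats read-only beats full control, unlisted hosts denied once any host argument is given, and least-privilege intersection with share and file rights) can be modelled to check what a client would get before a share is changed. The following is an added example written for this article, not Qumulo code; it assumes the RANGE forms documented above and represents rights with the names qq prints in the Network Permissions table.

```python
import ipaddress

# Rights as printed by qq in the "Network Permissions" table (names from this article).
FULL = frozenset({"Read", "Write", "Change permissions"})
READ = frozenset({"Read"})
NONE = frozenset()


def parse_range(spec):
    """Turn one RANGE argument into a predicate over an ipaddress object.

    Forms as documented for qq: single address, CIDR mask (10.1.2.0/24), a start
    address plus final group (10.2.3.23-47, fd00::42:1fff-c000), or "*" for all.
    """
    if spec == "*":
        return lambda ip: True
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return lambda ip: ip in net  # False for a mismatched IP version
    if "-" in spec:
        start_s, last_group = spec.split("-", 1)
        start = ipaddress.ip_address(start_s)
        sep = ":" if start.version == 6 else "."
        # The end is given as the final group only; splice it onto the start.
        end = ipaddress.ip_address(start_s.rsplit(sep, 1)[0] + sep + last_group)
        return lambda ip: ip.version == start.version and start <= ip <= end
    addr = ipaddress.ip_address(spec)
    return lambda ip: ip == addr


def host_rights(client, full_control=(), read_only=(), deny=(), deny_all=False):
    """Rights the share's host permissions grant to `client` (an IP string).

    Deny beats read-only, which beats full control.  With no host arguments
    every host gets full control; once any are given, unlisted hosts are denied.
    """
    ip = ipaddress.ip_address(client)
    if deny_all:
        return NONE
    if not (full_control or read_only or deny):
        return FULL
    matches = lambda specs: any(parse_range(s)(ip) for s in specs)
    if matches(deny):
        return NONE
    if matches(read_only):
        return READ
    return FULL if matches(full_control) else NONE


def effective_rights(client, share_rights, file_rights, **host_args):
    """Least privilege: granted only if file, share and host permissions all allow it."""
    return frozenset(share_rights) & frozenset(file_rights) & host_rights(client, **host_args)
```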
View existing SMB share host restrictions
You can view the permissions for an existing share with the qq smb_list_share --id ID command:
$ qq smb_list_share --id 4
ID: 4
Name: share2
Path: /
Description:
Access Based Enumeration: False
Encryption Required: False
Default File Create Mode: 0644
Default Directory Create Mode: 0755
Permissions:
ID Trustee Type Rights
== ======== ======= ===============================
1 Everyone Allowed Read, Write, Change permissions
Network Permissions:
ID Trustee Type Rights
== ============= ======= ===============================
1 10.100.0.0/16 Allowed Read, Write, Change permissions
Modify Host Restrictions on an existing SMB share
You can add or modify host restrictions for an existing share using qq smb_mod_share, which takes the same arguments as smb_add_share above. If none of the network permissions arguments are given when modifying a share, the share’s network permissions will not be modified. When network permissions are given, the permissions specified replace whatever was previously set on the share.
The code below shows the full command format and an example.
qq smb_mod_share --id ID --full-control-hosts RANGE
EXAMPLE:
$ qq smb_mod_share --id 4 --full-control-hosts 10.100.0.0/16 192.168.1.0/24
ID: 4
Name: share2
Path: /
Description:
Access Based Enumeration: False
Encryption Required: False
Default File Create Mode: 0644
Default Directory Create Mode: 0755
Permissions:
ID Trustee Type Rights
== ======== ======= ===============================
1 Everyone Allowed Read, Write, Change permissions
Network Permissions:
ID Trustee Type Rights
== ============================= ======= ===============================
1 10.100.0.0/16, 192.168.1.0/24 Allowed Read, Write, Change permissions
NOTE: If you are adding restrictions to a share that has pre-existing restrictions, you have to specify the ones you wish to retain as well as the new ones.
Hide an SMB share from unauthorized hosts
In order to hide shares from hosts that are not authorized for access, run the following command:
$ qq smb_modify_settings --hide-shares-from-unauthorized-hosts true
Remove all host restrictions from an SMB share
To remove all restrictions placed on an existing share, run the following command:
$ qq smb_mod_share --id <Share ID> --full-control-hosts "*"
RESOLUTION
You should now be able to use SMB host restrictions.