
SMB Host Restrictions

SMB host restrictions provide finer control over access to an SMB share based on client IP address range. Different address ranges may be granted full, read-only, or no access, depending on the needs of your deployment. Host permissions interact with user/group share permissions and file permissions on a "least privilege" basis, which means that in order for a privilege to be granted for a particular file, the file permissions, share user permissions, and share host permissions must all permit it.

As with the other types of permissions, host permissions are applied in the order they are written, from top to bottom. For example, if a given host is denied a privilege at the beginning of a list, and then a later entry in the list allows that host that privilege, the right will not be granted.

It is also possible to configure the cluster so that shares which are not accessible to the client will not be shown when shares are enumerated.

Create a new SMB share with host restrictions

When a share is created using qq smb_add_share, the following options control the initial host permissions for the share:

  • --full-control-hosts RANGE [RANGE ...]: Address ranges which should be permitted all access that is also granted by share permissions and file permissions. May be individual IP addresses, CIDR masks (e.g. 10.1.2.0/24), or ranges (e.g. 10.2.3.23-47, fd00::42:1fff-c000). To include all hosts, use "*" (including quotes).
  • --read-only-hosts RANGE [RANGE ...]: Address ranges which should be permitted read-only access at most.
  • --deny-hosts RANGE [RANGE ...]: Address ranges which should be denied access to this share, regardless of other permissions.
  • --deny-all-hosts: Deny all access to this share.

NOTE: The --deny-hosts option has precedence over --read-only-hosts, which has precedence over --full-control-hosts.

If no host permission arguments are given, the default is for the share to allow all hosts full control. If host permissions are given, the default for a host that is not specified is to deny access. Multiple addresses and/or ranges may be specified per argument, and should be separated by spaces.
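The following Python is an added example, not Qumulo's code and not part of this article. It models the rules stated above (deny takes precedence over read-only, which takes precedence over full control; no host arguments means every host has full control; once any host argument is present an unlisted host is denied; and the final right is the least privilege granted by host, share and file permissions) so that a planned set of RANGE arguments can be checked against sample client addresses before it is applied. The handling of "start-suffix" ranges such as 10.2.3.23-47 (the suffix replaces the last address group) and of the "*" wildcard is an assumption inferred from the examples listed above, and the Access/HostPolicy names are this example's own.

```python
"""Model of SMB host-restriction evaluation as described on this page.

Added example, not Qumulo's code. The RANGE syntax assumptions (single IP,
CIDR, and 'start-suffix' ranges where the suffix replaces the last address
group) are inferred from the examples on the page.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    """Privilege levels ordered so that min() yields least privilege."""
    NONE = 0
    READ_ONLY = 1
    FULL = 2


def parse_range(spec):
    """Turn one RANGE argument into (start, end) addresses, or None for '*'.

    Assumption: in 'a-b', b is either a full address or a suffix that replaces
    the last dotted/coloned group of a (10.2.3.23-47 -> 10.2.3.23..10.2.3.47).
    """
    spec = spec.strip()
    if spec == "*":
        return None
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return net[0], net[-1]
    if "-" in spec:
        start_s, end_s = spec.split("-", 1)
        start = ipaddress.ip_address(start_s)
        try:
            end = ipaddress.ip_address(end_s)
        except ValueError:
            # Suffix form: rebuild the end address from the start's prefix.
            sep = "." if start.version == 4 else ":"
            head = start_s.rsplit(sep, 1)[0]
            end = ipaddress.ip_address(head + sep + end_s)
        if end.version != start.version or end < start:
            raise ValueError(f"bad range: {spec}")
        return start, end
    addr = ipaddress.ip_address(spec)
    return addr, addr


def in_ranges(specs, addr):
    """True if addr falls inside any RANGE in specs."""
    for spec in specs:
        rng = parse_range(spec)
        if rng is None:          # '*' matches every host
            return True
        start, end = rng
        if addr.version == start.version and start <= addr <= end:
            return True
    return False


@dataclass
class HostPolicy:
    """The four host-permission arguments accepted by qq smb_add_share."""
    full_control: list = field(default_factory=list)  # --full-control-hosts
    read_only: list = field(default_factory=list)     # --read-only-hosts
    deny: list = field(default_factory=list)          # --deny-hosts
    deny_all: bool = False                            # --deny-all-hosts


def host_access(policy, client_ip):
    """Access that the host restrictions alone grant to client_ip.

    Precedence follows the page: deny > read-only > full control. With no
    host arguments at all every host gets full control; once any host
    argument is present, an unlisted host is denied.
    """
    addr = ipaddress.ip_address(client_ip)
    if policy.deny_all:
        return Access.NONE
    if not (policy.full_control or policy.read_only or policy.deny):
        return Access.FULL
    if in_ranges(policy.deny, addr):
        return Access.NONE
    if in_ranges(policy.read_only, addr):
        return Access.READ_ONLY
    if in_ranges(policy.full_control, addr):
        return Access.FULL
    return Access.NONE


def effective_access(host, share, file_perms):
    """Least privilege: the lowest level any of the three layers allows."""
    return min(host, share, file_perms, key=lambda a: a.value)


# The page's own example: two hosts full control, one /16 read-only,
# everything else denied.
PAGE_EXAMPLE = HostPolicy(
    full_control=["10.1.1.42", "10.1.2.84"],
    read_only=["10.100.0.0/16"],
)

if __name__ == "__main__":
    for ip in ("10.1.1.42", "10.100.7.9", "192.168.1.5"):
        print(ip, host_access(PAGE_EXAMPLE, ip).name)
```

Running the module prints FULL, READ_ONLY and NONE for the three sample addresses, matching the share created in the example below. Because host_access() returns the host layer only, combine it with the share's user/group rights and the file's permissions through effective_access() when reasoning about what a given client can actually do to a given file.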

The following code shows the format for the command itself as well as an example of how to create a share that grants hosts 10.1.1.42 and 10.1.2.84 full control, all hosts in 10.100.0.0/16 read-only access, and denies access to all other hosts:

qq smb_add_share --fs-path PATH --name NAME --all-access --full-control-hosts RANGE --read-only-hosts RANGE

EXAMPLE:
$ qq smb_add_share --fs-path / --name share --all-access --full-control-hosts 10.1.1.42 10.1.2.84 --read-only-hosts 10.100.0.0/16
ID: 3
Name: share
Path: /
Description:
Access Based Enumeration: False
Encryption Required: False
Default File Create Mode: 0644
Default Directory Create Mode: 0755

Permissions:
ID Trustee Type Rights
== ======== ======= ===============================
1 Everyone Allowed Read, Write, Change permissions

Network Permissions:
ID Trustee Type Rights
== ==================== ======= ===============================
1 10.100.0.0/16 Denied Write, Change permissions
2 10.100.0.0/16 Allowed Read
3 10.1.1.42, 10.1.2.84 Allowed Read, Write, Change permissions

View existing SMB share host restrictions

You can view the permissions for an existing share with the qq smb_list_share --id ID command:

$ qq smb_list_share --id 4
ID: 4
Name: share2
Path: /
Description:
Access Based Enumeration: False
Encryption Required: False
Default File Create Mode: 0644
Default Directory Create Mode: 0755

Permissions:
ID Trustee Type Rights
== ======== ======= ===============================
1 Everyone Allowed Read, Write, Change permissions

Network Permissions:
ID Trustee Type Rights
== ============= ======= ===============================
1 10.100.0.0/16 Allowed Read, Write, Change permissions

Modify Host Restrictions on an existing SMB share

You can add or modify host restrictions for an existing share using qq smb_mod_share, which takes the same arguments as smb_add_share above. If none of the network permissions arguments are given when modifying a share, the share’s network permissions will not be modified. When network permissions are given, the permissions specified replace whatever was previously set on the share.

The code below shows the full command format and an example.

qq smb_mod_share --id ID --full-control-hosts RANGE

EXAMPLE:

$ qq smb_mod_share --id 4 --full-control-hosts 10.100.0.0/16 192.168.1.0/24
ID: 4
Name: share2
Path: /
Description:
Access Based Enumeration: False
Encryption Required: False
Default File Create Mode: 0644
Default Directory Create Mode: 0755

Permissions:
ID Trustee Type Rights
== ======== ======= ===============================
1 Everyone Allowed Read, Write, Change permissions

Network Permissions:
ID Trustee Type Rights
== ============================= ======= ===============================
1 10.100.0.0/16, 192.168.1.0/24 Allowed Read, Write, Change permissions

NOTE: If you are adding restrictions to a share that has pre-existing restrictions, you have to specify the ones you wish to retain as well as the new ones.

Hide an SMB share from unauthorized hosts

In order to hide shares from hosts that are not authorized for access, run the following command:

$ qq smb_modify_settings --hide-shares-from-unauthorized-hosts true

Remove all host restrictions from an SMB share

To remove all restrictions placed on an existing share, run the following command:

$ qq smb_mod_share --id <Share ID> --full-control-hosts "*"

RESOLUTION

You should now be able to use SMB host restrictions.

ADDITIONAL RESOURCES

SMB Share Permissions

Hide an SMB Share

QQ CLI: SMB Shares

 
