From 8f8a9f01909ba29e2b781310baeeaaddc3f15f0d Mon Sep 17 00:00:00 2001 From: "Gerald W. Carter" Date: Tue, 22 Apr 2008 10:09:40 -0500 Subject: Moving docs tree to docs-xml to make room for generated docs in the release tarball. (This used to be commit 9f672c26d63955f613088489c6efbdc08b5b2d14) --- docs-xml/smbdotconf/security/rootdirectory.xml | 35 ++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 docs-xml/smbdotconf/security/rootdirectory.xml (limited to 'docs-xml/smbdotconf/security/rootdirectory.xml') diff --git a/docs-xml/smbdotconf/security/rootdirectory.xml b/docs-xml/smbdotconf/security/rootdirectory.xml new file mode 100644 index 0000000000..8736598001 --- /dev/null +++ b/docs-xml/smbdotconf/security/rootdirectory.xml @@ -0,0 +1,35 @@ + +root +root dir + + The server will chroot() (i.e. + Change its root directory) to this directory on startup. This is + not strictly necessary for secure operation. Even without it the + server will deny access to files not in one of the service entries. + It may also check for, and deny access to, soft links to other + parts of the filesystem, or attempts to use ".." in file names + to access other directories (depending on the setting of the + parameter). + + + Adding a root directory entry other + than "/" adds an extra level of security, but at a price. It + absolutely ensures that no access is given to files not in the + sub-tree specified in the root directory + option, including some files needed for + complete operation of the server. To maintain full operability + of the server you will need to mirror some system files + into the root directory tree. In particular + you will need to mirror /etc/passwd (or a + subset of it), and any binaries or configuration files needed for + printing (if required). The set of files that must be mirrored is + operating system dependent. + + +/ +/homes/smb + -- cgit
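Review bot: In the second paragraph of the new rootdirectory.xml, "It absolutely ensures that no access is given to files not in the sub-tree" promises more than chroot() gives. chroot() changes how the server process resolves paths, and it is not a containment boundary for a process that keeps root privileges. Suggest wording such as "It restricts the server to the sub-tree specified in the root directory option", which also sits better with the first paragraph's statement that the option is "not strictly necessary for secure operation". The same paragraph tells the administrator to mirror /etc/passwd "(or a subset of it)" but leaves out that the mirrored copy has to be maintained alongside the real file; a sentence on keeping the mirrored set minimal and current would help. In the first paragraph as shown here, "depending on the setting of the parameter" does not name the parameter, so check that the option reference survives in the generated manual page.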