Rysz Posted May 5 Share Posted May 5 (edited) It would be great if the Samba Worm VFS module could be configurable on a per-share basis through the Web GUI (as on TrueNAS). It's extremely simple to integrate into an individual share configuration and would help harden Samba shares against ransomware from Windows clients a bit, something I'm sure many users here would appreciate. It's really just an additional Samba layer that can be activated and deactivated without trace at any time, so it works cleanly and without messing with the Linux file permissions or actual files underneath. Most of the ransomware originates from Windows clients. What the Worm VFS module does (when activated) is allowing to put new files onto a read/write Samba share, but disallowing writes to those files after a certain amount of time has passed (the grace period). So you could set up a grace period of 24 hours, where you can still make changes to any new files from these last 24 hours and once that time has passed they're turned read-only on that Samba share. This could be very useful for media libraries, as an example, where later changes to the files by the user are not to be expected. It's just two lines in the share configuration: vfs objects = worm worm:grace_period = 86400 # 1 day https://wiki.samba.org/index.php/Using_the_worm_VFS_Module Edited May 5 by Rysz Quote Link to comment
vollans Posted May 6 Share Posted May 6 Definitely a vote for me - the method currently suggested of doing it via the SMB options object results in only being able to set up WORM for a single share as the text space is limited in that box, and a bit fiddly to do. Supporting the Worm VFS option would be a huge plus, as it's really the biggest feature in TrueNas that I see "must have" for me and my use case. 1 Quote Link to comment
bmartino1 Posted May 6 Share Posted May 6 this can be done my manul edit to the smb server.... you would add that at the per share at bottom of config... Quote Link to comment
vollans Posted May 6 Share Posted May 6 Which is then overwritten every time the pool stops and restarts or the server restarts. It's not resilient. I note that the /etc/samba directory is wiped every time the system is took offline, and all the files are recreated when it starts up again. A solution that involves editing those files every time you do any sort of maintenance isn't sustainable. 1 Quote Link to comment
Rysz Posted May 6 Author Share Posted May 6 15 minutes ago, bmartino1 said: this can be done my manul edit to the smb server.... you would add that at the per share at bottom of config... Thanks, but the point of this feature request is to be able to configure this on a per share basis through the GUI. 1 Quote Link to comment
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.