Re: Samba Permissions

From: Elvis (elvislives_at_gmx.net)
Date: 11/11/04

    Date: Thu, 11 Nov 2004 17:37:58 +0000
    To: Stormblaze <stormblaze@gmail.com>, For users of Fedora Core releases <fedora-list@redhat.com>
    
    

    Stormblaze wrote:
    > On Thu, 11 Nov 2004 16:07:06 +0000, Elvis <elvislives@gmx.net> wrote:
    >
    >>Stormblaze wrote:
    >>
    >>
    >>
    >>>On Thu, 11 Nov 2004 16:12:12 +0100, shrek-m@gmx.de <shrek-m@gmx.de> wrote:
    >>>
    >>>
    >>>>Stormblaze wrote:
    >>>>
    >>>>
    >>>>
    >>>>
    >>>>
    >>>>>Ok, Samba is up and running. I can see the share I set up. However, I
    >>>>>can not write to it. What I'd like to have is for the default to be
    >>>>>read only and allow only certain users to write to it. So I set the
    >>>>>read only property to yes then I supplied users for write and admin
    >>>>>privileges. I log into my XP box as administrator and map to the
    >>>>>share but I still can't write to it.
    >>>>>
    >>>>>I tried turning the read only setting off and still could not write to
    >>>>>it. Any help? Here's my current smb.conf.
    >>>>>
    >>>>># Samba config file created using SWAT
    >>>>># from 127.0.0.1 (127.0.0.1)
    >>>>># Date: 2004/11/11 09:35:39
    >>>>>
    >>>>># Global parameters
    >>>>>[global]
    >>>>> server string = Linux Server
    >>>>> interfaces = eth1
    >>>>> security = SHARE
    >>>>> preferred master = Yes
    >>>>> ldap ssl = no
    >>>>>
    >>>>>[Data]
    >>>>> path = /Data
    >>>>> admin users = root, admin, administrator
    >>>>> write list = root, admin, administrator
    >>>>> guest ok = Yes
    >>>>>
    >>>>>
    >>>>
    >>>># ll /Data
    >>>>
    >>>>$ man smb.conf
    >>>>
    >>>>writable = yes
    >>>>or
    >>>>writeable = yes
    >>>>both should be ok.
    >>>
    >>>
    >>>Tried that. Those two are synonyms for the read only attribute. I
    >>>tried setting the share attribute read only to no. I still couldn't
    >>>write to it.
    >>>
    >>>
    >>>
    >>>>valid users = mary fred
    >>>
    >>>
    >>>I set guest ok to yes. Shouldn't this allow any users on? I'm doing
    >>>this for testing right now. Is it possible that my XP box is
    >>>remembering the settings for that share from the first time it logged
    >>>in?
    >>>
    >>>What I do is I change the settings. I restart both smbd and nmbd. I
    >>>disconnect the drive that is mapped to the share. I re-connect and
    >>>try.
    >>>
    >>>
    >>>
    >>>>check your settings with
    >>>># testparm
    >>>>
    >>>>--
    >>>>shrek-m
    >>>>
    >>>>--
    >>>>fedora-list mailing list
    >>>>fedora-list@redhat.com
    >>>>To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
    >>>>
    >>>
    >>>
    >>>
    >>Have you tried chmod 777 /Data ? Or if you are using acls, setfacl -m
    >>g:groupnameallowedtowrite:rwx /Data
    >>
    >
    >
    > You know, I was gonna reply and say that I'd already done the
    > equivalent but when I checked I saw that I hadn't. Apparently chmod
    > has changed a bit. I remember being able to do a chmod +w and it would
    > set the write bit for user group and other. It was a shortcut way of
    > doing chmod ugo+w but apparently now it's only a shortcut for chmod
    > u+w.
    >
    > Anyway, I'd done a ls -ld on it and thought I'd set the write bit but
    > I hadn't. Soon as I set the write bit for group and other (Read
    > execute was already done) , disconnected and re-connected now it
    > works.
    >
    > But now I have another question. If I open it up to rwx for everyone
    > then any local user could mess with it. The permissions that it had
    > were what they needed to be for local users. The directory is owned by
    > root and part of the root group. root had rwx permission and everyone
    > else had only read and execute permission:
    >
    > drwxr-xr-x 4 root root 4096 Nov 11 11:36 /Data
    >
    > So since we know it's a permission thing how can I keep this directory
    > read only for everyone including local users and allow only root or
    > administrator over samba to write to it?
    Looks like you need to use ACLs - this is quite easy. First, check if
    you have support for ACLs (I'm not 100% but pretty sure it's in kernel >= 2.6):
    mount /whateverdiskitsmountedon -o remount,acl
    If this works, you are in business! - edit your /etc/fstab file and put
    acl in the options.
    It does not matter if you have only one partition, mount it with acl. If
    you used the default ext3 filesystem then you will almost certainly have
    acl support.

    Next you need to give access to various people:
    chown youruser /dirforsamba
    setfacl -m u:username:rwx /your/dir
    setfacl -m u:root:rwx /your/dir

    Have a google for setfacl and getfacl - check the man pages as well, it's
    very useful.

    If you put `nt acl support = yes` in samba, you can now edit the ACLs
    through Windows as well (as long as you have write permission)

    Hope that helped

    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
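
An added example (not part of the original thread): a shell check for the goal discussed above, that only root and the Samba account keep write access to /Data. It reads `getfacl` output, applies the ACL mask, and reports writers that are not on an allowlist; the function names and the sample listings are constructed for illustration.

```shell
# acl_writers: read getfacl output on stdin, print one line per entry with
# effective write access. The mask limits named users and groups, not owner/other.
acl_writers() {
    awk -F: '
        /^# owner: / { owner = substr($0, 10); next }
        /^# group: / { group = substr($0, 10); next }
        /^#/ || NF < 3 || $1 == "default" { next }
        $1 == "mask" { mask = substr($3, 1, 3); next }
        { n++; tag[n] = $1; who[n] = $2; perm[n] = substr($3, 1, 3) }
        END {
            for (i = 1; i <= n; i++) {
                if (perm[i] !~ /w/) continue
                owner_entry = (tag[i] == "user" && who[i] == "")
                if (tag[i] != "other" && !owner_entry && mask != "" && mask !~ /w/) continue
                if (tag[i] == "other") { print "other"; continue }
                name = who[i]
                if (name == "") name = (tag[i] == "user") ? owner : group
                print tag[i] ":" name
            }
        }'
}

# unexpected_writers ALLOWED...: print writers found on stdin that are not in
# the allowlist; return 1 if there are any, 0 otherwise.
unexpected_writers() {
    extra=$(acl_writers | while read -r entry; do
        ok=no
        for allowed in "$@"; do if [ "$entry" = "$allowed" ]; then ok=yes; fi; done
        [ "$ok" = yes ] || echo "$entry"
    done)
    if [ -n "$extra" ]; then echo "$extra"; return 1; fi
}

# Constructed sample: /Data as root:root 0755 plus one named-user ACL entry.
ACL_WANTED='# owner: root
# group: root
user::rwx
user:administrator:rwx
group::r-x
mask::rwx
other::r-x'
# Constructed sample: the same directory after chmod 777.
ACL_OPEN='# owner: root
# group: root
user::rwx
group::rwx
other::rwx'

# On a live system: getfacl /Data | unexpected_writers user:root user:administrator
```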
    
