LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Prevent directory moving and renaming on samba share (https://www.linuxquestions.org/questions/linux-networking-3/prevent-directory-moving-and-renaming-on-samba-share-4175731293/)

mfoley 11-27-2023 02:21 PM
Prevent directory moving and renaming on samba share
 
I have a Samba shared network drive. It's smb.conf attributes are:
Code:
readonly = no
locking = yes
public = yes
printable = no
create mask = 0660
force user = user
force group = group
force create mode = 0660
directory mask = 2771
This important bit here is that the user.group is forced to (obfuscated) user.group. The Windows clients access this mapped drive as that user and group.

All that works fine in that all Windows users can read/update any files and folders on this share.

However, I now want some of the directories to have unchangeable names since certain paths get stored in the database. For example I need:
Code:
drwxrwx--x 14 user  group    4096 2022-12-22 10:12 Accts\ Payable\ -\ ofc/
to never allow users to change its name. Other solutions, such as changing the owner to root.root won't work because the entire volume is shared as owner user.group.

Can this be done?

wpeckham 11-28-2023 05:40 PM
The ONLY way I know to get that behavior is to allow only READ ONLY access on those files and folders, and in some cases even THAT does not suffice.

At a previous work location I advised to allow access using SAMBA only to a select group, and make the rest operate clients over network using only the application protocol or SFTP protocol. Where they did not take my advice remediation for accidental file or folder moves was routine.

(( I am not always right, but when I am I remember FOREVER! ;-) ))

rkelsen 11-28-2023 06:02 PM
Quote:
Originally Posted by mfoley (Post 6467102)
However, I now want some of the directories to have unchangeable names since certain paths get stored in the database. For example I need:
Code:
drwxrwx--x 14 user  group    4096 2022-12-22 10:12 Accts\ Payable\ -\ ofc/
to never allow users to change its name. Other solutions, such as changing the owner to root.root won't work because the entire volume is shared as owner user.group.

Can this be done?
In short: No.

As noted by wpeckham, accidental file or folder moves are a 'feature' of Windows/SMB file shares. You can't disable drag & drop in Windows, so any Windows user who has permissions to write to that share can cause havoc. If you do a search, you will find many, many forum posts by exasperated admins about this very big problem.

What I've done at the office on the client machines is something like this: https://www.top-password.com/blog/di...in-windows-10/ It doesn't disable drag and drop, just decreases its sensitivity. Users will complain about their computer being slow to respond, but it does go some way to preventing accidental moves. If you're running an AD server, you might be able to set this as group policy, but I don't know because I haven't tried.

mfoley 11-28-2023 10:39 PM
hmm, that sucks. So I can't even use Access Control Lists for this?

pan64 11-29-2023 12:51 AM
is it an ext4 filesystem (that you want to access from windows)? Or?

rkelsen 11-29-2023 05:46 PM
Quote:
Originally Posted by mfoley (Post 6467376)
hmm, that sucks. So I can't even use Access Control Lists for this?
You probably could, if you only have one or even just a few directories to protect... but it'd be on a per-directory basis, and a PITA to administer if you have to change something... Not something you'd want to do if you had tens or hundreds of directories.

There is another solution: https://github.com/broken-e/DragDropConfirm. This causes a confirmation dialog box to pop-up every time someone tries to move or rename a file or directory. You'd need to install it at the client end... and trust that your users aren't stupid enough to click OK instead of Cancel.


All times are GMT -5. The time now is 04:33 PM.