Prevent directory moving and renaming on samba share
I have a Samba shared network drive. Its smb.conf attributes are:
Code:
readonly = no
locking = yes
public = yes
printable = no
create mask = 0660
force user = user
force group = group
force create mode = 0660
directory mask = 2771
The important bit here is that the user.group is forced to (obfuscated) user.group. The Windows clients access this mapped drive as that user and group.
All that works fine in that all Windows users can read/update any files and folders on this share.
However, I now want some of the directories to have unchangeable names since certain paths get stored in the database. For example I need:
Code:
drwxrwx--x 14 user group 4096 2022-12-22 10:12 Accts\ Payable\ -\ ofc/
to never allow users to change its name. Other solutions, such as changing the owner to root.root won't work because the entire volume is shared as owner user.group.
The ONLY way I know to get that behavior is to allow only READ ONLY access on those files and folders, and in some cases even THAT does not suffice.
At a previous work location I advised to allow access using SAMBA only to a select group, and make the rest operate clients over network using only the application protocol or SFTP protocol. Where they did not take my advice, remediation for accidental file or folder moves was routine.
(( I am not always right, but when I am I remember FOREVER! ;-) ))
However, I now want some of the directories to have unchangeable names since certain paths get stored in the database. For example I need:
Code:
drwxrwx--x 14 user group 4096 2022-12-22 10:12 Accts\ Payable\ -\ ofc/
to never allow users to change its name. Other solutions, such as changing the owner to root.root won't work because the entire volume is shared as owner user.group.
Can this be done?
In short: No.
As noted by wpeckham, accidental file or folder moves are a 'feature' of Windows/SMB file shares. You can't disable drag & drop in Windows, so any Windows user who has permissions to write to that share can cause havoc. If you do a search, you will find many, many forum posts by exasperated admins about this very big problem.
What I've done at the office on the client machines is something like this: https://www.top-password.com/blog/di...in-windows-10/ It doesn't disable drag and drop, just decreases its sensitivity. Users will complain about their computer being slow to respond, but it does go some way to preventing accidental moves. If you're running an AD server, you might be able to set this as group policy, but I don't know because I haven't tried.
hmm, that sucks. So I can't even use Access Control Lists for this?
You probably could, if you only have one or even just a few directories to protect... but it'd be on a per-directory basis, and a PITA to administer if you have to change something... Not something you'd want to do if you had tens or hundreds of directories.
There is another solution: https://github.com/broken-e/DragDropConfirm. This causes a confirmation dialog box to pop-up every time someone tries to move or rename a file or directory. You'd need to install it at the client end... and trust that your users aren't stupid enough to click OK instead of Cancel.
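Since the replies conclude that a rename cannot simply be blocked on this share, one fallback is to detect it after the fact. The following is an added example, not code from any poster in this thread: it records the inode of each directory whose path is stored in the database and later reports where a renamed or moved directory now lives. The function names, the in-memory baseline (standing in for the database) and the sample tree are assumptions.

```python
import os
import tempfile

def snapshot(share_root, protected):
    """Record (device, inode) for each protected directory, keyed by its stored relative path."""
    base = {}
    for rel in protected:
        st = os.stat(os.path.join(share_root, rel))
        base[rel] = (st.st_dev, st.st_ino)
    return base

def find_drift(share_root, baseline):
    """Return {stored_path: current_path or None} for directories no longer at their stored path."""
    wanted = {}
    for rel, ident in baseline.items():
        try:
            st = os.stat(os.path.join(share_root, rel))
            if (st.st_dev, st.st_ino) == ident:
                continue  # same directory is still at the stored path
        except OSError:
            pass  # path is gone (or no longer reachable)
        wanted[ident] = rel
    drift = {rel: None for rel in wanted.values()}
    if not wanted:
        return drift
    # A rename within one filesystem keeps the inode, so search the share for it.
    # A copy-and-delete move across filesystems gets a new inode and stays None.
    for dirpath, dirnames, _ in os.walk(share_root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            rel = wanted.get((st.st_dev, st.st_ino))
            if rel is not None:
                drift[rel] = os.path.relpath(full, share_root)
    return drift

def demo():
    """Constructed sample: a throwaway tree standing in for the share."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Accts Payable - ofc", "2022"))
        os.makedirs(os.path.join(root, "Payroll"))
        os.makedirs(os.path.join(root, "Scratch"))
        base = snapshot(root, ["Accts Payable - ofc", "Payroll", "Scratch"])
        # Simulate an accidental drag-and-drop move and a deletion.
        os.rename(os.path.join(root, "Accts Payable - ofc"),
                  os.path.join(root, "Payroll", "Accts Payable - ofc"))
        os.rmdir(os.path.join(root, "Scratch"))
        return find_drift(root, base)
```

Run from cron on the Samba server, a non-empty result from `find_drift` tells the admin which stored path broke and where the directory ended up, so it can be moved back before the application hits the missing path.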