Permission to control read/write in Samba problem.

uncle-c · 10-21-2009, 07:42 AM

Hi there,
Utter confusion reigns !
Just some background first. Here is the ls -l output from the directory that I am sharing from my Samba server :

Code:

 $ ls -al

drwxrwx---  2 root   share  4096 2009-10-21 13:06 share

Note 770 permissions on the share directory.

The relevant part of the smb.conf file :

Code:

[linux-share]

path= /home/share

read only = no

 force group = share
 create mask = 0770
 force create mode = 0770

So any file created has 770 permissions and group owner is "share"
I have three samba accounts on the Samba server, myself (who is a member of the "share" group) , harry and max. Both max and harry are just ordinary users who have no login shell on the server, do not belong to any other groups and just have a samba login to upload files. Importantly, they are NOT in the share group.
The confusion arise when max and harry upload files.

(a) If the share directory is 770 owner root, group share, then why are they allowed to upload files? They are not in the group "share" and "other" does not have rwx permissions ???

(b) OK, so they can upload files and the files have 770 permissions as it states in the smb.conf, with owner being whoever uploaded the file and group being share. Below harry uploaded test.file. Here is the ls -l output :

Code:

[user@Linux /home]$ cd share
[user@Linux /home/share]$ ls -l
total *****
-rwxrwx--- 1 harry share       19 2009-10-21 13:27 test.file

[user@Linux /home/share]$

The file has inherited user( harry) ownership and group "share" as expected. The second problem is that when max logs into the share he can delete this file. How is this possible since he is not the owner of the file nor member of the "share" group ; /home/share (permissions 770) is owned by root and group owner is "share" and both max and harry do not belong to this group ?????

What I would eventually like is for both max and harry to be able to upload files but not read or delete each others files. The only person who should be able to read / write and delete other users' file is the person who belongs to group "share" i.e. me. I may have misunderstood permissions or have put the wrong permissions on the /home/share directory. A solution to this confusion would be highly appreciated !

cheers
C

fang0654 · 10-28-2009, 07:26 PM

Your problem is this:

Code:

force group = share

From the man page:

Quote:

This specifies a UNIX group name that will be assigned as the default primary group for all users connecting to this service.

So everyone who authenticates to that share, is interacting with it as if they were in the group 'share', regardless of whether they are or not.

If you want to make it so any files uploaded by yourself keep the same group name as the parent, if you are using an ext3 filesystem, you can do the following:

Code:

chmod g+s /home/share

Any files created in that folder afterwards will keep the same group ownership as that folder.

Edit:

After a little more reading of the man page myself, I see you can also do this:

Code:

force group = +share

This will only have them act as 'share' if they are already a member of that group.