Samba: How to set permissions on subfolders for different users.

adewri · 08-24-2003, 11:00 AM

Hi All,

This is my first post on this forum. And i have a question on SAMBA. I would be greatful if any one could help me out.

Problem description:

We had a windows fileserver, which crashed (thanks to MS and its lousy OS). I have some how convinced others to move the fileserver to linux platform. I have configured the samba server and its running well (Accessible on windows network). Have also started moving the files from windows to Linux.

Now the problem is that in windows there is an option of setting security on subfolders. Like say i have a shared folder d:\ForAll and subfolders d:\ForAll\ForTim and d:\ForAll\ForJohn. And user Tim has -rw- permission on d:\ForAll\ForTim but only -r- permission on d:\ForAll\ForJohn and similarly John has -rw- permission on d:\ForAll\ForJohn but only -r- permission on d:\ForAll\ForTim. OK this can be achieved by using write list and read list parameter in smb.conf.

What i did was on linux

Code:

[ForAll]
       path = /forall
       browseable = yes
       guest ok = yes
       writeable = yes
       create mask = 744
       write list = john tim

[ForTim]
       path = /forall/fortim
       browseable = yes
       guest ok = yes
       writeable = yes
       create mask = 744
       write list = tim
       read list = john

[ForJohn]
       path = /forall/forjohn
       browseable = yes
       guest ok = yes
       writeable = yes
       create mask = 744
       write list = john
       read list = tim

All set now, but i want to see only the shared folder ForAll on the network neighbourhood and not its subfolders. Now is it possible to hide the shared subfolders or to be more precise set permissions on same subfolders based on different user requirements.

Will setting browseable = no do the trick ? Won't it hide the subfolders when i open the parent folder ForAll cos i don't want that. I just want the subfolders not to be visible only while browing the Network Neighbourhood.

I hope im clear in explaining my problem.

OS is Redhat Linux 9.0 and SAMBA server is 2.2.7a

Regards

Amar

lyle_s · 08-24-2003, 12:48 PM

I'm not a Samba expert, but setting browseable = no in the ForTim and ForJohn shares will prevent them from being seen in Network Neighborhood. Browsing in SMB/CIFS means looking through the computers and shares (like when looking around in Network Neighborhood), and isn't anything to do with the hiding of folders within shares.

Please verify that tim can't write inside of /forall/forjohn when connecting through the ForAll share. Since tim is on the write list for share ForAll, and he can get into /forall/forjohn through the ForAll share, it stands to reason that he might be able to write there. Again, I'm not an expert so just make sure.

Most of what I know about Samba is from this article: http://www.linux-mag.com/2001-05/smb_01.html.

Lyle

mcleodnine · 08-24-2003, 01:18 PM

Here's a rule set I've been using with some success in Samba

Code:

[public]
        comment = Locally Shared Folder
        path = /pub
        read only = No
        create mask = 0755
        directory mask = 0775

members of the group can read, create files and directories.
only the owner can delete files or directories
members can create files in other members' directories

So if tim creates a file, others can read it, but not write to it.
If tim creates a directory others can add new stuff to it and read files in it, but only file owners can modify/delete files.

You'll need to set the sticky bit on the top directory ('chmod +t /topdir)

Code:

drwxrwxr-t   56 nobody     users        3424 Aug  9 11:42 pub/

adewri · 08-25-2003, 11:01 AM

lyle_s, mcleodnine thanks for your help...

lyle_s you are right about the part that if i set write list on /ForAll folder then that permission is propagated to child folders as well and hence if i give write list=tim john then both will be able to write on the subfolders even if i mention read list = john for /ForAll/fortim.

So what i did was spread out the subfolders as folders directly. No more subfolders. All folders will be parent.

And mcleodnine sticky bit part was very helpful....

But i was wondering, what if in future more subfolders are created then if i have to create every subfolder as parent folder then i have to say that windows folder security level is better than SAMBA's. I think Andrew Tridgell need to do something about this.

Regards
Amar