-   Linux - Software (
-   -   Samba: protect write-enabled directory-tree for move or delete (

alexandrusa 02-22-2008 09:30 AM

Samba: protect write-enabled directory-tree for move or delete
Hi there,

I have a write-enabled Samba-share with a directory-tree (created by a script) that I would like to protect. The users should be able to read, write (edit, delete, create new files on all depths, create (unprotected) sub-directories) but not to alter the protected tree (i.e. delete or move folders). Does Samba offer the possibility to do that?

I have tried to set the Windows-side attributes in a way to achieve that (give write privileges, but not delete ones), but I just get an "permission denied"-error.

running Samba 3.0.28


weisso5 02-22-2008 10:09 AM

Yes, you can set samba shares to have special permissions. Here are the examples from the smb.conf.example:


#============================ Share Definitions ==============================
  comment = Home Directories
  browseable = no
  writable = yes
# You can enable VFS recycle bin on a per share basis:
# Uncomment the next 2 lines (make sure you create a
# .recycle folder in the base of the share and ensure
# all users will have write access to it. See
# examples/VFS/recycle/REAME in the samba docs for details
;  vfs object = /usr/lib/samba/vfs/

# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
;  comment = Network Logon Service
;  path = /var/lib/samba/netlogon
;  guest ok = yes
;  writable = no

# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;    path = /var/lib/samba/profiles
;    browseable = no
;    guest ok = yes
# This script can be enabled to create profile directories on the fly
# You may want to turn off guest acces if you enable this, as it
# hasn't been thoroughly tested.
;root preexec = PROFILE=/var/lib/samba/profiles/%u; if [ ! -e $PROFILE ]; \
;                then mkdir -pm700 $PROFILE; chown %u:%g $PROFILE;fi

# NOTE: If you have a CUPS print system there is no need to
# specifically define each individual printer.
# You must configure the samba printers with the appropriate Windows
# drivers on your Windows clients. On the Samba server no filtering is
# done. If you wish that the server provides the driver and the clients
# send PostScript ("Generic PostScript Printer" under Windows), you have
# to swap the 'print command' line below with the commented one.
  comment = All Printers
  path = /var/spool/samba
  browseable = no
# set to yes to allow user 'guest account' to print.
  guest ok = no
  writable = no
  printable = yes

# This share is used for Windows NT-style point-and-print support.
# To be able to install drivers, you need to be either root, or listed
# in the printer admin parameter above. Note that you also need write access
# to the directory and share definition to be able to upload the drivers.
# For more information on this, please see the Printing Support Section of
# /usr/share/doc/samba-<version>/Samba-HOWTO-Collection.pdf
  path = /var/lib/samba/printers
  browseable = yes
  read only = yes
  write list = @adm root
  guest ok = yes

# This one is useful for people to share files
;  comment = Temporary file space
;  path = /tmp
;  read only = no
;  public = yes

# A publicly accessible directory, but read only, except for people in
# the "staff" group
;  comment = Public Stuff
;  path = /home/samba/public
;  public = yes
;  writable = no
;  write list = @staff
# Audited directory through experimental VFS module:
# Uncomment next line.
;  vfs object = /usr/lib/samba/vfs/

# Other examples.
# A private printer, usable only by Fred. Spool data will be placed in Fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;  comment = Fred's Printer
;  valid users = fred
;  path = /homes/fred
;  printer = freds_printer
;  public = no
;  writable = no
;  printable = yes

# A private directory, usable only by Fred. Note that Fred requires write
# access to the directory.
;  comment = Fred's Service
;  path = /usr/somewhere/private
;  valid users = fred
;  public = no
;  writable = yes
;  printable = no

# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %u option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;  comment = PC Directories
;  path = /usr/pc/%m
;  public = no
;  writable = yes

# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;  path = /usr/somewhere/else/public
;  public = yes
;  only guest = yes
;  writable = yes
;  printable = no

# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;  comment = Mary's and Fred's stuff
;  path = /usr/somewhere/shared
;  valid users = mary fred
;  public = no
;  writable = yes
;  printable = no
;  create mask = 0765

Please let me know if you are having any problems. If you are, please post smb.conf and other information like Distro, and error log information.


jschiwal 02-22-2008 07:14 PM

You can create your directory structure like this:
sudo mkdir -p /srv/samba/share/{subdirectory1,subdirectory2}
sudo chmod rwxt /srv/samba/share/{subdirectory1,subdirectory2}

The "t" is what makes the directories sticky. Make sure to make the directory and the subdirectories you want protected sticky. The owner of the directory will be able to delete files inside, but another user will not be able to. If the owner is root that wouldn't be a problem.

alexandrusa 03-05-2008 09:44 AM

Thanks, thats exactly what I had in mind. I use this script to create my protected directory trees:


sudo mkdir '$new_dir'
sudo cp -R $sample_dir '$new_dir'
sudo find '$new_dir' -type d -exec chown root {} ';'
sudo find '$new_dir' -type f -exec chown sarale {} ';'
sudo find '$new_dir' -exec chgrp mygroup {} ';'
sudo find '$new_dir' -exec chmod 770 {} ';'
sudo find '$new_dir' -type d -exec chmod a+t {} ';'

All times are GMT -5. The time now is 04:48 AM.