samba share with write but not delete

Red Squirrel · 08-27-2004, 03:57 PM

Is there a way to set a samba share so you can write, but not delete? I want to make a backup share so automated programs can put all the backups there, but I don't want it to be possible for anything or anyone to delete them. I only want to be able to delete from linux (ex: going into ssh and using the rm command).

Is there a way this can be done?

Right now the way I have it is that I have a folder with write permissions that backups go to, then every day a script runs to move the files to a safer location, but I rather not have to move stuff twice like that.

Thanks in advance.

gani · 08-27-2004, 08:36 PM

Try this as root user:

# mkdir -p /usr/local/samba/backup
# chmod 1770 /usr/local/samba/backup

Put these in your smb.conf file under share definitions:

[Backup]

commnent = Backup file that only root can access
path = /usr/local/samba/backup
public = no
valid users = root @root
force create mode = 0770
force directory mode =0770

Hope this works.

Red Squirrel · 08-27-2004, 10:39 PM

Yeah but now nobody can access it period I still need to be able to access it from anywhere I just don't want to be able to delete, only write.

Is there something like "delete=no" that I could use?

gani · 08-28-2004, 02:13 AM

Are you logon as root? It's root that should only do the backup in this case beacause the "world" permission is "0" - no access, no other user and group that could access this, except root user and its built-in group.

Will you allow others to put their files here ( as you said as backup )? If they have write access to this directory, they can also delete the files they wrote.

Since in the first place you wanted that this will be used only as a central backup directory and you don't want anybody to be able to delete any content except only when you're logged on in Linux box, then root should only be the user that should be permitted or granted full access.

gani · 08-28-2004, 02:25 AM

The public = no assures that this is not a public directory for everybody, only the one that owns this. The valid users = root @root assures that only the user root and its built-in (root) group will only have access. And since you're loged-on as root the time you created this this directory, by default this is owned by root and its group.

If you can't still access this as root, try to omit the "public = no" parameter or do this:

# chmod 1775 /usr/local/samba/backup - I suggest you do this first.

Red Squirrel · 08-28-2004, 11:09 AM

So to access it I would just make a user in windows called root and make the backup happen under that user? (using scheduled tasks). But for my samba shares I use share level security and not user based so will it still work?

I figured this would be much simpler,

gani · 08-28-2004, 11:31 AM

No need to create a local root user in Windows. I'm not so sure. I thought it should be 777 permission if security is only share. To make sure, your security should be user and create all your windows users in Linux and in smbpasswd but give them different password from their unix passwords.

Then let them take ownership of their respective directories (# chown -R username.users). The user group is a built-in group in unix with GID=100 (see /etc/group).

Finally make your bakcup directory in Linux owned by root.root only (actually the default).

Red Squirrel · 08-29-2004, 06:12 PM

I was playing around and found an easier solution.

create mode =555

So it creates the files as read only so they can't be deleted. It does not seem to work for folders, but folders are less important then files, and if a folder contains a file it won't let me delete it. So it's exactly what I want.

I've been playing with stuff and have other questions but I'll start a new thread.