Troubleshoot permissions in a Samba share

jstars · 10-26-2006, 10:20 PM

I am having trouble setting read-only permissions for my kids account on my home server (running Samba). I have set-up a documents share that I want my wife and I to have "rw-" access to, but my children only "r--" access (so they don't delete stuff).

I have several users on two different WinXP machines (PC1 and PC2) in my house. They are set-up in the following groups (taken from /etc/groups):

g-children:x:60006:children
g-parents:x:60007:alfred,parents,sophia
g-admin:x:60008:alfred

The following is an excerpt from the Samba config file for the "flex-documents" share:

[flex-documents]
path = /var/flexshare/shares/documents
comment = Documents
create mask = 0664
force group = g-parents
public = yes
browseable = yes
writeable = yes

However, when I log into a windows machine under the username "children", I still have write access to this share! I don't want my kids to delete family pictures by mistake! What am I doing wrong with the permissions???

chakkerz · 10-26-2006, 10:28 PM

# A publicly accessible directory, but read only, except for people in
# the "staff" group
;[public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = @staff

so drop the force group and instead add write list = @g-parents

jstars · 10-26-2006, 11:34 PM

Works great, thanks. I no longer have write access to files I do not own when logged in as "children".

However, now I don't seem to have visibility to the contents of sub-directories when logged in as "children". For example, some share sub-directories have files in them, but these files are not visible when logged in as "children". They are only visible when logged in as "parents". Does this have something to do with "browseable" or "printable" options in Samba?

chakkerz · 10-26-2006, 11:38 PM

yeah
it's the browseable option

jstars · 10-27-2006, 04:28 PM

Okay, I played with the browseable option but I couldn't seem to get it to work. Instead I looked at the linux file permissions. I read somewhere that to access the contents of a directory, the user must have execute permission to the directory. Therefore I did a "chmod o=rx * -R -v" to the share. This recursively made ALL files and directories executable to "other" users (Not the best idea, but I don't know how to restrict the command to just directories). Anyway the contents of directories can now be accessed in the children account now.

Accordingly I changed the samba share create mask from "0664" to "0665".

I'm new to linux permissions. If someone can show me how to make just the directories executable, that would be appreciated.

chakkerz · 10-29-2006, 03:18 PM

Elaborate example follows:

None the less use the find comand at the root you require looking for type d(irectory)

ie find ./tester -type d

and use that in your chmod as the target for the chmod command

ie chmod 711 `find ./tester -type d`

NOTE those quotes are the charater under the tilde/~ (usually next to the 1)

SO the setup for the test:

Quote:

[chakkerz@tigerente ~]$ mkdir tester
[chakkerz@tigerente ~]$ cd tester
[chakkerz@tigerente tester]$ touch something else test 1 2 3 4
[chakkerz@tigerente tester]$ mkdir directory
[chakkerz@tigerente tester]$ touch directory/1 directory/2 directory/3
[chakkerz@tigerente tester]$ ls -F
1 2 3 4 directory/ else something test
[chakkerz@tigerente another]$ touch test you me and irene
[chakkerz@tigerente another]$ ls
and irene me test you

The verification, change and final verification (and a type f for good measure)

:

Quote:

[chakkerz@tigerente ~]$ cd ~
[chakkerz@tigerente ~]$ ls -ld `find ./tester/ -type d`
drwxrwx--- 3 chakkerz chakkerz 4096 Oct 30 07:11 ./tester/
drwxrwx--- 3 chakkerz chakkerz 4096 Oct 30 07:12 ./tester/directory
drwxrwx--- 2 chakkerz chakkerz 4096 Oct 30 07:12 ./tester/directory/another
[chakkerz@tigerente ~]$ chmod 711 `find ./tester/ -type d`
[chakkerz@tigerente ~]$ ls -ld `find ./tester/ -type d`
drwx--x--x 3 chakkerz chakkerz 4096 Oct 30 07:11 ./tester/
drwx--x--x 3 chakkerz chakkerz 4096 Oct 30 07:12 ./tester/directory
drwx--x--x 2 chakkerz chakkerz 4096 Oct 30 07:12 ./tester/directory/another
[chakkerz@tigerente ~]$ ls -ld `find ./tester/ -type f`
-rw-rw---- 1 chakkerz chakkerz 0 Oct 30 07:11 ./tester/1
-rw-rw---- 1 chakkerz chakkerz 0 Oct 30 07:11 ./tester/2
-rw-rw---- 1 chakkerz chakkerz 0 Oct 30 07:11 ./tester/3
-rw-rw---- 1 chakkerz chakkerz 0 Oct 30 07:11 ./tester/4
-rw-rw---- 1 chakkerz chakkerz 0 Oct 30 07:11 ./tester/directory/1
-rw-rw---- 1 chakkerz chakkerz 0 Oct 30 07:11 ./tester/directory/2
-rw-rw---- 1 chakkerz chakkerz 0 Oct 30 07:11 ./tester/directory/3
-rw-rw---- 1 chakkerz chakkerz 0 Oct 30 07:12 ./tester/directory/another/and
-rw-rw---- 1 chakkerz chakkerz 0 Oct 30 07:12 ./tester/directory/another/irene
-rw-rw---- 1 chakkerz chakkerz 0 Oct 30 07:12 ./tester/directory/another/me
-rw-rw---- 1 chakkerz chakkerz 0 Oct 30 07:12 ./tester/directory/another/test
-rw-rw---- 1 chakkerz chakkerz 0 Oct 30 07:12 ./tester/directory/another/you
-rw-rw---- 1 chakkerz chakkerz 0 Oct 30 07:11 ./tester/else
-rw-rw---- 1 chakkerz chakkerz 0 Oct 30 07:11 ./tester/something
-rw-rw---- 1 chakkerz chakkerz 0 Oct 30 07:11 ./tester/test

jstars · 10-29-2006, 05:10 PM

Holy schniky! Thanks. But now that I have made every file and directory executable, how do I do the inverse of `find ./tester -type d`? That is, apply the chmod to every item other than directories.

Surely I can't say `find ./tester -type b c p f l s D` or is there a better way?

chakkerz · 10-29-2006, 06:33 PM

BANG !

use a ! (not) to negate the type and invert the search request

Quote:

[chakkerz@tigerente ~]$ find ./tester/ ! -type d
./tester/2
./tester/4
./tester/3
./tester/test
./tester/something
./tester/else
./tester/1
./tester/directory/2
./tester/directory/3
./tester/directory/1
./tester/directory/another/you
./tester/directory/another/irene
./tester/directory/another/me
./tester/directory/another/and
./tester/directory/another/test

jstars · 10-29-2006, 10:53 PM

Sweet. Thanks.