SAMBA permissions

I have a fileserver running openSUSE 11.2 and samba services for file access from MS Windows based workstations. My question relates to changing default permissions on files and directories created from the windows clients.

Following are extracts of the /etc/samba/smb.conf file:

[myshare]
create mask = 0770
directory mask = 0770
inherit acls = yes

Even with the above entries, sometimes there are files and directories created by the windows clients having permission

drwxr-x--- (for directories)
drwxrw---- (for files)

Probably my lack of understanding of ACLs. Can anyone help?

Do you want them to be always drwxr-xr-x (or what)?
And, what is the full content of the [stanza] defining the share in smb.conf?
And, what are the permissions and ownership on the shared folder?

G’day Swerdna! Actually, I want to be able to control the permission settings for all directories and files created by the Windows clients. I seem to be able to achieve that for some login users, but some are not behaving as expected. For instance, certain samba users (valid usernames in openSUSE and identical names created using ‘smbpasswd -a’ command) behave as expected, i.e. directories and files permissions follow the “create mask” and “directory mask”, but some users do not. I don't want to use the “force user” setting as I want to know which user created the object (directory or file).

Sample of global and share as follows:

[global]
workgroup = OPENSUSEWG
netbios name = LINUXBOX
name resolve order = bcast host lmhosts wins
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \%L\profiles.msprofile
logon home = \%L%U.9xprofile
logon drive = P:
usershare allow guests = Yes
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
domain logons = No
domain master = No
security = user
wins support = No
wide links = No
local master = Yes
os level = 65
preferred master = yes

[projects]
comment = Projects Files
inherit acls = Yes
path = /home/Projects
read only = No
directory mask = 0770
create mask = 0770

rick@opensuse-rick:/home> ls -l
total 36
drwxrwx--- 23 root project 4096 2010-03-10 09:46 Projects

On a separate note (which is ultimately my wish), is there any way to set the group of an object (directory or file) created by the windows client, depending on the group name of the directory in which the object is being created? I noticed that currently, the group is set depending on the “Default Group” that the openSUSE username belongs to.

For example, a user “John” may belong to several groups (say “Accounts” and “Projects”) and I want to ensure that users other than “John” (say, “Jane” who belongs to the “Projects” group) can also read and write “Projects” objects created by “John”, but not “Accounts” objects created by “John”. Is this too complicated?

On Wed March 10 2010 04:06 am, rickliaw wrote:

>
> swerdna;2133670 Wrote:
>> Do you want them to be always drwxr-xr-x (or what)?
>>
> G’day Swerdna! Actually, I want to be able to control the permission
> settings for all directories and files created by the Windows clients.
> I seem to be able to achieve that for some login users but some are not
> behaving as expected. For instance, certain samba users (valid
> usernames in openSUSE and identical names created using ‘smbpasswd -a’
> command) behave as expected, i.e. directories and files permissions
> follow the “create mask” and “directory mask”, but some users do not. I
> don't want to use the “force user” setting as I want to know which user
> created the object (directory or file).
>
> swerdna;2133670 Wrote:
>>
>> And, what is the full content of the [stanza] defining the share in
>> smb.conf?
>>
>
> Sample of global and share as follows :
>
> [global]
> workgroup = OPENSUSEWG
> netbios name = LINUXBOX
> name resolve order = bcast host lmhosts wins
> passdb backend = tdbsam
> printing = cups
> printcap name = cups
> printcap cache time = 750
> cups options = raw
> map to guest = Bad User
> include = /etc/samba/dhcp.conf
> logon path = \%L\profiles.msprofile
> logon home = \%L%U.9xprofile
> logon drive = P:
> usershare allow guests = Yes
> add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody
> -s /bin/false %m$
> domain logons = No
> domain master = No
> security = user
> wins support = No
> wide links = No
> local master = Yes
> os level = 65
> preferred master = yes
>
> [projects]
> comment = Projects Files
> inherit acls = Yes
> path = /home/Projects
> read only = No
> directory mask = 0770
> create mask = 0770
>
>
> swerdna;2133670 Wrote:
>>
>> And, what are the permissions and ownership on the shared folder?
>
> rick@opensuse-rick:/home> ls -l
> total 36
> drwxrwx--- 23 root project 4096 2010-03-10 09:46 Projects
>
> On a separate note (which is ultimately my wish), is there any way to
> set the group of an object (directory or file) created by the windows
> client, depending on the group name of the directory in which the object
> is being created? I noticed that currently, the group is set depending
> on the “Default Group” that the openSUSE username belongs to.
>
> For example, a user “John” may belong to several groups (say “Accounts”
> and “Projects”) and I want to ensure that users other than “John” (say,
> “Jane” who belongs to the “Projects” group) can also read and write
> “Projects” objects created by “John”, but not “Accounts” objects created
> by “John”. Is this too complicated?
>
>
rickliaw;

It's not clear what permissions you expect. The “directory mask” and “create
mask” are ANDed into the permissions. Thus 770 removes permissions for
others but preserves permissions for owner and group. The “force create
mode” and “force directory mode” parameters can assure the bits you want are
set. The values in these latter parameters are ORed into the permissions
after the mask is applied.

Chapter 15 of the “Official Samba3 HOWTO” gives a full write up on
permissions. See:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html

As for the second part of your question, AFAIK you cannot do this on a per-file
basis. However, you could create multiple shares and use the “valid
users” parameter to control access. For example:


valid users = @projects
or
valid users = @projects, @accounts


P. V.
“We’re all in this together, I’m pulling for you.” Red Green

Swerdna,

Thanks! The “force create mode” and “force directory mode” are what I wanted to do (I had not understood fully the “create mask” and “directory mask” before). Sorry I hadn't made my query clear before, i.e. I wanted all files and directories created by windows clients to have default permission -rwxrwx--- (0770).

On the second point, the suggested approach still does not resolve what I wanted to achieve. In my example before,

Jane belongs to group “Projects”, default group “Projects”
John belongs to group “Projects” and “Accounts”, default group “Accounts”

Using the shares as suggested:

[Projects]
valid users = @Projects

[Accounts]
valid users = @Accounts

Note that John can create files in “Projects” directory but the default group would be “Accounts” which Jane could not access as she does not belong to the “Accounts” group.

I hope the above illustrates more clearly my point.

(BTW, what does AFAIK stand for?)

On Wed March 10 2010 08:56 pm, rickliaw wrote:

>
> Swerdna,
>
> Thanks! The “force create mode” and “force directory mode” are what I
> wanted to do (I had not understood fully the “create mask” and
> “directory mask” before). Sorry I hadn't made my query clear before, i.e.
> I wanted all files and directories created by windows clients to have
> default permission -rwxrwx--- (0770).
>
> On the second point, the suggested approach still does not resolve what
> I wanted to achieve. In my example before,
>
> Jane belongs to group “Projects”, default group “Projects”
> John belongs to group “Projects” and “Accounts”, default group
> “Accounts”
>
> Using the shares as suggested:
>
> [Projects]
> valid users = @Projects
>
> [Accounts]
> valid users = @Accounts
>
> Note that John can create files in “Projects” directory but the default
> group would be “Accounts” which Jane could not access as she does not
> belong to the “Accounts” group.
>
> I hope the above illustrates more clearly my point.
>
> (BTW, what does AFAIK stand for?)
>
>
rickliaw;

AFAIK = “As far as I know”

If you do not have a lot of users, you can also list users by name with “valid
users”:


valid users = jane, john
or
valid users = john

Of course if you have a lot of users, or they change frequently,
administration will be a pain in the Alpha Sigma Sigma.

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

Swerdna:

Thanks again for updating me on yet another acronym which will come handy (AFAIK).

On the suggested “valid users” control, I still think you may not have fully understood the scenario explained. Another attempt to explain the “problem” below …

Jane belongs to group “Projects”, default group set to “Projects”
John belongs to group “Projects” and “Accounts”, default group set to “Accounts”

Using the shares as suggested:

[Projects]
valid users = John, Jane

[Accounts]
valid users = John

Note that John can create files in “Projects” directory but the default group would be “Accounts” which Jane could not access as she does not belong to the “Accounts” group. The intention is to set all files in the “Projects” directory so that all users belonging to the “Projects” group can access such files, although the user who created the files (in the “Projects” directory) may have default group setting to another group other than the “Projects” group.

Appreciate your help so far…

On Wed March 10 2010 11:16 pm, rickliaw wrote:

>
> Swerdna:
>
> Thanks again for updating me on yet another acronym which will come
> handy (AFAIK).
>
> On the suggested “valid users” control, I still think you may not have
> fully understood the scenario explained. Another attempt to explain the
> “problem” below …
>
>
> Jane belongs to group “Projects”, default group set to “Projects”
> John belongs to group “Projects” and “Accounts”, default group set to
> “Accounts”
>
> Using the shares as suggested:
>
> [Projects]
> valid users = John, Jane
>
> [Accounts]
> valid users = John
>
> Note that John can create files in “Projects” directory but the default
> group would be “Accounts” which Jane could not access as she does not
> belong to the “Accounts” group. The intention is to set all files in
> the “Projects” directory so that all users belonging to the “Projects”
> group can access such files, although the user who created the files (in
> the “Projects” directory) may have default group setting to another
> group other than the “Projects” group.
>
> Appreciate your help so far…
>
>
rickliaw;

You could rethink your groups, or you could allow “others” access. In the
latter case there could be a security problem only if there is direct access
to the Linux directories that is not through Samba. Access from Windows
would be controlled by the valid users.

Another alternative would be to use the “force user” or “force group”
parameter. I know you originally did not wish to use these, but to achieve
your aims it may be necessary.

(PS: Just to protect Swerdna’s good name, I’m not him.)

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

Could you please elaborate a little bit more on that? (how to achieve the intended permissions settings)

On Wed March 10 2010 11:49 pm, PV wrote:

> On Wed March 10 2010 11:16 pm, rickliaw wrote:
>
>>
>> Swerdna:
>>
>> Thanks again for updating me on yet another acronym which will come
>> handy (AFAIK).
>>
>> On the suggested “valid users” control, I still think you may not have
>> fully understood the scenario explained. Another attempt to explain the
>> “problem” below …
>>
>>
>> Jane belongs to group “Projects”, default group set to “Projects”
>> John belongs to group “Projects” and “Accounts”, default group set to
>> “Accounts”
>>
>> Using the shares as suggested:
>>
>> [Projects]
>> valid users = John, Jane
force group = Projects
>>
>> [Accounts]
>> valid users = John

>>
>> Note that John can create files in “Projects” directory but the default
>> group would be “Accounts” which Jane could not access as she does not
>> belong to the “Accounts” group. The intention is to set all files in
>> the “Projects” directory so that all users belonging to the “Projects”
>> group can access such files, although the user who created the files (in
>> the “Projects” directory) may have default group setting to another
>> group other than the “Projects” group.
>>
>> Appreciate your help so far…
>>
>>
> rickliaw;
>
> You could rethink your groups, or you could allow “others” access. In the
> latter case there could be a security problem only if there is direct access
> to the Linux directories that is not through Samba. Access from Windows
> would be controlled by the valid users.
>
> Another alternative would be to use the “force user” or “force group”
> parameter. I know you originally did not wish to use these, but to achieve
> your aims it may be necessary.
>
> (PS: Just to protect Swerdna’s good name, I’m not him.)
rickliaw;

Just to clarify:


>> [Projects]
>> valid users = John, Jane
force group = Projects
>>
>> [Accounts]
>> valid users = John
force group = Accounts

The files in [Projects] will all belong to @Projects
The files in [Accounts] will all belong to @Accounts

When John connects to [Projects] his files will be created with John:Projects
When John connects to [Accounts] his files will be created with John:Accounts

When Jane connects to [Projects] she will be in group Projects. When Jane
connects to [Accounts] access will be denied. Even if Jane connects via ssh
she will be denied access to the files created in [Accounts].

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

On Thu March 11 2010 12:36 am, rickliaw wrote:

>
> venzkep;2134440 Wrote:
>>
>> You could rethink your groups;
>>
>
> Could you please elaborate a little bit more on that? (how to achieve
> the intended permissions settings)
>
>
This is what I had in mind:
Primary group Projects. Members Jane and John
Secondary group Accounts. Member John
(i.e. both John and Jane are in Projects only John in Accounts)


[share1]
valid users = @Projects
....
[Share2]
valid users = @Accounts

Both John and Jane can access [Share1] but only John can access [Share2] since
Jane is not a member of Accounts.

(Note: I’ve never actually tried this but group membership should be
determined via Linux groups. I normally use the ideas of my earlier post)


P. V.
“We’re all in this together, I’m pulling for you.” Red Green

Wow! I do believe you've done it! So SIMPLE and I just didn't think of that before! (using “force group” control in the respective share)

THANKS !!!

On Thu March 11 2010 12:59 am, PV wrote:

> On Thu March 11 2010 12:36 am, rickliaw wrote:
>
>>
>> venzkep;2134440 Wrote:
>>>
>>> You could rethink your groups;
>>>
>>
>> Could you please elaborate a little bit more on that? (how to achieve
>> the intended permissions settings)
>>
>>
> This is what I had in mind:
> Primary group Projects. Members Jane and John
> Secondary group Accounts. Member John
> (i.e. both John and Jane are in Projects only John in Accounts)
>
> [share1]
> valid users = @Projects
> ...
> [Share2]
> valid users = @Accounts
>
> Both John and Jane can access [Share1] but only John can access [Share2] since
> Jane is not a member of Accounts.
>
> (Note: I’ve never actually tried this but group membership should be
> determined via Linux groups. I normally use the ideas of my earlier post)
>
rickliaw;

Also consider the setgid bit on the directory. See:
http://en.wikipedia.org/wiki/Setuid
for information on how this affects directories.

Remember, Samba obeys Linux permissions. This is an alternative to using the
force group parameter.

P. V.
“We’re all in this together, I’m pulling for you.” Red Green
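An added example, not from this thread or from the Samba project: a small Python model of the arithmetic PV described earlier (the mask is ANDed into the mode, the force mode is ORed in afterwards) together with the group-selection rules from the "force group" and setgid replies. The 0666/0777 starting modes, the handling of the DOS read-only attribute and the omission of ACL inheritance are simplifying assumptions of the model; the parameter names and the 0770 values come from the thread.

```python
import stat

# Samba's built-in defaults for the four parameters discussed in the thread.
DEFAULTS = {"create mask": 0o744, "directory mask": 0o755,
            "force create mode": 0o000, "force directory mode": 0o000}

def samba_mode(is_dir, params, dos_readonly=False):
    """Mode a new object gets (simplified model); params = smb.conf values."""
    p = {**DEFAULTS, **params}
    # Assumed starting point for a client-created object: rwx for everyone on
    # a directory, rw for everyone on a file, minus the write bits when the
    # client sets the DOS read-only attribute. DOS archive/system/hidden
    # mapping and ACL inheritance ("inherit acls") are not modelled.
    base = 0o777 if is_dir else 0o666
    if dos_readonly:
        base &= ~0o222
    mask = p["directory mask"] if is_dir else p["create mask"]
    force = p["force directory mode"] if is_dir else p["force create mode"]
    # The mask is ANDed in (it can only remove bits); the force mode is ORed
    # in afterwards (it can only add bits), as PV's earlier reply describes.
    return (base & mask) | force

def object_group(creator_primary_group, parent_group,
                 parent_setgid=False, force_group=None):
    """Group of a new object: force group > setgid parent > creator's primary."""
    if force_group is not None:      # smb.conf "force group" on the share
        return force_group
    if parent_setgid:                # chmod g+s on the directory (Linux rule)
        return parent_group
    return creator_primary_group     # plain Linux default

def show(mode, is_dir=False):
    """Render a mode the way ls -l does, e.g. 0o770 -> 'drwxrwx---'."""
    return stat.filemode((stat.S_IFDIR if is_dir else stat.S_IFREG) | mode)

if __name__ == "__main__":
    share = {"create mask": 0o770, "directory mask": 0o770}   # the thread's [projects]
    fixed = {**share, "force create mode": 0o770, "force directory mode": 0o770}
    for label, p in (("mask only", share), ("mask + force mode", fixed)):
        print(label, "dir:", show(samba_mode(True, p), True),
              "file:", show(samba_mode(False, p)),
              "read-only file:", show(samba_mode(False, p, dos_readonly=True)))
    # John's primary group is Accounts; he creates a file under /home/Projects.
    for setgid, force in ((False, None), (True, None), (False, "Projects")):
        print("setgid" if setgid else "no setgid", "force group" if force else "no force group",
              "->", object_group("Accounts", "Projects", setgid, force))
```

With the masks alone a normal file comes out as -rw-rw---- and a read-only one as -r--r-----; only the force mode lifts both to 0770.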

On Thu March 11 2010 01:16 am, rickliaw wrote:

>
> Wow! I do believe you've done it! So SIMPLE and I just didn't think of that
> before! (using “force group” control in the respective share)
>
> THANKS !!!
>
>
rickliaw;

To steal from the lines of an old song: “There must be a thousand ways to set
permissions”. Glad to help you out.

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

Thanks! That Wikipedia link helped clear up my (lack of) understanding of the use of the sticky bit for directories in *nix-based file systems.