I am a new Samba user so forgive my ignorance. I am using Samba version 2.0.6 on HP UX 11 and I need to use the "security mask" parameter to prevent even the owner of a file from changing the read only attribute (by right clicking on the file from a Windows NT 4.0 desktop) if the file is read only (Unix permissions: 0440). This is what I have in the "smb.conf" file:

    [global]
    nt acl support = no
    ...
    [share]
    ...
    security mask = 0000
    create mask = 0640
    force create mode = 0000
    ...

But it doesn't do what I want it to do, which is what it's supposed to do according to the documentation. Is there anybody that has an idea how to make this work? Please help. Please send me an email.

Thanks.
Mohammed Maati.

Hello Mohammed,

I took a brief look at the dosmode.c code, where I <think> this should be handled, and it doesn't seem to ever check or use the security mask before it attempts the chmod... bottom line, I don't think this feature is implemented... I've copied the samba technical list, so maybe one of the samba team can comment on this...

-----Original Message-----
From: Mohammed_Maati@BIOGEN.COM [mailto:Mohammed_Maati@BIOGEN.COM]
Sent: Wednesday, May 09, 2001 17:00
To: samba@lists.samba.org
Subject: The "security mask" parameter

I am a new Samba user so forgive my ignorance. I am using Samba version 2.0.6 on HP UX 11 and I need to use the "security mask" parameter to prevent even the owner of a file from changing the read only attribute (by right clicking on the file from a Windows NT 4.0 desktop) if the file is read only (Unix permissions: 0440). This is what I have in the "smb.conf" file:

    [global]
    nt acl support = no
    ...
    [share]
    ...
    security mask = 0000
    create mask = 0640
    force create mode = 0000
    ...

But it doesn't do what I want it to do, which is what it's supposed to do according to the documentation. Is there anybody that has an idea how to make this work? Please help. Please send me an email.

Thanks.
Mohammed Maati.

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba

I agree, Jeremy - it's certainly not something that you could implement on an NT server - not with DOS modes. Now, you COULD make a file readonly via ntacls, and restrict the creator/owner from changing those permissions, but I don't think we need to provide that outside of whatever acl support the underlying OS allows... Heck, you can't even do that to a UNIX user....

don

-----Original Message-----
From: Jeremy Allison [mailto:jeremy@valinux.com]
Sent: Wednesday, May 09, 2001 17:36
To: MCCALL,DON (HP-USA,ex1)
Cc: 'Mohammed_Maati@BIOGEN.COM'; samba@lists.samba.org; 'samba-technical@samba.org'
Subject: Re: The "security mask" parameter

"MCCALL,DON (HP-USA,ex1)" wrote:
>
> Hello Mohammed,
> I took a brief look at the dosmode.c code, where I <think> this should be
> handled, and it doesn't seem to ever check or use the security mask before
> it attempts the chmod...
> bottom line, I don't think this feature is implemented...
> I've copied the samba technical list, so maybe one of the samba team can
> comment on this...

You're right. It was implemented, but got removed by accident in the POSIX ACL rewrite. To be honest I don't think it's useful, so I think the best course of action is to remove it and also remove the docs.

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

I guess that this means that there is no way (in Samba with the parameter "nt acl support" set to false) to prevent a user from taking off the read only attribute (from his NT 4 box) of his files if I change them to read only from the Unix box?

Thanks for your help.
Mohammed.

Jeremy Allison <jeremy@valinux.com>@valinux.com on 05/09/2001 06:51:18 PM

Sent by: jeremy@valinux.com
To: "MCCALL,DON (HP-USA,ex1)" <don_mccall@hp.com>
cc: "'Mohammed_Maati@BIOGEN.COM'" <Mohammed_Maati@BIOGEN.COM>, samba@lists.samba.org, "'samba-technical@samba.org'" <samba-technical@samba.org>
Subject: Re: The "security mask" parameter

"MCCALL,DON (HP-USA,ex1)" wrote:
>
> I agree, Jeremy - it's certainly not something that you could implement on
> an NT server - not with DOS modes.
> Now, you COULD make a file readonly via ntacls, and restrict the
> creator/owner from changing those permissions, but I don't think we need to
> provide that outside of whatever acl support the underlying OS allows...
> Heck, you can't even do that to a UNIX user....

Actually, after talking with Gerald (who wants it to work
the way it did in 2.0.x), he's pointed out that it is actually
the "restrict acls with mask" parameter I added recently that
is the redundant parameter that should be removed.

If I set the security mask/dir security mask = 0777
and force security mode/force dir security mode = 0
and *always* apply these on ACL set, then we get exactly
the default behaviour we have now (no masks, user gets
exactly what they set in the ACL), but still provide
the capability for an admin to set masks on ACL sets
for user/group and world, without disturbing the create
masks.

Not that anyone actually uses these, as this was *completely*
broken in 2.2.0 :-) :-). But this is actually the more
generic solution (that 99.99999% of people will never need
to change :-).

Jeremy.
--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
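
The mask arithmetic Jeremy describes above, as an added example that is not part of the original thread and is not Samba's code. It assumes the documented behaviour that a mask is ANDed with the requested bits and a force mode is ORed in; the class and function names are hypothetical, and the 0750/0400 policy is constructed.

```python
from dataclasses import dataclass


def rwx(mode):
    """Render the low nine permission bits as an rwxrwxrwx string."""
    return "".join(c if mode & (0o400 >> i) else "-"
                   for i, c in enumerate("rwxrwxrwx"))


@dataclass(frozen=True)
class ShareMasks:
    # Creation-time masks: the values from the smb.conf quoted in this thread.
    create_mask: int = 0o640
    force_create_mode: int = 0o000
    # ACL-set masks: the defaults Jeremy proposes (0777 and 0).
    security_mask: int = 0o777
    force_security_mode: int = 0o000

    def on_create(self, requested):
        """Mode given to a newly created file (assumed AND-then-OR model)."""
        return (requested & self.create_mask) | self.force_create_mode

    def on_acl_set(self, requested):
        """Mode stored when a client sets permissions on an existing file."""
        return (requested & self.security_mask) | self.force_security_mode

    def refused(self, requested):
        """Bits the client asked for in an ACL set but did not get."""
        return requested & ~self.on_acl_set(requested) & 0o777


def acl_set_is_transparent(masks):
    """True if an ACL set stores exactly what was requested, for all 512 modes."""
    return all(masks.on_acl_set(m) == m for m in range(0o1000))


if __name__ == "__main__":
    default = ShareMasks()
    # Constructed admin policy: no world access, no group write, owner read forced on.
    strict = ShareMasks(security_mask=0o750, force_security_mode=0o400)
    print("defaults transparent:", acl_set_is_transparent(default))
    for req in (0o777, 0o666, 0o066):
        got = strict.on_acl_set(req)
        print(f"ask {rwx(req)} -> get {rwx(got)}  refused {rwx(strict.refused(req))}")
    # The ACL-set policy leaves creation-time behaviour alone.
    print("create 0666:", oct(default.on_create(0o666)), oct(strict.on_create(0o666)))
```
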
Well Mohammed,

You could put the files that you want to ALWAYS be readonly into a separate share, and use the 'read only = yes' share option on that share; then the user would not be able to modify the permissions.

Hope this helps,
Don

-----Original Message-----
From: Mohammed_Maati@BIOGEN.COM [mailto:Mohammed_Maati@BIOGEN.COM]
Sent: Thursday, May 10, 2001 8:59 AM
To: Jeremy Allison
Cc: MCCALL,DON (HP-USA,ex1); samba@lists.samba.org; 'samba-technical@samba.org'
Subject: Re: The "security mask" parameter

I guess that this means that there is no way (in Samba with the parameter "nt acl support" set to false) to prevent a user from taking off the read only attribute (from his NT 4 box) of his files if I change them to read only from the Unix box?

Thanks for your help.
Mohammed.