Esben Laursen
2003-Jun-20 21:51 UTC
[Samba] User can delete file when they have no read/write access
I'm having a problem with my profiles share on my Samba 2.2.3 PDC server.

I have a share like this:

[profiles]
    path = /home/samba/profiles
    writeable = yes
    create mask = 0700
    directory mask = 0700
    browsable = no
    valid users = root,@smbusers

The roaming profile works just fine with Windows 2000, and the users can't read the other profiles (they get an "access denied" if they try to access another profile than their own). That's great, BUT they can delete the other profiles.
It isn't only the profiles share but all files, and that's pretty much a problem here =)

Here is an ls of the profiles directory:

linux:/home/samba/profiles# ls -l
total 12
drwx------   14 emma  emma  4096 Jun 19 22:18 emma
drwx------   19 esben esben 4096 Jun 17 20:00 esben
drwx------   14 root  root  4096 May 17 21:13 root
linux:/home/samba/profiles#

So the user esben can't read the emma folder but he can delete it, which is pretty bad =)

How can I fix this?

Kind Regards

Esben

Ps. Here is my [global] section:

[global]
    netbios name = linux2
    server string = Samba %v on %L
    workgroup = domain

    add user script = /usr/sbin/useradd -d /dev/null -g nobody -s /bin/false -M %u

    os level = 65
    prefered master = yes
    domain master = yes
    local master = yes
    domain logons = yes
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
    time server = yes
    hide dot files = yes
    security = user
    guest ok = no
    invalid users = bin deamon sys man mail ftp
    admin users = @root
    domain admin group = root,@admins
    encrypt passwords = yes
    log level = 2
    log file = /var/log/samba/log.%L
    max log size = 1000
    debug timestamp = yes
    syslog = 1
    hosts allow = 192.168.1. 127. 62.79.110.

    ; user roaming profiles path
    logon path = \\%L\profiles\%u

    client codepage = 850
    valid chars = ?:? ?:? ?:?
    logon script = logon.bat
Herb Lewis
2003-Jun-20 23:25 UTC
[Samba] User can delete file when they have no read/write access
The key for delete is the permissions of the parent directory, not the file. If a user has write access to the directory, he can delete files in that directory. Check out the chmod man page for references to the "sticky bit" for a directory. Here is a quote from the IRIX man page (Linux should be similar):

    If a directory is writable and the sticky bit, (t), is set on the
    directory, a process may remove or rename files within that directory
    only if one or more of the following is true (see unlink(2) and
    rename(2)):

      - the effective user ID of the process is the same as that of the
        owner ID of the file
      - the effective user ID of the process is the same as that of the
        owner ID of the directory
      - the process is a superuser.

Esben Laursen wrote:
>
> I'm having a problem with my profiles share on my Samba 2.2.3 PDC server.
>
> I have a share like this:
>
> [profiles]
>     path = /home/samba/profiles
>     writeable = yes
>     create mask = 0700
>     directory mask = 0700
>     browsable = no
>     valid users = root,@smbusers
>
> The roaming profile works just fine with Windows 2000, and the users can't read the other profiles (they get an "access denied" if they try to access another profile than their own). That's great, BUT they can delete the other profiles.
> It isn't only the profiles share but all files, and that's pretty much a problem here =)
>
> Here is an ls of the profiles directory:
>
> linux:/home/samba/profiles# ls -l
> total 12
> drwx------   14 emma  emma  4096 Jun 19 22:18 emma
> drwx------   19 esben esben 4096 Jun 17 20:00 esben
> drwx------   14 root  root  4096 May 17 21:13 root
> linux:/home/samba/profiles#
>
> So the user esben can't read the emma folder but he can delete it, which is pretty bad =)
>
> How can I fix this?
>
> Kind Regards
>
> Esben
>
> Ps. Here is my [global] section:
>
> [global]
>     netbios name = linux2
>     server string = Samba %v on %L
>     workgroup = domain
>
>     add user script = /usr/sbin/useradd -d /dev/null -g nobody -s /bin/false -M %u
>
>     os level = 65
>     prefered master = yes
>     domain master = yes
>     local master = yes
>     domain logons = yes
>     socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
>     time server = yes
>     hide dot files = yes
>     security = user
>     guest ok = no
>     invalid users = bin deamon sys man mail ftp
>     admin users = @root
>     domain admin group = root,@admins
>     encrypt passwords = yes
>     log level = 2
>     log file = /var/log/samba/log.%L
>     max log size = 1000
>     debug timestamp = yes
>     syslog = 1
>     hosts allow = 192.168.1. 127. 62.79.110.
>
>     ; user roaming profiles path
>     logon path = \\%L\profiles\%u
>
>     client codepage = 850
>     valid chars = ?:? ?:? ?:?
>     logon script = logon.bat
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba

--
=====================================================================
Herb Lewis                               Silicon Graphics
Networking Engineer                      1600 Amphitheatre Pkwy MS-510
Strategic Software Organization          Mountain View, CA  94043-1351
herb@sgi.com                             Tel: 650-933-2177
http://www.sgi.com                       Fax: 650-932-2177
PGP Key: 0x8408D65D
======================================================================
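The following is an added example, not code from either poster or from the Samba project. It models the unlink/rename rule quoted from the man page above as a small decision function, runs it against the situation in Esben's listing (a top-level profiles directory owned by root that the users can write to, with esben trying to remove emma's profile), and shows how to check and set the sticky bit on a real directory with the Python standard library. The numeric UIDs and the 0770 mode of the profiles directory are constructed for illustration; the original post does not show them.

```python
"""
Added example (not from the Samba list thread): models the unlink/rename rule
quoted from the chmod(1) man page, and checks/sets the sticky bit on a real
directory with the stdlib. UIDs and the 0770 mode below are constructed.
"""
import os
import stat
import tempfile

# Constructed UIDs for the users in Esben's ls output; real values will differ.
ROOT, EMMA, ESBEN = 0, 1000, 1001


def may_unlink(euid: int, dir_mode: int, dir_owner: int, file_owner: int,
               process_can_write_dir: bool) -> bool:
    """Return True if a process with effective uid `euid` may remove or rename
    an entry owned by `file_owner` inside a directory owned by `dir_owner`.

    `process_can_write_dir` is whether the process has write permission on the
    parent directory (that, not the entry's own mode bits, decides deletion).
    `dir_mode` is the directory's st_mode; only the sticky bit (S_ISVTX) is read.
    """
    if euid == 0:                       # superuser: always allowed
        return True
    if not process_can_write_dir:       # no write on the parent: never allowed
        return False
    if not (dir_mode & stat.S_ISVTX):   # writable, no sticky bit: anyone can delete
        return True
    # writable + sticky: only the entry's owner or the directory's owner
    return euid in (file_owner, dir_owner)


def sticky_bit_set(path: str) -> bool:
    """True if the directory at `path` has the sticky bit (ls -ld shows 't'/'T')."""
    return bool(os.stat(path).st_mode & stat.S_ISVTX)


def set_sticky(path: str) -> int:
    """Equivalent of `chmod +t path`: keeps the existing permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode | stat.S_ISVTX)
    return stat.S_IMODE(os.stat(path).st_mode)


def profiles_scenario() -> dict:
    """Esben's case: esben can write to the share's top directory (owned by
    root) and tries to remove emma's 0700 profile directory."""
    plain = 0o770                    # constructed: group-writable, no sticky bit
    sticky = plain | stat.S_ISVTX    # the same directory after chmod +t (01770)
    return {
        "esben_deletes_emma_without_sticky": may_unlink(ESBEN, plain, ROOT, EMMA, True),
        "esben_deletes_emma_with_sticky": may_unlink(ESBEN, sticky, ROOT, EMMA, True),
        "emma_deletes_own_with_sticky": may_unlink(EMMA, sticky, ROOT, EMMA, True),
        "root_deletes_emma_with_sticky": may_unlink(ROOT, sticky, ROOT, EMMA, True),
        "esben_without_write_access": may_unlink(ESBEN, plain, ROOT, EMMA, False),
    }


def demo_on_tempdir() -> tuple:
    """Create a scratch 'profiles' directory, set the sticky bit, and report
    whether the bit was set before and after."""
    with tempfile.TemporaryDirectory() as d:
        profiles = os.path.join(d, "profiles")
        os.mkdir(profiles, 0o770)
        before = sticky_bit_set(profiles)
        set_sticky(profiles)
        after = sticky_bit_set(profiles)
        return before, after


if __name__ == "__main__":
    for name, allowed in profiles_scenario().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
    print("scratch dir sticky bit before/after chmod +t:", demo_on_tempdir())
```

On the real server the equivalent of `set_sticky` is `chmod +t /home/samba/profiles`; afterwards `ls -ld /home/samba/profiles` should show a `t` (or `T`) in the last position of the mode string. The sticky bit only governs removing and renaming entries of that one directory; it does not change who can read the 0700 profile directories, and the root-owned top directory is the only place where esben's write access let him remove emma's profile in the first place.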