On Tuesday 08 March 2005 07:08 pm, Aaron P. Martinez wrote:
[...]> Most importantly i'm wondering if it can implement the create
dir/append
> to file permissions. My client wants users to be able to create files
> on the server but have only a few people who can actually delete the
> files. I thought about using the "force user" and umask
properties, but
> wondered if when using samba as a domain controller the file permissions
> would be the same as window's file permissions or if that is a function
> of ntfs and samba always uses the unix file permissions.
I'm trying to find this out myself on behalf of a Windows guy who is trying
to
do this for some reason. To be honest, I'm still not sure what good it does
- if you can WRITE to a file, you can effectively delete it. (Overwrite it
with a different file and rename it. Literally no different than deleting
the original file then writing a new one, if NTFS handles deletions the same
way that FATxx does (new file begins writing in the spot last vacated by the
most recently deleted file...). As far as I know, "append only"
isn't very
useful for most file - if I understand correctly (for example) when you load,
edit, and save a "Microsoft Word" file, it completely re-writes the
file, it
doesn't just add changes to the end. (The one possible use for append-only
that I can think of would be for plain-text log files...)
Nonetheless, somewhere along the way I got the impression that Samba would
store the windows permissions bits as extended attributes, just as it does
(or at least can) with DOS attributes. I'm not sure where I got this
impression, though, and even if it stores the attributes I don't know if it
enforces them.
Nobody's stepped up yet to say one way or another whether Samba handles
Windows file permissions or not in the last couple of days since the question
came up.
> Second thing that the client is requesting is for files on the server to
> not be able to be copied to a remote storage device (prevent theft).
> Lets say the user is at a workstation and her logon permits her to read
> a specific file on the samba server. She has a dvd burner or a usb
> external drive, he doesn't want her to be able to copy the file either
> directly to the device or to copy it to a local drive and then burn it.
> He does however want the user to be able to burn dvds of locally stored
> data, or from the user's samba $home directory. I suspect this
isn't
> very feasible as if you can read the data you should be able to copy it
> to your local machine and then put it wherever you want, but i figured
> i'd doublecheck.
Literally impossible, as far as I know - as you say, if you can read it, you
can copy it somewhere else. One alternative that would take some bureaucracy
to implement would be to take away all "end-user" portable media
(block off
the USB storage options, remove DVD-R's and CD-R's, etc.) and set up a
CENTRAL place, overseen by a trusted administrator, where users save files
that they want saved to portable media.
It'd be a huge hassle, but it WOULD at least give you controls over what
files
get exported to portable media - if the data is sensitive enough it might be
worth it.