Hi all,

I've got these permissions set on a folder:

$ getfacl htdocs

# file: htdocs
# owner: root
# group: users
user::rwx
group::rwx
group:DOMAIN\134htdocs_access:rwx
mask::rwx
other::r-x

The idea being that any users in the "htdocs_access" group in Active
Directory will have full access to this "htdocs" folder, without
interfering with the real owner/group of the folder (which the web
server uses.)

This seems to work fine, except that any files I create through Windows
Explorer I can't delete again (I can edit them and create more files,
but I can't delete anything.) Viewing properties on the file indicates
that the DOMAIN\htdocs_access group doesn't have Delete permission (the
Delete checkbox is unticked) but the other permissions seem fine.

I didn't realise that Samba treated Delete access separately to Write
access - how do I grant Delete access on a folder?

Thanks,
Adam.
On Wed, May 03, 2006 at 03:35:11PM +1000, Adam Nielsen wrote:
> Hi all,
>
> I've got these permissions set on a folder:
>
> $ getfacl htdocs
>
> # file: htdocs
> # owner: root
> # group: users
> user::rwx
> group::rwx
> group:DOMAIN\134htdocs_access:rwx
> mask::rwx
> other::r-x
>
> The idea being that any users in the "htdocs_access" group in Active
> Directory will have full access to this "htdocs" folder, without
> interfering with the real owner/group of the folder (which the web
> server uses.)
>
> This seems to work fine, except that any files I create through Windows
> Explorer I can't delete again (I can edit them and create more files,
> but I can't delete anything.) Viewing properties on the file indicates
> that the DOMAIN\htdocs_access group doesn't have Delete permission (the
> Delete checkbox is unticked) but the other permissions seem fine.
>
> I didn't realise that Samba treated Delete access separately to Write
> access - how do I grant Delete access on a folder?

It doesn't. Can you post a debug level 10 log of a delete request please?

Jeremy.
Jerry Westrick wrote:
> On Sunday 07 May 2006 23:24, Adam Nielsen wrote:
>
>> Hi Jeremy,
>>
>> Sorry it has taken me so long to get back to you.
>>
>>>> I didn't realise that Samba treated Delete access separately to
>>>> Write access - how do I grant Delete access on a folder?
>>>
>>> It doesn't. Can you post a debug level 10 log of a delete request
>>> please?
>>
>> I'll send you the debug log off-list, but from the looks of it there's
>> an issue with the ACLs. Samba says I don't have enough access to
>> delete files, which I could understand, except for the fact that I can
>> *modify* the file I'm trying to delete. I would've assumed in this
>> case that I didn't have write or execute access to the directory,
>> but as far as I can tell, I do.
>>
>> Thanks,
>> Adam.
>
> Yo, Adam...
>
> There is a special Linux security attribute which in effect says only
> owner can delete... I forget the exact value, but got bitten by it once.
>
> Check to see if that's your problem...
>
> Jerry

Try to apply chmod 0770 or whatever you want to remove all the special
attributes. Tell us how it goes.

Hope this helps!
RP

--
--------------------
Ra?l D. Pitt? Palma
Associate
Global Engineering and Technologies
mobile (507)-6616-0194
office (507)-264-2362
Republic of Panama
www.globaltecsa.com
> > I think that's the 'sticky' attribute (that is normally used
> > for /tmp)
>
> Yep that is the one, but you need to check the sticky attribute on
> the containing directory... (or as accessing user try to delete the
> file directly in Linux).

Yep, checked that - there are no sticky attributes anywhere in the
whole filesystem (the Samba share is on its own partition) and the only
'special' attribute I have used when creating the directory structure
is the SGID bit (if that's what chmod g+s is called) which means any
new files created are owned by the same group as the folder they're
created in (but even that attribute isn't used in the folder I'm having
trouble with.) Apart from that though, there are no other unexpected
attributes.

I'm wondering whether there's a discrepancy in the Samba code that
causes the delete operation to check permissions in a slightly
different way to the write/modify code. As far as I can tell, all the
filesystem permissions seem fine.

Cheers,
Adam.
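[Added example, not part of any poster's message: the filesystem-level checks discussed in the messages above (write and search permission on the containing directory, the sticky bit, and the SGID bit), collected into one shell function. The function name unlink_blockers and the path in the usage comment are made up for illustration; the function covers only what the kernel enforces, not any additional access check Samba performs.]

```shell
#!/bin/sh
# Added illustration. Reports what, at the filesystem level, would stop
# the *current* user from deleting FILE. Deleting is an operation on the
# containing directory, so the file's own write bit is not consulted.
# Run it as the user whose access is in question.
unlink_blockers() {
    file=$1
    dir=$(dirname -- "$file")
    out=""

    # unlink() needs write and search (x) permission on the directory.
    # -w / -x ask the kernel, so ACL entries and the mask are honoured.
    [ -w "$dir" ] || out="$out dir-not-writable"
    [ -x "$dir" ] || out="$out dir-not-searchable"

    # Sticky bit on the directory: only the file's owner, the directory's
    # owner, or root may remove the entry, whatever the ACL grants.
    if [ -k "$dir" ]; then
        out="$out dir-sticky"
        if [ "$(id -u)" -ne 0 ] && [ ! -O "$file" ] && [ ! -O "$dir" ]; then
            out="$out not-owner-under-sticky"
        fi
    fi

    # SGID on a directory only makes new entries inherit its group; it
    # never restricts deletion. Reported so it is not mistaken for sticky.
    if [ -g "$dir" ]; then
        out="$out dir-setgid"
    fi

    # Empty output means no filesystem-level blocker was found.
    echo "${out# }"
}

# Usage (hypothetical path): unlink_blockers /srv/www/htdocs/index.html
```

An empty result for the affected user matches what Adam reports here: nothing at the mode-bit or ACL level explains the refusal, which leaves the server-side check to be examined in the debug log.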
Is the file set "read-only" in Windows properties view?

greez

Adam Nielsen wrote:
> Hi all,
>
> I've got these permissions set on a folder:
>
> $ getfacl htdocs
>
> # file: htdocs
> # owner: root
> # group: users
> user::rwx
> group::rwx
> group:DOMAIN\134htdocs_access:rwx
> mask::rwx
> other::r-x
>
> The idea being that any users in the "htdocs_access" group in Active
> Directory will have full access to this "htdocs" folder, without
> interfering with the real owner/group of the folder (which the web
> server uses.)
>
> This seems to work fine, except that any files I create through Windows
> Explorer I can't delete again (I can edit them and create more files,
> but I can't delete anything.) Viewing properties on the file indicates
> that the DOMAIN\htdocs_access group doesn't have Delete permission (the
> Delete checkbox is unticked) but the other permissions seem fine.
>
> I didn't realise that Samba treated Delete access separately to Write
> access - how do I grant Delete access on a folder?
>
> Thanks,
> Adam.

--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137
       49 (0)341 - 3550 374
Fax: 49 (0)341 - 3550 399