I asked something similar a few weeks ago and this is the answer I got
On 12.08.2013 20:15, Eduardo Sotomayor wrote:
> I read at the samba4 wiki that to set up a samba4 share you need to
>
> Create a folder that you want to share
>
> # mkdir -p /srv/samba/Demo/
>
> Add a new share to your smb.conf:
>
> [Demo]
> path = /srv/samba/Demo/
> read only = no
>
> but what about permissions at OS level? I mean do I have to chmod 770
> or chmod 2770 the folder or else?
> I read somewhere that it was necessary to chmod 777 but that configuration
> is very insecure at OS level.
The ACLs on the share/filesystem are now fully manageable through
Windows. The filesystem ACLs are stored in extended attributes (that's
why you need a filesystem supporting ext. ACLs).
What I understand from this answer is that it doesn't matter what the permissions are
at Linux OS level.
>No problem, glad it's working :)
>Ricky
>On Thu, Aug 22, 2013 at 11:59 AM, Kevin Field <kev at brantaero.com> wrote:
> Oh, I see. At first I read it as /home/me/srv. Gotcha. It works! Thanks
> very much Ricky! -K
>
>
> On 2013-08-22 12:49 PM, Ricky Nance wrote:
>
>> It looks at all of them, but the important thing is that it's 0755 all
>> the way to the folder being used (if there is any XXX0 permissions on
>> the way to the folder it will cause things to fail, which is the case
>> with the 'me' part of /home/me/share as it has 0700 permissions).
>>
>>
>> On Thu, Aug 22, 2013 at 10:54 AM, Kevin Field <kev at brantaero.com
>> <mailto:kev at brantaero.com>> wrote:
>>
>> Oh, so it only looks at the immediate parent's permissions? Not the
>> grandparent? I find that even more bewildering but a whole lot
>> easier to work with if that's the case :)
>>
>> Thanks,
>> Kev
>>
>>
>> On 2013-08-22 11:44 AM, Ricky Nance wrote:
>>
>> No, you can use /home/srv/share as long as srv (under home) is 755
>> permissions. Samba does run as root, but it also still obeys the
>> rules of the underlying file system.
>>
>> Ricky
>>
>>
>> On Thu, Aug 22, 2013 at 10:19 AM, Kevin Field <kev at brantaero.com
>> <mailto:kev at brantaero.com>> wrote:
>>
>> I can understand that.
>>
>> However, I'm a bit confused about how this is supposed to be
>> practical in the case of Samba. Samba runs as root, so it can see
>> everything. I'm telling it to share a particular folder. Why should
>> it look at the ACLs of folders above that, when there's no way they
>> will be otherwise accessible via Samba?
>>
>> The reason I bother with this question is that /home and /srv are on
>> two different partitions. I set it up so that the bulk of space
>> would be available under /home. Okay, so it sounds like links can
>> come to the rescue here. I dig around and it seems that hard links on
>> directories have not been allowed since the 70's. Symbolic links
>> could work, but if you enable the following of symbolic links in
>> smb.conf, it can open up security holes. So to me it seems there's
>> no workaround for a design that doesn't make sense in the first
>> place (checking the ACLs of parent directories even if you're root
>> and they're irrelevant to the application of sharing the given
>> directory).
>>
>> Am I missing something?
>>
>> Thanks,
>> Kev
>>
>>
>> On 2013-08-20 11:22 AM, Ricky Nance wrote:
>>
>> Permissions are hard to explain (possibly because I don't fully
>> understand them myself I guess), but if you have a directory (say /srv)
>> and you give it 0700 permissions, then only the person that owns that
>> directory is able to see anything under it, however if you give it 0755,
>> then ANYONE can see (the second 5 is R-X for everyone) what's in there,
>> now you have a directory under that, let's call it share, (so /srv/share)
>> and you give it permissions of 0777, then everyone can read/write in the
>> share folder, but no one can write to the /srv folder except the owner.
>> So when you had a share under /home/user (which is typically /home is
>> 755, and the /home/user is 0700) then no one had access to the
>> underlying directories (even if the underlying directory is 777, because
>> the user simply can't get to that point)...
>>
>> If anyone disagrees or could explain this better please feel free to do
>> so, I am not opposed to learning new things :)
>>
>> Ricky
>>
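As a check for what Ricky describes above (an added example written for this page, not code from the thread or from the Samba project): a POSIX sh function that walks every directory component of a share path and reports the ones whose mode lacks the execute (search) bit for "other", the XXX0 case that stops traversal. It assumes Linux with GNU `stat -c %a`; the function name `check_share_path` is ours.

```shell
#!/bin/sh
# Added example (not from the thread): walk each directory component of a
# share path and report those whose "other" bits lack execute (search), the
# "XXX0" case Ricky describes. Assumes Linux with GNU stat (-c %a).
# Only the "other" class is checked: the directory's owner or a member of its
# group may still traverse a directory that this reports as blocked.

# Usage: check_share_path /home/me/share
# Prints one "blocked:" line per directory that stops traversal for "other".
# Returns 0 if every component is traversable, 1 if any is blocked,
# 2 if a component does not exist.
check_share_path() {
    share_path=$1
    # Relative paths are resolved against the current directory.
    case $share_path in /*) ;; *) share_path=$PWD/$share_path ;; esac
    dir=""
    rc=0
    # Split the path on "/" into positional parameters, then rebuild it one
    # component at a time so each ancestor is inspected in turn.
    old_ifs=$IFS
    IFS=/
    set -- $share_path
    IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue           # skip empty fields (leading "/")
        dir="$dir/$comp"
        if [ ! -d "$dir" ]; then
            echo "missing: $dir"
            return 2
        fi
        mode=$(stat -c %a "$dir")            # e.g. 755, 700, 2770, 1777
        other=$((mode % 10))                 # last octal digit = "other" class
        if [ $((other & 1)) -eq 0 ]; then    # x bit (value 1) is not set
            echo "blocked: $dir (mode $mode, no x for other)"
            rc=1
        fi
    done
    return $rc
}
```

Run it against the share path from smb.conf; with /home/me at 0700 it reports that directory as blocked even though /home/me/share itself is 0777, which is exactly why the share fails for everyone but the owner.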