Jeremy Allison
2021-Feb-11 20:22 UTC
[Samba] Is “obey pam restrictions” still supposed to work in Samba 4?
On Thu, Feb 11, 2021 at 05:30:37PM +0100, Chentao Credungtao wrote:
>Hi Andrew
>
>Thanks again for your help
>
>FYI, I think I found a solution to achieve my goal and prevent some
>users from storing files over a given size on a Samba server. I did
>some tests, it seems to work. I'm wondering if you see any potential
>negative side effects.
>
>Let's say I have shared /srv/test on my Samba file server. Basically,
>all I did was :
>
>1/ # apt-get install bindfs
>
>2/ Put the following instructions in a start script (for example
>/etc/rc.local on my Debian) :
>(ulimit -S -f 102400; ulimit -H -f 102400; trap '' XFSZ; bindfs /srv/test/ /srv/test/)
>
>Basically this opens a subshell, sets a 100MB limit for the subshell,
>traps the XFSZ signal, and mounts a FUSE file system from /srv/test to
>itself (with the 100MB limit still valid).
>
>It works even better through Windows/Samba than directly from the
>shell. From the shell, a copy command of a file over 100MB creates a
>100MB truncated file. But from Windows through Samba, the file isn't
>created at all, which is what I want.
>
>Windows' error message doesn't reflect the 100MB limitation (it says
>not enough space), but apart from that it seems to do the job.
>
>---
>
>I can even prevent some users from storing big files, while allowing
>others. For that, I don't share /srv/test/, but I share
>/srv/test-restricted/ and /srv/test-unrestricted. Then I mount both
>shared folders on /srv/test, one with limitations, one without
>limitations :
>
>(ulimit -S -f 102400; ulimit -H -f 102400; trap '' XFSZ; bindfs /srv/test/ /srv/test-restricted/)
>bindfs /srv/test/ /srv/test-unrestricted/
>
>Easy !
>
>---
>
>Can you see any potential side effects ? Any reason NOT to use this
>solution ?

No, this looks like a great solution ! I'm eventually thinking bindfs can be used to allow us to remove the horrible "widelinks = yes" parameter, as it can do everything that nasty parameter can do, but in a more controlled manner.
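
The mechanism behind the recipe quoted above, reproduced without bindfs or root, as an added example that is not part of the original message: a subshell sets the file-size limit, ignores SIGXFSZ, and a child writer inherits both. The function name capped_write and the sample sizes are made up for this illustration; the block size of `ulimit -f` depends on the shell (1024 bytes in bash, 512 in its POSIX mode).

```shell
#!/bin/sh
# Added example: the file-size rlimit and signal disposition set in a
# subshell are inherited by the process started from it (bindfs in the
# recipe above, head here), while the parent shell stays unrestricted.
#
# Usage: capped_write LIMIT_BLOCKS BYTES FILE [ignore|default]
# Prints "<bytes-on-disk> <writer-exit-status>".
capped_write() {
    blocks=$1; bytes=$2; out=$3; mode=${4:-ignore}
    status=0
    (
        ulimit -S -f "$blocks"   # soft limit: the value the kernel enforces
        ulimit -H -f "$blocks"   # hard limit: ceiling an unprivileged child cannot raise
        # An ignored signal stays ignored across exec, so the writer gets a
        # failed write (EFBIG) at the limit instead of being killed by SIGXFSZ.
        [ "$mode" = ignore ] && trap '' XFSZ
        head -c "$bytes" /dev/zero > "$out" 2>/dev/null
    ) || status=$?
    echo "$(wc -c < "$out" | tr -d ' ') $status"
}

# Constructed sample run: ask for 200000 bytes under a 64-block limit.
tmp=$(mktemp -d)
# File stops at the limit; writer exits with an ordinary error status.
echo "SIGXFSZ ignored: $(capped_write 64 200000 "$tmp/a" ignore)"
# Same file size, but the writer is normally killed by SIGXFSZ (status above 128).
echo "SIGXFSZ default: $(capped_write 64 200000 "$tmp/b" default)"
# The limit was set inside the subshell only.
echo "parent shell limit: $(ulimit -f)"
rm -rf "$tmp"
```

With the signal left at its default, a long-running process such as a FUSE daemon would be terminated on the first oversized write, which is why the recipe ignores XFSZ before starting bindfs.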