I have an [apps] share that was intended to be read-only (to keep viruses away) however some Windows programs require rw access to specific files. I don't want to open-up everything on the share to rw, only those specific files/directories that need 'w' access. Here's the dilemma: In order for users to be able to change a file, the file and directory it's in need to have rw permissions (right?). But if the directory has rw permissions for the user's group, members can delete everything in the directory-- regardless of whether the file is read-only for the their group or not. Additionally, the "delete readonly = no" option (which is the default) doesn't apparently work. Another effect is that while viruses can't change/infect files in the [apps] share, they can simply DELETE all the 755-permission files they see. Ugh. How do I set this up correctly? /home/samba/apps directory: drwxrwxr-x 7 root smbusers 4096 Dec 7 15:08 apps [apps] comment = Applications path = /home/samba/apps force group = smbusers browsable = yes guest ok = no read only = yes delete readonly = no write list = @smbadmin,@smbusers valid users = @smbusers,@smbadmin admin users = @smbadmin The @smbusers were added to the write list. Originally it was only @smbadmin. The directory & file permissions are: directory-- 755 files-- 744 (root:smbusers)
On Sat, Dec 07, 2002 at 04:15:02PM -0500, root wrote:> Here's the dilemma: In order for users to be able to change a file, the > file and directory it's in need to have rw permissions (right?). But ifIf the UNIX filesystem permissions are set so that the file is writable but the directory is not a user can still modify the file, but can not delete or create ANY files in that directory (including ones they own). -- Michael Heironimus
root wrote: [ .. ]> drwxrwxr-x 7 root smbusers 4096 Dec 7 15:08 apps > > [apps] > comment = Applications > path = /home/samba/apps > force group = smbusers > browsable = yes > guest ok = no > read only = yes > delete readonly = no > write list = @smbadmin,@smbusers > valid users = @smbusers,@smbadmin > admin users = @smbadmin > > The @smbusers were added to the write list. Originally it was only > @smbadmin. > > The directory & file permissions are: > directory-- 755 > files-- 744 (root:smbusers)My quick answer is to make the directory sticky: chmod +t /home/samba/apps this prevents non-owners from deleting files, even if they have directory write permission. (this is a unix thing, not a samba thing) A further comment though, if you allow smbusers to write via unix permissions, you do not have to add that to the smb.conf 'write list' as well. Matt
Possibly Parallel Threads
- Cannot browse domain user list with 3.3.9
- smbpasswd and RID/SID problems with LDAP
- open_directory: unable to create *. Error was NT_STATUS_OBJECT_NAME_COLLISION
- net groupmap modify ntgroup="Domain Admins" ... succeeds but fails
- valid users fails with net groupmap rid=512