Sullivan, James (NIH/CIT)
2003-Sep-26 21:59 UTC
[Samba] Question on "read only" behavior in smb.conf
Hi All,

I've built Samba v2.2.8a on a RedHat 7.2 system and it seems to work ok. However I cannot understand the "read only" parameter in the following situation:

smb.conf file:
-------------------
[global]
security=user
encrypt passwords=yes
[foo]
path=/tmp/foo
read only=yes

The owner&mode of /tmp/foo is:
------------------------------------------
% ls -ld /tmp/foo
drwx-r-xr-x 3 joe joe 1024 Sep 23 13:52 /tmp/foo

I've set up a smbpasswd file containing users "joe" and "sue", both with passwords. I can connect to \\mymachine\foo as "joe" or "sue" ok from my Windows 2000 PC. I connect it to drive K: and can see all the files in /tmp/foo.

However:
-when connected via samba as "joe" I can successfully paste files into /tmp/foo. (not expected)
-when connected via samba as "sue" I cannot paste files into /tmp/foo. (expected)

It appears the UNIX file permissions are overriding the Samba configuration. I thought Samba worked the other way around but without allowing more rights than the UNIX permissions provide. In other words, why does "joe" have write access to a samba service defined as "read only" in the samba configuration?

I also checked the "Properties/Security" of the share from my Windows 2000 PC and it says:
Allow Joe Full Control
Allow Everyone Read & Execute

If this is how it is supposed to work then life gets difficult in the following circumstance: If I have a directory I want to make mountable from Samba as read only, I need to be careful and check all directory and file permissions to ensure no one connecting via Samba will have a UNIX write permission that overrides the Samba setting of "read only".

Is this correct behavior for Samba? Is there a way to make a service truly read only no matter who is connected and who owns the files? I also discovered that if sue's group matches the group ownership of /tmp/foo, then sue has write access IF /tmp/foo is group writeable.

Thanks in advance. Samba set up quickly and seems to work great, except for this little bit of strangeness.

-Jim

----------------------------------------------------
James E. Sullivan  | Northrop Grumman IT
Building 12B       | on site at: NIH/CIT/DCSS/SOSB
Room 2N207         | Phone:301-451-6372
Bethesda, MD 20892 | Email:sullivan@mail.nih.gov
-----------------------------------------------------
It should behave as you expect, a read only share is a read only share period no matter what the UNIX permissions are. At least that's been my experience with it and what the man page seems to suggest. I am very surprised at what you are seeing.

Tom Schaefer
UNIX Administrator
University of Missouri Saint Louis

On Fri, 26 Sep 2003 17:59:13 -0400 "Sullivan, James (NIH/CIT)" <sullivan@mail.nih.gov> wrote:

> Hi All,
>
> I've built Samba v2.2.8a on a RedHat 7.2 system and it seems to work ok.
> However I cannot understand the "read only" parameter in the following
> situation:
>
> smb.conf file:
> -------------------
> [global]
> security=user
> encrypt passwords=yes
> [foo]
> path=/tmp/foo
> read only=yes
>
> The owner&mode of /tmp/foo is:
> ------------------------------------------
> % ls -ld /tmp/foo
> drwx-r-xr-x 3 joe joe 1024 Sep 23 13:52 /tmp/foo
>
> I've set up a smbpasswd file containing users "joe" and "sue", both with
> passwords. I can connect to \\mymachine\foo as "joe" or "sue" ok from my
> Windows 2000 PC. I connect it to drive K: and can see all the files in
> /tmp/foo.
>
> However:
> -when connected via samba as "joe" I can successfully paste files into
> /tmp/foo. (not expected)
> -when connected via samba as "sue" I cannot paste files into /tmp/foo.
> (expected)
>
> It appears the UNIX file permissions are overriding the Samba configuration.
> I thought Samba worked the other way around but without allowing more rights
> than the UNIX permissions provide.
> In other words, why does "joe" have write access to a samba service defined
> as "read only" in the samba configuration?
>
> I also checked the "Properties/Security" of the share from my Windows 2000
> PC and it says:
> Allow Joe Full Control
> Allow Everyone Read & Execute
>
> If this is how it is supposed to work then life gets difficult in the
> following circumstance:
> If I have a directory I want to make mountable from Samba as read only,
> I need to be careful and check all directory and file permissions to ensure
> no one connecting via Samba will have a UNIX write permission that overrides
> the Samba setting of "read only".
>
> Is this correct behavior for Samba? Is there a way to make a service truly
> read only no matter who is connected and who owns the files? I also
> discovered that if sue's group matches the group ownership of /tmp/foo,
> then sue has write access IF /tmp/foo is group writeable.
>
> Thanks in advance. Samba set up quickly and seems to work great, except for
> this little bit of strangeness.
>
> -Jim
>
> ----------------------------------------------------
> James E. Sullivan  | Northrop Grumman IT
> Building 12B       | on site at: NIH/CIT/DCSS/SOSB
> Room 2N207         | Phone:301-451-6372
> Bethesda, MD 20892 | Email:sullivan@mail.nih.gov
> -----------------------------------------------------
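Added example, not part of either message and not Samba project code: a small audit that reports whether each share in an smb.conf is effectively read only and lists settings that grant write access despite "read only = yes". The [bar] and [baz] shares and the function names are hypothetical; it assumes the last assignment of a parameter wins, and it does not diagnose the behaviour reported in the thread.

```python
import re
# Constructed sample: [foo] is the share from the thread; [bar] and [baz] are
# hypothetical shares with settings that override "read only = yes".
SAMPLE = """
[global]
   security = user
[foo]
   path = /tmp/foo
   read only = yes
[bar]
   read only = yes
   write list = joe
[baz]
   read only = yes
   Writeable = yes
"""

INVERTED = {"writeable", "writable", "writeok"}  # inverted synonyms of "read only"
TRUE = {"yes", "true", "1"}

def parse(text):
    """Return {section: {normalized_param: value}}; assumes last assignment wins."""
    shares, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            cur = shares.setdefault(m.group(1).strip().lower(), {})
        elif cur is not None and "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            key = re.sub(r"\s+", "", key).lower()  # names ignore case and spaces
            if key in INVERTED:  # fold synonyms into "readonly"
                key, val = "readonly", "no" if val.lower() in TRUE else "yes"
            cur[key] = val
    return shares

def audit(text):
    """Map each share to (effective read-only flag, settings that still grant writes)."""
    shares = parse(text)
    glob = shares.pop("global", {})
    report = {}
    for name, params in shares.items():
        eff = {**glob, **params}  # share-level values override [global] defaults
        ro = eff.get("readonly", "yes").lower() in TRUE  # Samba default: read only = yes
        notes = [f"{k} = {eff[k]}" for k in ("writelist", "adminusers") if k in eff]
        report[name] = (ro, notes)
    return report
```

On a live server, feeding the output of `testparm -s` to `audit()` checks the configuration as Samba itself parses it, including values inherited from [global].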