samba - Sep 2003 - Question on "read only" behavior in smb.conf

Hi All,

I've built Samba v2.2.8a on a RedHat 7.2 system and it seems to work ok.
However
I cannot understand the "read only" parameter in the following
situation:

smb.conf file:
-------------------
[global]
   security=user
   encrypt passwords=yes
[foo]
   path=/tmp/foo
   read only=yes
   
The owner&mode of /tmp/foo is:
------------------------------------------
% ls -ld /tmp/foo
drwx-r-xr-x  3  joe  joe  1024  Sep  23  13:52  /tmp/foo

I've setup a smbpasswd file containing users "joe" and
"sue", both with
passwords.
I can connect to \\mymachine\foo as "joe" or "sue" ok from
my Windows 2000
PC.  
I connect it to drive K: and can see all the files in /tmp/foo.

However: 
-when connected via samba as "joe" I can successfully paste files into
/tmp/foo. (not expected)
-when connected via samba as "sue" I cannot paste files into /tmp/foo.
(expected)

It appears the UNIX file permissions are overriding the Samba configuration.
I thought Samba worked the other way around but without allowing more rights
than the UNIX permissions provide.
In other words, why does "joe" have write access to a samba service
defined
as "read only" in the samba configuration?

I also checked the "Properties/Security" of the share from my Windows
2000
PC and it says:
Allow	Joe	Full Control
Allow	Everyone	Read & Execute

If this is how it is supposed to work then life gets difficult in the
following circumstance:
If I have a directory I want to make mountable from Samba as read only,
I need to be careful and check all directory and file permissions to ensure
no one connecting
via Samba will have a UNIX write permission that overrides the Samba setting
of "read only".

Is this correct behavior for Samba?  Is there a way to make a service truely
read only no matter
who is connected and who ownes the files?  I also discovered that if sue's
group matches the group
ownership of /tmp/foo, then sue has write access IF /tmp/foo is group
writeable.

Thanks in advance.  Samba set up quickly and seems to work great, except for
this 
little bit of strangeness.  

-Jim

	----------------------------------------------------
	James E. Sullivan   |  Northrop Grumman IT 
	Building 12B        |  on site at: NIH/CIT/DCSS/SOSB
	Room 2N207          |  Phone:301-451-6372
	Bethesda, MD 20892  |  Email:sullivan@mail.nih.gov    
   -----------------------------------------------------

It should behave as you expect, a read only share is a read only share period no
matter what the UNIX permissions are.  At least thats been my experience with it
and what the man page seems to suggest.  I am very surprised at what you are
seeing.

Tom Schaefer
UNIX Administrator
University of Missouri Saint Louis


On Fri, 26 Sep 2003 17:59:13 -0400
"Sullivan, James (NIH/CIT)" <sullivan@mail.nih.gov> wrote:
> Hi All,
> 
> I've built Samba v2.2.8a on a RedHat 7.2 system and it seems to work
ok.
> However
> I cannot understand the "read only" parameter in the following
situation:
> 
> smb.conf file:
> -------------------
> [global]
>    security=user
>    encrypt passwords=yes
> [foo]
>    path=/tmp/foo
>    read only=yes
>    
> The owner&mode of /tmp/foo is:
> ------------------------------------------
> % ls -ld /tmp/foo
> drwx-r-xr-x  3  joe  joe  1024  Sep  23  13:52  /tmp/foo
> 
> I've setup a smbpasswd file containing users "joe" and
"sue", both with
> passwords.
> I can connect to \\mymachine\foo as "joe" or "sue" ok
from my Windows 2000
> PC.  
> I connect it to drive K: and can see all the files in /tmp/foo.
> 
> However: 
> -when connected via samba as "joe" I can successfully paste files
into
> /tmp/foo. (not expected)
> -when connected via samba as "sue" I cannot paste files into
/tmp/foo.
> (expected)
> 
> It appears the UNIX file permissions are overriding the Samba
configuration.
> I thought Samba worked the other way around but without allowing more
rights
> than the UNIX permissions provide.
> In other words, why does "joe" have write access to a samba
service defined
> as "read only" in the samba configuration?
> 
> I also checked the "Properties/Security" of the share from my
Windows 2000
> PC and it says:
> Allow	Joe	Full Control
> Allow	Everyone	Read & Execute
> 
> If this is how it is supposed to work then life gets difficult in the
> following circumstance:
> If I have a directory I want to make mountable from Samba as read only,
> I need to be careful and check all directory and file permissions to ensure
> no one connecting
> via Samba will have a UNIX write permission that overrides the Samba
setting
> of "read only".
> 
> Is this correct behavior for Samba?  Is there a way to make a service
truely
> read only no matter
> who is connected and who ownes the files?  I also discovered that if
sue's
> group matches the group
> ownership of /tmp/foo, then sue has write access IF /tmp/foo is group
> writeable.
> 
> Thanks in advance.  Samba set up quickly and seems to work great, except
for
> this 
> little bit of strangeness.  
> 
> -Jim
> 
> 	----------------------------------------------------
> 	James E. Sullivan   |  Northrop Grumman IT 
> 	Building 12B        |  on site at: NIH/CIT/DCSS/SOSB
> 	Room 2N207          |  Phone:301-451-6372
> 	Bethesda, MD 20892  |  Email:sullivan@mail.nih.gov    
>    -----------------------------------------------------
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
>