samba - Jul 2005 - A shared space between students and their teacher !!!

Hi all,

Last week I implemented samba a sa file server and domain controller for more
than 150 computers
(Win 2000 and XP). Everything is working just fine.

However, computer science faculty wanted a share for each course in which
students can upload
their homework once done and teacher download them for correction. Yet, students
can have the
right to write on that share but not delete the work of other students.

I did a test and works fine but students' work are delete-able by other
users given the below
share configuration:

------------------------------------------------
#A share shared by faculty and students
[Computer_Science]
   comment = Computer Courses
   path = /home/shares/computer_science
   public = no
   writable = yes
   write list = @cmp251a
   read only = no
   create mask = 0660
   directory mask = 0770
   force group = faculty
-------------------------------------------------

I created folders inside the path, for example, cmp340, cmp251, cmp450.

I gave right access to folders to the corresponding groups so that students can
write on that
folders, but once the file is stored on that folder, faculty members can access
it and download.
However, other users that belong to that group can access it also.


What should I do? Please Help!!!


regards,




-- 
Alaa Nizar
Network and System Administrator
Phone   : 0021269437087
Web site: http://www.iihem.ac.ma

On Saturday 09 July 2005 06:56, alaanizar@iihem.ac.ma
wrote:
> Hi all,
>
> Last week I implemented samba a sa file server and domain controller for
> more than 150 computers (Win 2000 and XP). Everything is working just fine.
>
> However, computer science faculty wanted a share for each course in which
> students can upload their homework once done and teacher download them for
> correction. Yet, students can have the right to write on that share but not
> delete the work of other students.
What you want is a drop box.  A directory that has permisions such that 
students can write but not read.  The instructor will have to move the file 
somewhere else for the student to get it back.  Perhaps into the student's 
own dropbox.  

This will get you started, I don't consider it a complete solution as
I''m
dealing only with the unix permissions of the directory-- you'll want to 
investigate how it interacts with the samba share directives.

In this scenario, Dr. Smith in addition to any faculty-only group he may be a 
member of, is also a member of the cs201 group.  (cs201 is a group containing 
all students of the cs201 course) -- so he can read and write to the files he 
receives.

	You create a directory [cs201dropbox] and give ownership to Dr. Smith, and 	
	group ownership to cs201.  

[root@localhost home]# mkdir cs201dropbox
[root@localhost home]# chown smith.cs201 cs201dropbox

	Change permissions on the directory to restrict access, notice that the group 
	can write to and pass through the directory (x) but cannot read it:

[root@localhost home]# chmod u=rwx,g=wx,o-rwx cs201dropbox

	We can set the sgid bit on the directory.  This forces files written to 
	the directory to be owned by the group of the enclosing directory.  
	Because "cs201" may not be the primary group of 
	the person writing to the directory. :

[root@localhost home]# chmod g+s cs201

	We set the sticky bit so only the owner of the directory can 
	change the files.

[root@localhost home]# chmod +t cs201dropbox

	So this is what it looks like now.  Members of group cs201 can write 
	but not read the directory.  Smith can do anything he wants in the 
	directory.  If you aren't Dr. Smith or a member of cs201, you can't 
	do anything.  (well superuser is still superuser):

[root@localhost home]# ls -ld cs201dropbox
drwx-ws--T    5 smith  cs201        4096 Jul  9 11:25 cs201dropbox

	If you blindly write to the directory and a file of the same name 
	exists, you will be told you can't do it, so change the file name and 
	you can write.

I should point out that you can use the suid bit to force ownership instead 
of, or in addition to, the sgid bit. 

Now that you have the underlying permissions sorted out, you can address the 
samba side.

Hi Robert,

Thanks for responding.

Well, I solved the problem for my situation with no need to other script.

Here is what I did, and it really works just fine.

1.  I created a share in smb.conf as below:

------------------------------------------------
#A share shared by faculty and students
[Computer_Science]
   comment = Computer Courses
   path = /home/shares/computer_science
   public = no
   writable = yes
   write list = @computer_science
   read only = no
   create mask = 0660
   directory mask = 0770
   force group = faculty
-------------------------------------------------

the group "computer_science" consists of the professor of the course
and the students enrolled in
that course. In fact it's their second group.

The "faculty" group, as indicated by its name, consists of professors
of Computer Science.

2.  I craeted the directories as follows

# mkdir /home/shares/computer_science
# chown root.computer_science /home/shares/computer_science
# chmod 1770 /home/shares/computer_science

that's all.

In that case students are able to write on that share and see the work of other
users, but can not
copy/paste or look at the other's work. they got access denied whenever they
try to access a file
in that folder which is not theirs. This is done by the sticky bit: chmod 1770,
the "1". That's
great. Which means that student A can not see, copy/paste, alter or even delete
the work of
student B.

Given the tag "force group = faculty" in smb.conf, faculty members can
read and delete the work of
students in that group.

Put all together, a file in that share will be shared ONLY between the auther
(student) and the
professor.

For my case, in runs smootly and very fine.

Hope my experience could help someone else.

> HI Alaa
>
> I had an almost identical problem to this and solved it as follows:-
>
> Create a share that students can save work into
> Create another share that staff can access
>
> Write a small helper script or program (I wrote one in C) that is invoked
as a cron job once
every minute to empty the files in the student accessible share and move them to
the staff
accessible
> directory. The program also changed the owner to staff etc
>
> The program I wrote also changed the filename to include a
> date/timestamp so that if a student submitted the same work twice staff
could easily see that
there were two (possibly different)
> copies.
>
> Because the original files were removed from the student accessible share -
no problems with
students editing "completed" work
>
> Permissions were straightforward as well - read/write access for students
to first share/directory
>
> Read/write access for staff only to second share/directory.
>
> I can send the C source if it helps but hopefully you will get the idea
from this description.
>
> Cheers
>
> Richard Smart
>
> On 9 Jul 2005 at 13:56, alaanizar@iihem.ac.ma wrote:
>
> Hi all,
>
> Last week I implemented samba a sa file server and domain controller for
more than 150 computers
(Win 2000 and XP). Everything is working just fine.
>
> However, computer science faculty wanted a share for each course in which
students can upload
their homework once done and teacher download them for correction. Yet, students
can have the
right to write on that share but not delete the work of other
students.
>
> I did a test and works fine but students' work are delete-able by other
users given the below
share configuration:
>
> ------------------------------------------------
> #A share shared by faculty and students
> [Computer_Science]
>    comment = Computer Courses
>    path = /home/shares/computer_science
>    public = no
>    writable = yes
>    write list = @cmp251a
>    read only = no
>    create mask = 0660
>    directory mask = 0770
>    force group = faculty
> -------------------------------------------------
>
> I created folders inside the path, for example, cmp340, cmp251, cmp450.
>
> I gave right access to folders to the corresponding groups so that students
can write on that
folders, but once the file is stored on that folder, faculty members can access
it and download.
However, other users that belong to that group can access it
also.
>
>
> What should I do? Please Help!!!
>
>
> regards,
>
>
>
>
> --
> Alaa Nizar
> Network and System Administrator
> Phone   : 0021269437087
> Web site: http://www.iihem.ac.ma
> --
> To unsubscribe from this list go to the following URL and read the
instructions:
https://lists.samba.org/mailman/listinfo/samba
>
>
> --
> No virus found in this incoming message.
> Checked by AVG Anti-Virus.
> Version: 7.0.323 / Virus Database: 267.8.11/44 - Release Date: 7/8/2005
>

-- 
Alaa Nizar
Network and System Administrator
Phone   : 0021269437087
Web site: http://www.iihem.ac.ma