alaanizar@iihem.ac.ma
2005-Jul-09 14:10 UTC
[Samba] A shared space between students and their teacher !!!
Hi all,

Last week I implemented Samba as a file server and domain controller for more than 150 computers (Win 2000 and XP). Everything is working just fine.

However, computer science faculty wanted a share for each course in which students can upload their homework once done and the teacher downloads them for correction. Yet, students can have the right to write on that share but not delete the work of other students.

I did a test and it works fine, but students' work is delete-able by other users given the below share configuration:

------------------------------------------------
#A share shared by faculty and students
[Computer_Science]
comment = Computer Courses
path = /home/shares/computer_science
public = no
writable = yes
write list = @cmp251a
read only = no
create mask = 0660
directory mask = 0770
force group = faculty
-------------------------------------------------

I created folders inside the path, for example, cmp340, cmp251, cmp450.

I gave right access to folders to the corresponding groups so that students can write on those folders, but once the file is stored in that folder, faculty members can access it and download it. However, other users that belong to that group can access it also.

What should I do? Please Help!!!

regards,

--
Alaa Nizar
Network and System Administrator
Phone : 0021269437087
Web site: http://www.iihem.ac.ma
Matthew Easton
2005-Jul-09 19:43 UTC
[Samba] A shared space between students and their teacher !!!
On Saturday 09 July 2005 06:56, alaanizar@iihem.ac.ma wrote:
> Hi all,
>
> Last week I implemented Samba as a file server and domain controller for
> more than 150 computers (Win 2000 and XP). Everything is working just fine.
>
> However, computer science faculty wanted a share for each course in which
> students can upload their homework once done and teacher download them for
> correction. Yet, students can have the right to write on that share but not
> delete the work of other students.

What you want is a drop box: a directory that has permissions such that students can write but not read. The instructor will have to move the file somewhere else for the student to get it back. Perhaps into the student's own dropbox.

This will get you started. I don't consider it a complete solution, as I'm dealing only with the unix permissions of the directory -- you'll want to investigate how it interacts with the samba share directives.

In this scenario, Dr. Smith, in addition to any faculty-only group he may be a member of, is also a member of the cs201 group (cs201 is a group containing all students of the cs201 course) -- so he can read and write to the files he receives.

You create a directory [cs201dropbox] and give ownership to Dr. Smith, and group ownership to cs201.

[root@localhost home]# mkdir cs201dropbox
[root@localhost home]# chown smith.cs201 cs201dropbox

Change permissions on the directory to restrict access; notice that the group can write to and pass through the directory (x) but cannot read it:

[root@localhost home]# chmod u=rwx,g=wx,o-rwx cs201dropbox

We can set the sgid bit on the directory. This forces files written to the directory to be owned by the group of the enclosing directory, because "cs201" may not be the primary group of the person writing to the directory:

[root@localhost home]# chmod g+s cs201dropbox

We set the sticky bit so only the owner of the directory can change the files.

[root@localhost home]# chmod +t cs201dropbox

So this is what it looks like now. Members of group cs201 can write but not read the directory. Smith can do anything he wants in the directory. If you aren't Dr. Smith or a member of cs201, you can't do anything (well, superuser is still superuser):

[root@localhost home]# ls -ld cs201dropbox
drwx-ws--T 5 smith cs201 4096 Jul 9 11:25 cs201dropbox

If you blindly write to the directory and a file of the same name exists, you will be told you can't do it, so change the file name and you can write.

I should point out that you can use the suid bit to force ownership instead of, or in addition to, the sgid bit.

Now that you have the underlying permissions sorted out, you can address the samba side.
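
Added example (not part of the thread): a small model of the Unix permission checks behind the drop box above, compared with a group-writable folder that lacks the sticky bit. It covers only the owner/group/other bits plus setgid and sticky (no superuser, ACLs or Samba directives); the accounts alice and bob, the "students" group, the 2770 comparison folder and the umask values are constructed for illustration.

```python
import stat
from collections import namedtuple

User = namedtuple("User", "name groups")
Node = namedtuple("Node", "owner group mode")    # mode includes setgid/sticky bits

def rwx(user, node):
    """Pick the single triplet POSIX applies: owner, else group, else other."""
    if user.name == node.owner:
        return (node.mode >> 6) & 7
    if node.group in user.groups:
        return (node.mode >> 3) & 7
    return node.mode & 7

def can_list(user, d):
    return bool(rwx(user, d) & 4)                # r on the directory

def can_read(user, d, f):
    # Opening a known name needs x on the directory and r on the file.
    return bool(rwx(user, d) & 1) and bool(rwx(user, f) & 4)

def can_delete(user, d, f):
    if rwx(user, d) & 3 != 3:                    # unlink needs w and x on the directory
        return False
    if d.mode & stat.S_ISVTX:                    # sticky: file owner or directory owner only
        return user.name in (f.owner, d.owner)
    return True

def submit(user, d, umask):
    """File created in d: setgid on d gives it d's group, else the primary group."""
    group = d.group if d.mode & stat.S_ISGID else user.groups[0]
    return Node(user.name, group, 0o666 & ~umask)

# Constructed accounts; the first group listed is treated as the primary group.
smith = User("smith", ("faculty", "cs201"))
alice = User("alice", ("students", "cs201"))
bob = User("bob", ("students", "cs201"))

dropbox = Node("smith", "cs201", 0o3730)         # u=rwx,g=wx,o= plus g+s and +t
plain = Node("smith", "cs201", 0o2770)           # group-writable, no sticky bit

def report(d, umask):
    """Map each user to (can list d, can read alice's file, can delete it)."""
    f = submit(alice, d, umask)
    return {u.name: (can_list(u, d), can_read(u, d, f), can_delete(u, d, f))
            for u in (smith, alice, bob)}

if __name__ == "__main__":
    print(stat.filemode(stat.S_IFDIR | dropbox.mode))
    for label, d, umask in (("plain 2770, umask 007", plain, 0o007),
                            ("dropbox, umask 007", dropbox, 0o007),
                            ("dropbox, umask 077", dropbox, 0o077)):
        print(label, report(d, umask))
```

In this model the sticky bit is what stops bob deleting alice's file, while whether bob or smith can open it depends on the file's own group bits: a group-readable submission is readable by any cs201 member who knows its name, and an owner-only one is unreadable to smith as well.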
alaanizar@iihem.ac.ma
2005-Jul-15 16:13 UTC
[Samba] A shared space between students and their teacher !!!
Hi Robert,

Thanks for responding.

Well, I solved the problem for my situation with no need for another script. Here is what I did, and it really works just fine.

1. I created a share in smb.conf as below:

------------------------------------------------
#A share shared by faculty and students
[Computer_Science]
comment = Computer Courses
path = /home/shares/computer_science
public = no
writable = yes
write list = @computer_science
read only = no
create mask = 0660
directory mask = 0770
force group = faculty
-------------------------------------------------

The group "computer_science" consists of the professor of the course and the students enrolled in that course. In fact it's their second group. The "faculty" group, as indicated by its name, consists of professors of Computer Science.

2. I created the directories as follows:

# mkdir /home/shares/computer_science
# chown root.computer_science /home/shares/computer_science
# chmod 1770 /home/shares/computer_science

That's all.

In that case students are able to write on that share and see the work of other users, but cannot copy/paste or look at the others' work. They get access denied whenever they try to access a file in that folder which is not theirs. This is done by the sticky bit: chmod 1770, the "1". That's great. Which means that student A cannot see, copy/paste, alter or even delete the work of student B.

Given the tag "force group = faculty" in smb.conf, faculty members can read and delete the work of students in that group.

Put all together, a file in that share will be shared ONLY between the author (student) and the professor.

For my case, it runs smoothly and very fine.

Hope my experience could help someone else.

> Hi Alaa
>
> I had an almost identical problem to this and solved it as follows:-
>
> Create a share that students can save work into
> Create another share that staff can access
>
> Write a small helper script or program (I wrote one in C) that is invoked as a cron job once every minute to empty the files in the student accessible share and move them to the staff accessible directory. The program also changed the owner to staff etc
>
> The program I wrote also changed the filename to include a date/timestamp so that if a student submitted the same work twice staff could easily see that there were two (possibly different) copies.
>
> Because the original files were removed from the student accessible share - no problems with students editing "completed" work
>
> Permissions were straightforward as well - read/write access for students to first share/directory
>
> Read/write access for staff only to second share/directory.
>
> I can send the C source if it helps but hopefully you will get the idea from this description.
>
> Cheers
>
> Richard Smart
>
> On 9 Jul 2005 at 13:56, alaanizar@iihem.ac.ma wrote:
>
> Hi all,
>
> Last week I implemented Samba as a file server and domain controller for more than 150 computers (Win 2000 and XP). Everything is working just fine.
>
> However, computer science faculty wanted a share for each course in which students can upload their homework once done and teacher download them for correction. Yet, students can have the right to write on that share but not delete the work of other students.
>
> I did a test and works fine but students' work are delete-able by other users given the below share configuration:
>
> ------------------------------------------------
> #A share shared by faculty and students
> [Computer_Science]
> comment = Computer Courses
> path = /home/shares/computer_science
> public = no
> writable = yes
> write list = @cmp251a
> read only = no
> create mask = 0660
> directory mask = 0770
> force group = faculty
> -------------------------------------------------
>
> I created folders inside the path, for example, cmp340, cmp251, cmp450.
>
> I gave right access to folders to the corresponding groups so that students can write on that folders, but once the file is stored on that folder, faculty members can access it and download. However, other users that belong to that group can access it also.
>
> What should I do? Please Help!!!
>
> regards,
>
> --
> Alaa Nizar
> Network and System Administrator
> Phone : 0021269437087
> Web site: http://www.iihem.ac.ma

--
Alaa Nizar
Network and System Administrator
Phone : 0021269437087
Web site: http://www.iihem.ac.ma