There was another tech coordinator that asked the following on our list:

> Hey all, I was wondering if anyone knew of a way to give students read/write permissions to a certain drive letter without giving them the ability to delete other (or their own) files. Currently I have chmod 1770 permissions (read write, but only owner can delete) and one owner (the teacher) for all the files, but that will not allow the student to view their own reports (??!) Any suggestions or help would be greatly appreciated.

Can this actually be done? Make it to where the user that created the file cannot even delete it? It looks to me like you would have to deny write access to the user in the samba share, and if that is the case, then the file could not be written by the user, even if he/she is in the group that owns it.

I played around with this quite a while, but could not see anything that would make it work.

I was thinking of something like the following:

    DIR1 teacher.students 3770

Then in Samba

    [data]
    path = /DIR1
    read only = no
    create mask = 460
    force mask = 2460
    directory mask = 770
    force directory mode = 3770

But I don't think this works, because it is forcing read permissions on the user, so that would not let him/her write the file, correct? I assume that even though the user is in the group, which has permission, he is denied because his username does not have permissions.

Thanks.

--
Scott Mayo
Technology Coordinator
Bloomfield Schools
PH: 573-568-5669
FA: 573-568-4565
Pager: 800-264-2535 X2549

Duct tape is like the force, it has a light side and a dark side and it holds the universe together.

Scott Mayo wrote:
> There was another tech coordinator that asked the following on our list:
>
> > Hey all, I was wondering if anyone knew of a way to give students
> > read/write permissions to a certain drive letter without giving them the
> > ability to delete other (or their own) files. Currently I have chmod
> > 1770 permissions (read write, but only owner can delete) and one owner
> > (the teacher) for all the files, but that will not allow the student to
> > view their own reports (??!) Any suggestions or help would be greatly
> > appreciated.
>
> Can this actually be done? Make it to where the user that created the
> file cannot even delete it? It looks to me like you would have to deny
> write access to the user in the samba share, and if that is the case,
> then the file could not be written by the user, even if he/she is in the
> group that owns it.
>
> I played around with this quite a while, but could not see anything that
> would make it work.
>
> I was thinking of something like the following:
>
> DIR1 teacher.students 3770
>
> Then in Samba
>
> [data]
> path = /DIR1
> read only = no
> create mask = 460
> force mask = 2460
> directory mask = 770
> force directory mode = 3770
>
> But I don't think this works, because it is forcing read permissions on
> the user, so that would not let him/her write the file, correct? I
> assume that even though the user is in the group, which has permission,
> he is denied because his username does not have permissions.
>

Ought to be able to tinker with the recycle vfs module so instead of preventing deletions, one has an audit trail of deletions.

Regards,
Doug

Scott Mayo wrote:
> There was another tech coordinator that asked the following on our list:
>
> > Hey all, I was wondering if anyone knew of a way to give students
> > read/write permissions to a certain drive letter without giving them the
> > ability to delete other (or their own) files.

If they had read/write access, but were not permitted to delete things (which should be possible with a fairly simple vfs module btw), how would that be any more useful than if they were permitted to delete things?

What is the practical difference between "rm foo" and "cat /dev/null > foo" in this case? You end up with dead zero length files in the directory instead of deleted files?

Something like this (framework stolen from skel_transparent.c) would do it I think (did not even compile it so it may not work):

    #include "includes.h"

    /* Refuse every file deletion on the share with EPERM. */
    static int skel_unlink(vfs_handle_struct *handle, connection_struct *conn, const char *path)
    {
        errno = EPERM;
        return -1;
    }

    /* Refuse every directory removal on the share with EPERM. */
    static int skel_rmdir(vfs_handle_struct *handle, connection_struct *conn, const char *path)
    {
        errno = EPERM;
        return -1;
    }

    /* Only rmdir and unlink are overridden; all other operations pass through. */
    static vfs_op_tuple skel_op_tuples[] = {
        {SMB_VFS_OP(skel_rmdir), SMB_VFS_OP_RMDIR, SMB_VFS_LAYER_TRANSPARENT},
        {SMB_VFS_OP(skel_unlink), SMB_VFS_OP_UNLINK, SMB_VFS_LAYER_TRANSPARENT},
        {NULL, SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
    };

    /* Register the module under the name "no_delete". */
    NTSTATUS init_module(void)
    {
        return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "no_delete", skel_op_tuples);
    }

--
(German philosopher) Georg Wilhelm Hegel, on his deathbed, complained, "Only one man ever understood me." He fell silent for a while and then added, "And he didn't understand me."
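
Added example (not part of the thread, and not Samba code): a small model of the POSIX owner/group/other check and the sticky-bit deletion rule, applied to the modes discussed above (3770 on the directory, 0460 on a file). The uids, gids and the names ALICE and BOB are constructed; it shows that a file's owner gets only the owner bits, and that a group member who cannot delete a file can still empty it.

```python
# Added example: a model of the POSIX permission check, not Samba code.
# All uids, gids and names below are constructed sample values.
R, W, X = 4, 2, 1
S_ISVTX = 0o1000  # sticky bit: restricts deletion inside a directory


def allowed(uid, gids, owner, group, mode, want):
    """POSIX class selection: exactly one of owner/group/other applies."""
    if uid == 0:
        return True  # simplification: root bypasses the check
    if uid == owner:
        bits = (mode >> 6) & 7   # owner bits only, even if group has more
    elif group in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want


def can_delete(uid, gids, d_owner, d_group, d_mode, f_owner):
    """unlink() needs write+search on the directory, plus the sticky rule."""
    if not allowed(uid, gids, d_owner, d_group, d_mode, W | X):
        return False
    if d_mode & S_ISVTX and uid != 0:
        return uid in (f_owner, d_owner)  # only file or directory owner
    return True


def can_truncate(uid, gids, f_owner, f_group, f_mode):
    """Emptying a file needs write on the file only, not on the directory."""
    return allowed(uid, gids, f_owner, f_group, f_mode, W)


TEACHER, ALICE, BOB, STUDENTS = 1000, 2001, 2002, 3000  # constructed ids
DIR = (TEACHER, STUDENTS, 0o3770)  # "DIR1 teacher.students 3770"

if __name__ == "__main__":
    g = {STUDENTS}
    # Alice's own file with mode 0460 (owner r--, group rw-)
    print("alice writes own file:  ", allowed(ALICE, g, ALICE, STUDENTS, 0o460, W))
    print("bob writes alice's file:", allowed(BOB, g, ALICE, STUDENTS, 0o460, W))
    print("alice deletes own file: ", can_delete(ALICE, g, *DIR, ALICE))
    print("bob deletes alice's:    ", can_delete(BOB, g, *DIR, ALICE))
    print("alice deletes teacher's:", can_delete(ALICE, g, *DIR, TEACHER))
    print("bob empties alice's:    ", can_truncate(BOB, g, ALICE, STUDENTS, 0o460))
```

The model leaves out that a file's owner can always chmod their own file, so owner bits of r-- are not a lasting restriction on the owner.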