Firstly, hello! :)
I've been trying to set up a share with permissions to allow users within
the web group to be able to put files up, have full access to their own
files but read-only access to other users' files. I've got what I think
should work, but it's not (hence this post).
The relevant section of the config is as follows:
[Common]
comment = Common Area
writable = yes
browseable = yes
path = /Store/Shares/common
vfs objects = recycle
create mask = 0740
directory mask = 0740
valid users = @web
force user = %U
force group = web
recycle:keeptree = Yes
recycle:repository = TheBin
recycle:noversions = *.doc|*.xls|*.ppt
recycle:excludedir = /tmp|/temp|/cache
recycle:exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.~??
recycle:maxsize = 0
recycle:versions = Yes
recycle:touch = Yes
Within the web group there are users stuart and mike. I've been mounting
common in two places (/mnt/tmp and /mnt/tmp2) under different users;
when I create a file as stuart (bob.txt in tmp2) it gets created on the
server with 0740 permissions and correct ownership. However, if I try and
delete the file as mike (from tmp) it allows this even though mike
should have only read permissions.
Am I missing something here (possibly something painfully obvious, as
tends to be the way of things!)?
This is all running on a gentoo box (kernel 2.6.23-gentoo-r9) with
samba 3.0.33 and a freebsd 7.0 client (using mount_smbfs).
-------------------------------
Mike Woods
Systems Administrator
On Wed, Apr 1, 2009 at 11:06 AM, Mike Woods <mike@equate-it.com> wrote:
> Firstly, hello! :)
>
> I've been trying to setup a share with permissions to allow users within the
> web group to be able to put files up, have full access to their own files
> but read only access to other users files, I've got what I think should
> work, but it's not (hence this post).
>
> The relevant section of the config is as follows
>
> [Common]
>   comment = Common Area
>   writable = yes
>   browseable = yes
>   path = /Store/Shares/common
>   vfs objects = recycle
>   create mask = 0740
>   directory mask = 0740
>   valid users = @web
>   force user = %U
>   force group = web
>   recycle:keeptree = Yes
>   recycle:repository = TheBin
>   recycle:noversions = *.doc|*.xls|*.ppt
>   recycle:excludedir = /tmp|/temp|/cache
>   recycle:exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.~??
>   recycle:maxsize = 0
>   recycle:versions = Yes
>   recycle:touch = Yes
>
> Within the web group there are users stuart and mike, i've been mounting
> common in two places (/mnt/tmp and /mnt/tmp2) under different users, when I
> create a file as stuart(bob.txt in tmp2) it gets created on the server with
> 0740 permissions and correct ownership however if I try and delete the file
> as mike (from tmp) it allows this even though mike should have only read
> permissions.

delete is not a write operation on the file but the folder.

> Am I missing something here (possibly something painfully obvious as tends
> to be the way of things!)
>
> This is all running on a gentoo box ( kernel 2.6.23-gentoo-r9 ) with samba
> 3.0.33 and a freebsd 7.0 client (using mount_smbfs)
>
> -------------------------------
> Mike Woods
> Systems Administrator

--
John M. Drescher
On Wed, Apr 1, 2009 at 12:30 PM, Mike Woods <mike@equate-it.com> wrote:
>> delete is not a write operation on the file but the folder.
>
> Bugger, that *is* painfully obvious!
>
> Time for a rethink methinks.

I think there are several ways to deal with this. However I have not done so. I believe 3.3 fully supports Windows ACLs now. Search the recent list archives. There is a vfs module for that. And in Gentoo you can get samba-3.3.X in my overlay:

http://github.com/drescherjm/jmdgentoooverlay/tree/master

I plan to update to 3.3 later today since I am at work and did not get it in this morning...

John
On Wednesday 01 April 2009 17:06:01, Mike Woods wrote:
> Firstly, hello! :)
>
> I've been trying to setup a share with permissions to allow users within
> the web group to be able to put files up, have full access to their own
> files but read only access to other users files, I've got what I think
> should work, but it's not (hence this post).
> .....
> Within the web group there are users stuart and mike, i've been mounting
> common in two places (/mnt/tmp and /mnt/tmp2) under different users,
> when I create a file as stuart(bob.txt in tmp2) it gets created on the
> server with 0740 permissions and correct ownership however if I try and
> delete the file as mike (from tmp) it allows this even though mike
> should have only read permissions.
>
> Am I missing something here (possibly something painfully obvious as
> tends to be the way of things!)

Mike may be the owner of the directory and, as such, has permissions to delete files therein. You will want to change ownership of the directory.
> delete is not a write operation on the file but the folder.

Bugger, that *is* painfully obvious! Time for a rethink methinks. Ta muchly!

---------------------
Mike Woods
Systems Administrator
John Drescher wrote:
> I think there are several ways to deal with this. However I have not
> done so. I believe 3.3 fully supports windows ACLs now. Search the
> recent list archives. There is a vfs module for that.

After a good night's sleep (well... sleep) it occurred to me that there was a painfully obvious answer to this: the sticky bit! Changed the permissions to 1777 so anyone can put a file in there but only the owner can delete it :)

---------------------
Mike Woods
Systems Administrator
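The two points made in this thread, that unlink() is authorised by the directory's permission bits rather than the file's, and that the sticky bit (mode 01000) is what restricts deletion to the file's owner, can be checked against a small model of the POSIX rule. The script below is an added example, not code from the thread or from Samba. The user and group ids, the assumption that the share root was owned by mike with mode 0770 before the fix (it had to be group-writable, or stuart could not have created bob.txt), and the assumption that it is root-owned after chmod 1777 are all constructed for the illustration. It also shows the caveat from the third reply: a user who owns the directory still bypasses the sticky bit, so the chmod alone is not enough if mike owns the share root.

```python
"""Added example (not from the thread): a model of the POSIX unlink()
permission rule behind the thread's two observations, plus a small
os.stat audit of a real directory. Ids and modes are constructed."""
import os
import stat
import tempfile
from dataclasses import dataclass

# Constructed ids standing in for the thread's users and the "web" group.
ROOT, STUART, MIKE = 0, 1000, 1001
ROOT_GID, WEB_GID = 0, 2000


@dataclass
class Inode:
    """The parts of a stat result that matter for the check."""
    mode: int  # permission bits, including the sticky bit, e.g. 0o1777
    uid: int
    gid: int


def permitted(node: Inode, uid: int, gids: set, want: str) -> bool:
    """Classic owner/group/other check for the bits in `want` ("r", "w", "x").
    Root bypasses these bits (sufficient for the directory checks used here)."""
    if uid == ROOT:
        return True
    if uid == node.uid:
        shift = 6
    elif node.gid in gids:
        shift = 3
    else:
        shift = 0
    bits = (node.mode >> shift) & 0o7
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return bits & need == need


def can_unlink(directory: Inode, entry: Inode, uid: int, gids: set):
    """Decide whether `uid` may unlink `entry` from `directory`.
    Returns (allowed, reason). The entry's own mode is never consulted,
    which is exactly the point made in the first reply."""
    if not permitted(directory, uid, gids, "wx"):
        return False, "no write+search permission on the directory"
    sticky = bool(directory.mode & stat.S_ISVTX)
    if sticky and uid not in (ROOT, entry.uid, directory.uid):
        return False, "sticky bit: only the file owner, directory owner or root may unlink"
    return True, "directory is writable; the file's 0740 mode does not protect it"


def scenario() -> dict:
    """Replay the thread: before (group-writable dir, no sticky bit) and after
    (chmod 1777). Returns the decisions so they can be checked."""
    bob_txt = Inode(0o740, STUART, WEB_GID)      # created by stuart via create mask 0740
    mikes_file = Inode(0o740, MIKE, WEB_GID)
    # Assumption: before the fix the share root is owned by mike, group web, mode 0770.
    before = Inode(0o770, MIKE, WEB_GID)
    after = Inode(0o1777, ROOT, ROOT_GID)        # chmod 1777, share root owned by root
    still_mikes = Inode(0o1777, MIKE, WEB_GID)   # chmod 1777 but ownership left with mike
    return {
        "before_mike_deletes_stuarts": can_unlink(before, bob_txt, MIKE, {WEB_GID})[0],
        "after_mike_deletes_stuarts": can_unlink(after, bob_txt, MIKE, {WEB_GID})[0],
        "after_stuart_deletes_own": can_unlink(after, bob_txt, STUART, {WEB_GID})[0],
        "after_mike_deletes_own": can_unlink(after, mikes_file, MIKE, {WEB_GID})[0],
        # Caveat from the third reply: a directory owner bypasses the sticky bit.
        "dir_owner_bypasses_sticky": can_unlink(still_mikes, bob_txt, MIKE, {WEB_GID})[0],
    }


def audit_directory(path: str) -> dict:
    """Report the bits an admin would check on a real share root with os.stat."""
    st = os.stat(path)
    return {
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "sticky": bool(st.st_mode & stat.S_ISVTX),
        "group_writable": bool(st.st_mode & stat.S_IWGRP),
        "world_writable": bool(st.st_mode & stat.S_IWOTH),
        "owner_uid": st.st_uid,
    }


def demo_audit():
    """Create a scratch directory, apply the thread's chmod 1777 and show the
    sticky flag flipping. Returns (sticky_after_1777, sticky_after_0777)."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o1777)
        with_sticky = audit_directory(d)["sticky"]
        os.chmod(d, 0o777)
        without_sticky = audit_directory(d)["sticky"]
    return with_sticky, without_sticky


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
    print("scratch dir sticky bit (1777, then 0777):", demo_audit())
```

Running it prints the five decisions and the audit of a scratch directory; point audit_directory at the real share root to confirm the sticky bit is set and to see who owns the directory, since that owner can still delete anyone's files regardless of the sticky bit.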