samba - Oct 2024 - Optimal File Permissions for Shared Access Between Windows and Linux

On Tue, 15 Oct 2024 21:58:40 +0200
Jonathan Szalavecz via samba <samba at lists.samba.org> wrote:
> I am experiencing challenges configuring optimal file permissions for
> a Samba share on my Raspberry Pi. My goal is to enable shared access
> for my wife, who uses an iPhone 13, to the directory 
> |/mnt/shared/partage_de_fichiers| while preventing access to the main 
> directory |/mnt/shared|.
> 
> Here is my Samba configuration:
No it isn't, there is a whole upper 'global' section missing that
will
tell us how you are running Samba
> 
> 
> ```[NAS]
>  ?? comment = RaspberryPi
>  ?? public = no
>  ?? writable = yes
>  ?? browsable = yes
>  ?? path = /mnt/shared
>  ?? create mask = 0600
>  ?? directory mask = 0700
>  ?? read only = no
>  ?? guest ok = no
> 
> [DatabaseShare]
>  ?? comment = Database File Share
>  ?? path = /mnt/shared/partage_de_fichiers
>  ?? public = no
>  ?? writable = yes
>  ?? browsable = yes
>  ?? read only = no
>  ?? guest ok = no
>  ?? create mask = 0660
>  ?? directory mask = 0770
>  ?? force group = sharedaccess
>  ?? force create mode = 0660
>  ?? min protocol = SMB2
>  ?? ea support = yes
>  ?? vfs objects = catia fruit streams_xattr
>  ?? fruit:delete_empty_adfiles = yes
>  ?? fruit:metadata = stream
>  ?? fruit:model = MacSamba
>  ?? fruit:nfs_aces = no
>  ?? fruit:posix_rename = yes
>  ?? fruit:veto_appledouble = no
>  ?? fruit:wipe_intentionally_left_blank_rfork = yes
> 
> ```
Quite a lot of those parameters are set to the defaults and others
should be in 'global'.
> 
> 
> Despite these settings, files copied from Windows are created with 
> permissions |rw-------|, which restricts access to only the file
> owner. I have a |umask| set to |0002| in my shell, but I am
> struggling to find the right settings to achieve optimal
> compatibility between Windows, Linux, and Samba.
> 
> For comparison, here are the permission settings for two directories:
> 
>   *
> 
>     |/mnt/shared/Office 2013|:|drwx------ 2 john_johnk john_johnk
> 4096 Apr 8 2022|
> 
>   *
> 
>     |/mnt/shared/partage_de_fichiers|:|drwxrws--- 4 john_johnk
> sharedaccess 4096 Oct 15 18:56|
What are the permissions set on /mnt/shared ?
Also, why is the share there, is it mounted from somewhere else ?
If so, where and what is the filesystem.

Rowland

Hi Rowland,

Thank you for your feedback. I apologize for not including the global 
section in my previous message. Here it is:

[global]
 ?? min protocol = SMB3
 ?? workgroup = WORKGROUP


As you can see, there isn?t much in the global section.

To answer your question about the permissions on |/mnt/shared|, here are 
the settings:

drwxrwxr-x 30 john_johnk sharedaccess 4096 Oct 15 23:42 shared


The directory is mounted from an external disk (|/dev/sdb1|), and it is 
not part of the local filesystem

john_johnk at raspberrypi:~ $ lsblk
NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda           8:0    0  1.8T  0 disk
??sda1        8:1    0  1.4T  0 part /mnt/mirror
??sda2        8:2    0  466G  0 part /mnt/restic
sdb           8:16   0  1.8T  0 disk
??sdb1        8:17   0  1.8T  0 part /mnt/shared
mmcblk0     179:0    0 59.7G  0 disk
??mmcblk0p1 179:1    0  256M  0 part /boot
??mmcblk0p2 179:2    0 59.4G  0 part /

I also wanted to mention that I'm not familiar with the Apple environment,
so I'm unsure if the following settings are necessary for my wife to read
and write in|/mnt/shared/partage_de_fichiers|:

easupport =yes
vfsobjects = catia fruit streams_xattr
fruit:delete_empty_adfiles =yes
fruit:metadata = stream
fruit:model = MacSamba
fruit:nfs_aces =no
fruit:posix_rename =yes
fruit:veto_appledouble =no
fruit:wipe_intentionally_left_blank_rfork =yes

I appreciate your help in resolving this issue!

Best regards,

Jonathan


Le 10/16/2024 ? 12:51 PM, Rowland Penny via samba a
?crit?:
> On Tue, 15 Oct 2024 21:58:40 +0200
> Jonathan Szalavecz via samba<samba at lists.samba.org> wrote:
>
>> I am experiencing challenges configuring optimal file permissions for
>> a Samba share on my Raspberry Pi. My goal is to enable shared access
>> for my wife, who uses an iPhone 13, to the directory
>> |/mnt/shared/partage_de_fichiers| while preventing access to the main
>> directory |/mnt/shared|.
>>
>> Here is my Samba configuration:
> No it isn't, there is a whole upper 'global' section missing
that will
> tell us how you are running Samba
>
>>
>> ```[NAS]
>>   ?? comment = RaspberryPi
>>   ?? public = no
>>   ?? writable = yes
>>   ?? browsable = yes
>>   ?? path = /mnt/shared
>>   ?? create mask = 0600
>>   ?? directory mask = 0700
>>   ?? read only = no
>>   ?? guest ok = no
>>
>> [DatabaseShare]
>>   ?? comment = Database File Share
>>   ?? path = /mnt/shared/partage_de_fichiers
>>   ?? public = no
>>   ?? writable = yes
>>   ?? browsable = yes
>>   ?? read only = no
>>   ?? guest ok = no
>>   ?? create mask = 0660
>>   ?? directory mask = 0770
>>   ?? force group = sharedaccess
>>   ?? force create mode = 0660
>>   ?? min protocol = SMB2
>>   ?? ea support = yes
>>   ?? vfs objects = catia fruit streams_xattr
>>   ?? fruit:delete_empty_adfiles = yes
>>   ?? fruit:metadata = stream
>>   ?? fruit:model = MacSamba
>>   ?? fruit:nfs_aces = no
>>   ?? fruit:posix_rename = yes
>>   ?? fruit:veto_appledouble = no
>>   ?? fruit:wipe_intentionally_left_blank_rfork = yes
>>
>> ```
> Quite a lot of those parameters are set to the defaults and others
> should be in 'global'.
>
>>
>> Despite these settings, files copied from Windows are created with
>> permissions |rw-------|, which restricts access to only the file
>> owner. I have a |umask| set to |0002| in my shell, but I am
>> struggling to find the right settings to achieve optimal
>> compatibility between Windows, Linux, and Samba.
>>
>> For comparison, here are the permission settings for two directories:
>>
>>    *
>>
>>      |/mnt/shared/Office 2013|:|drwx------ 2 john_johnk john_johnk
>> 4096 Apr 8 2022|
>>
>>    *
>>
>>      |/mnt/shared/partage_de_fichiers|:|drwxrws--- 4 john_johnk
>> sharedaccess 4096 Oct 15 18:56|
> What are the permissions set on /mnt/shared ?
> Also, why is the share there, is it mounted from somewhere else ?
> If so, where and what is the filesystem.
>
> Rowland
>
>