Jonathan Szalavecz
2024-Oct-16 12:45 UTC
[Samba] Optimal File Permissions for Shared Access Between Windows and Linux
Hi Rowland,

Thank you for your feedback. I apologize for not including the global section in my previous message. Here it is:

[global]
    min protocol = SMB3
    workgroup = WORKGROUP

As you can see, there isn't much in the global section.

To answer your question about the permissions on /mnt/shared, here are the settings:

drwxrwxr-x 30 john_johnk sharedaccess 4096 Oct 15 23:42 shared

The directory is mounted from an external disk (/dev/sdb1), and it is not part of the local filesystem:

john_johnk@raspberrypi:~ $ lsblk
NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda           8:0    0  1.8T  0 disk
├─sda1        8:1    0  1.4T  0 part /mnt/mirror
└─sda2        8:2    0  466G  0 part /mnt/restic
sdb           8:16   0  1.8T  0 disk
└─sdb1        8:17   0  1.8T  0 part /mnt/shared
mmcblk0     179:0    0 59.7G  0 disk
├─mmcblk0p1 179:1    0  256M  0 part /boot
└─mmcblk0p2 179:2    0 59.4G  0 part /

I also wanted to mention that I'm not familiar with the Apple environment, so I'm unsure if the following settings are necessary for my wife to read and write in /mnt/shared/partage_de_fichiers:

    ea support = yes
    vfs objects = catia fruit streams_xattr
    fruit:delete_empty_adfiles = yes
    fruit:metadata = stream
    fruit:model = MacSamba
    fruit:nfs_aces = no
    fruit:posix_rename = yes
    fruit:veto_appledouble = no
    fruit:wipe_intentionally_left_blank_rfork = yes

I appreciate your help in resolving this issue!

Best regards,
Jonathan

On 10/16/2024 at 12:51 PM, Rowland Penny via samba wrote:
> On Tue, 15 Oct 2024 21:58:40 +0200
> Jonathan Szalavecz via samba <samba at lists.samba.org> wrote:
>
>> I am experiencing challenges configuring optimal file permissions for
>> a Samba share on my Raspberry Pi. My goal is to enable shared access
>> for my wife, who uses an iPhone 13, to the directory
>> /mnt/shared/partage_de_fichiers while preventing access to the main
>> directory /mnt/shared.
>>
>> Here is my Samba configuration:
> No it isn't, there is a whole upper 'global' section missing that will
> tell us how you are running Samba
>
>> ```
>> [NAS]
>>     comment = RaspberryPi
>>     public = no
>>     writable = yes
>>     browsable = yes
>>     path = /mnt/shared
>>     create mask = 0600
>>     directory mask = 0700
>>     read only = no
>>     guest ok = no
>>
>> [DatabaseShare]
>>     comment = Database File Share
>>     path = /mnt/shared/partage_de_fichiers
>>     public = no
>>     writable = yes
>>     browsable = yes
>>     read only = no
>>     guest ok = no
>>     create mask = 0660
>>     directory mask = 0770
>>     force group = sharedaccess
>>     force create mode = 0660
>>     min protocol = SMB2
>>     ea support = yes
>>     vfs objects = catia fruit streams_xattr
>>     fruit:delete_empty_adfiles = yes
>>     fruit:metadata = stream
>>     fruit:model = MacSamba
>>     fruit:nfs_aces = no
>>     fruit:posix_rename = yes
>>     fruit:veto_appledouble = no
>>     fruit:wipe_intentionally_left_blank_rfork = yes
>> ```
> Quite a lot of those parameters are set to the defaults and others
> should be in 'global'.
>
>> Despite these settings, files copied from Windows are created with
>> permissions rw-------, which restricts access to only the file
>> owner. I have a umask set to 0002 in my shell, but I am
>> struggling to find the right settings to achieve optimal
>> compatibility between Windows, Linux, and Samba.
>>
>> For comparison, here are the permission settings for two directories:
>>
>> * /mnt/shared/Office 2013: drwx------ 2 john_johnk john_johnk 4096 Apr 8 2022
>> * /mnt/shared/partage_de_fichiers: drwxrws--- 4 john_johnk sharedaccess 4096 Oct 15 18:56
> What are the permissions set on /mnt/shared ?
> Also, why is the share there, is it mounted from somewhere else ?
> If so, where and what is the filesystem.
>
> Rowland
Rowland Penny
2024-Oct-16 13:49 UTC
[Samba] Optimal File Permissions for Shared Access Between Windows and Linux
On Wed, 16 Oct 2024 14:45:50 +0200
Jonathan Szalavecz via samba <samba at lists.samba.org> wrote:
> Hi Rowland,
>
> Thank you for your feedback. I apologize for not including the global
> section in my previous message. Here it is:
>
> [global]
>     min protocol = SMB3
>     workgroup = WORKGROUP
>
> As you can see, there isn't much in the global section.
>
> To answer your question about the permissions on /mnt/shared, here
> are the settings:
>
> drwxrwxr-x 30 john_johnk sharedaccess 4096 Oct 15 23:42 shared
>
> The directory is mounted from an external disk (/dev/sdb1), and it
> is not part of the local filesystem:
>
> john_johnk@raspberrypi:~ $ lsblk
> NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
> sda           8:0    0  1.8T  0 disk
> ├─sda1        8:1    0  1.4T  0 part /mnt/mirror
> └─sda2        8:2    0  466G  0 part /mnt/restic
> sdb           8:16   0  1.8T  0 disk
> └─sdb1        8:17   0  1.8T  0 part /mnt/shared
> mmcblk0     179:0    0 59.7G  0 disk
> ├─mmcblk0p1 179:1    0  256M  0 part /boot
> └─mmcblk0p2 179:2    0 59.4G  0 part /
>
> I also wanted to mention that I'm not familiar with the Apple
> environment, so I'm unsure if the following settings are necessary
> for my wife to read and write in /mnt/shared/partage_de_fichiers:
>
>     ea support = yes
>     vfs objects = catia fruit streams_xattr
>     fruit:delete_empty_adfiles = yes
>     fruit:metadata = stream
>     fruit:model = MacSamba
>     fruit:nfs_aces = no
>     fruit:posix_rename = yes
>     fruit:veto_appledouble = no
>     fruit:wipe_intentionally_left_blank_rfork = yes
>
> I appreciate your help in resolving this issue!
>
> Best regards,

On the face of it:

anyone can traverse to /mnt/shared
only john_johnk can traverse to /shared/Office 2013
only john_johnk and members of the sharedaccess group can traverse to /mnt/shared/partage_de_fichiers
and all files will be saved with the group of the parent directory, here 'sharedaccess'

So you should be getting what you require, but you aren't.

When I asked 'what is the filesystem', I meant, is it a Windows one (vfat etc) or a Linux one (ext4 etc).

I would change your smb.conf to this:

[global]
    workgroup = WORKGROUP
    vfs objects = catia fruit streams_xattr
    fruit:delete_empty_adfiles = yes
    fruit:metadata = stream
    fruit:nfs_aces = no
    fruit:veto_appledouble = no
    fruit:wipe_intentionally_left_blank_rfork = yes

[DatabaseShare]
    comment = Database File Share
    path = /mnt/shared/partage_de_fichiers
    read only = no
    create mask = 0660
    directory mask = 0770
    force group = sharedaccess
    force create mode = 0660

It is basically yours but with the defaults removed and other lines in the correct place.

Rowland
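Rowland's traversal walk-through and the create-mode arithmetic behind the two shares, as an added worked example that is not part of the thread. The directory modes are constructed from the ls output quoted above; the requested mode 0o666 is an assumed value (what a Windows client commonly maps to for a file without the read-only attribute), and the mask rule (AND with 'create mask', then OR with 'force create mode', defaults 0744 and 0000) follows smb.conf(5).

```python
# Added example, not from the thread: model the POSIX traversal check Rowland
# walks through and the create-mode arithmetic documented in smb.conf(5).
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Dir:
    owner: str
    group: str
    mode: int  # permission bits incl. setgid, e.g. 0o2770 for drwxrws---


# Constructed from the ls output quoted in the thread.
TREE = {
    "/mnt/shared": Dir("john_johnk", "sharedaccess", 0o775),
    "/mnt/shared/Office 2013": Dir("john_johnk", "john_johnk", 0o700),
    "/mnt/shared/partage_de_fichiers": Dir("john_johnk", "sharedaccess", 0o2770),
}


def can_traverse(user, groups, path):
    """True if user (with supplementary groups) has 'x' on every directory
    in TREE that is path itself or an ancestor of it."""
    for p, d in TREE.items():
        if path != p and not path.startswith(p + "/"):
            continue
        if user == d.owner:
            ok = d.mode & stat.S_IXUSR
        elif d.group in groups:
            ok = d.mode & stat.S_IXGRP
        else:
            ok = d.mode & stat.S_IXOTH
        if not ok:
            return False
    return True


def samba_file_mode(requested, create_mask=0o744, force_create_mode=0o000):
    """Mode Samba gives a new file: the DOS-mapped request is AND-ed with
    'create mask', then OR-ed with 'force create mode' (defaults shown)."""
    return (requested & create_mask) | force_create_mode


def new_file_group(primary_group, parent, force_group=None):
    """Group of a file created in parent: a setgid directory makes the kernel
    inherit the parent's group; otherwise 'force group' or the user's primary group."""
    if parent.mode & stat.S_ISGID:
        return parent.group
    return force_group or primary_group
```

With the [NAS] share's create mask = 0600, samba_file_mode(0o666, 0o600) returns 0o600 (rw-------), the same bits reported in the thread, while the [DatabaseShare] values (0660/0660) return 0o660.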