Samba share permissions problem



gfellerj
08-Apr-2014, 14:52
Hello,

I have a samba share created for our department students and have been getting complaints that once a user creates a file that another user doesn't have access to make changes to the file and then save it. I want the user group I created to have full access to all these files and be able to make changes... I am fairly new to the Linux world and am not sure what I need to change... Thanks in advance for any guidance!

jmozdzen
08-Apr-2014, 15:43
Hello,

I have a samba share created for our department students and have been getting complaints that once a user creates a file that another user doesn't have access to make changes to the file and then save it. I want the user group I created to have full access to all these files and be able to make changes... I am fairly new to the Linux world and am not sure what I need to change... Thanks in advance for any guidance!

You need to make sure that the group permission is keeping/setting the "w" bit. Please have a look at "man smb.conf", "create mask" parameter which by default masks that bit (0744 means "keep all user permissions as requested, but only grant read to group and others, if requested at all") and "force create mode", where "0020" would always add the "group write" permission bit.

If there may be users that can write into that share, but are members of a different group than the students, looking at "force group" might be a good idea, too.

With regards,
Jens

gfellerj
08-Apr-2014, 16:09
Thank you, I need to learn more about security masks etc. But this is what I have now under that share.

[common]
comment = Common Volume
inherit acls = Yes
force create mode = 0777
security mask = 0777
directory security mask = 0777
force directory mode = 0777
#force security mode = 0
#force directory security mode = 0
path = /common/
read only = No
writeable = Yes

jmozdzen
08-Apr-2014, 16:24
Hi gfellerj,

Thank you, I need to learn more about security masks etc. But this is what I have now under that share.

[common]
comment = Common Volume
inherit acls = Yes
force create mode = 0777
security mask = 0777
directory security mask = 0777
force directory mode = 0777
#force security mode = 0
#force directory security mode = 0
path = /common/
read only = No
writeable = Yes

while it may currently work for you, it's not a solution. You're opening everything to anyone and even have text documents marked as executables (777 -> rwx for user, group, others. 660 would be rw for user and group, nothing for others).

It's like saying that you don't have a key to your company safe for all those that need access, so you rather leave it unlocked (as well as the doors to the rooms and building).

Always keep permissions to a bare minimum required. You said the group needs write access to the files, so set "force create mode = 0020", which will add that single permission bit. If you need the same for directories, set that to 0770. If not all users belong to the target group (but have write access anyhow), force the group ownership. Nothing more.

Regards,
Jens
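
The mask arithmetic discussed in this thread, as an added example that is not part of any post: Samba ANDs the mode it derives for a new file with "create mask" and then ORs in "force create mode". The requested mode 0766 and all function names are assumptions made for illustration, and the model ignores "inherit acls" and the security mask parameters.

```python
import stat

# Defaults documented in smb.conf(5).
DEFAULT_CREATE_MASK = 0o744
DEFAULT_FORCE_CREATE_MODE = 0o000

# Assumed sample value: mode derived for a new writable file whose DOS
# archive bit is mapped to user-execute (constructed for this example).
REQUESTED_FILE_MODE = 0o766


def effective_mode(requested, create_mask=DEFAULT_CREATE_MASK,
                   force_create_mode=DEFAULT_FORCE_CREATE_MODE):
    """AND the requested mode with the create mask, then OR in forced bits."""
    return (requested & create_mask) | force_create_mode


def findings(mode):
    """List the permission problems raised in the thread for a file mode."""
    issues = []
    if not mode & stat.S_IWGRP:
        issues.append("group cannot write")
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    if mode & (stat.S_IXGRP | stat.S_IXOTH):
        issues.append("executable by group or others")
    return issues


# Per-share overrides; anything not listed keeps the Samba default.
SHARES = {
    "Samba defaults": {},
    "posted [common] share": {"force_create_mode": 0o777},
    "suggested in the reply": {"force_create_mode": 0o020},
}


def report(requested=REQUESTED_FILE_MODE):
    """Map each share name to (resulting mode, list of issues)."""
    result = {}
    for name, overrides in SHARES.items():
        mode = effective_mode(requested, **overrides)
        result[name] = (mode, findings(mode))
    return result


if __name__ == "__main__":
    for name, (mode, issues) in report().items():
        text = stat.filemode(stat.S_IFREG | mode)
        print(f"{name:24} {mode:04o} {text} {', '.join(issues) or 'ok'}")
```

These settings apply only to files created after the change; files already in the share keep their current mode and group until those are changed on the server.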