Results 1 to 3 of 3
Thread: Permissions on Samba
Enjoy an ad free experience by logging in. Not a member yet? Register.
- Join Date
- Oct 2006
Permissions on Samba
Say I have two users - "alpha" & "bravo". They are both part of the group "users". They run Windows 2000.
If alpha creates a file (e.g. text.txt), it has permissions 0755. This means that bravo can read it but can't write it, can only save a copy - which alpha can then read, but again, can't save with the same name.
How can I setup smb.conf to have files created by anyone have permissios 0777?
Many thanks for any responses.
- Join Date
- Oct 2006
I have now got this working satisfactorily, the relevant section in /etc/samba/smb.conf now reads :
comment = Shared Data
inherit acls = No
directory mask = 0770
create mask = 0770
path = /sharedata
read only = No
I had tried adding the "create mask = 0777" command in smb.conf and it didn't seem to work. I then wandered off trying to work out how "inherit acls" worked - and got nowhere.
Whilst on my journey of discovery, in the Samba documentation and an O'Rielly book (I do love Tim O'Reilly), I also happened across "force create mode = 0770" and "force directory mode = 0770". Having now resolved the problem, I didn't follow up on this.
One thing puzzles me. In various references, it suggests using :
directory mask = 0777
create mask = 0777
I don't care about permissions for the "World" so used 0770. However, under Linux, the permissions flags on created or saved files are always shown as -rwxrw---- (which is fine for my purposes), the created Directory flags are shown as drwxrwx---
From this, I guess I should / could be using "create mask = 0760". What Puzzles me is why the "group" execute flag has been cleared? Any explanation? This really isn't important as I am happy now anyhow, but I am curious.
One other puzzle - I get the impression that if userA opens a file for editing, it can also be opened (at the same time) for editing by userB - i.e. no file locks are applied - is there a way around this?
The reason your execute flag is being cleared is because you're using 'force directory mode' but not 'force create mode' - this second entry fixes file permissions to what you specify, not just directory permissions.
Remember that the 'forced' mode is logial ORed into the file mask so you might just need to use '070' for your forced create mode, that way you preserve the file permissions set by the writing app or tool, and only change the group permissions, as they are the ones that are broken. Try playing with this setting to see it's effect.
An alternative solution to the approach that you used would be to add a 'force group = users' line to the share definition, which would have ensured all files are created with the 'users' group. You'd need 'force create mode' again to complete the solution - and you can use the same technique to keep other users out of the files by being creative with the group naming you apply and by keeping your groups up to date.Linux user #126863 - see http://linuxcounter.net/