[Samba] write only permissions

Steve Rippl rippls at woodlandschools.org
Tue Sep 16 18:33:20 GMT 2008


On Mon, 2008-09-15 at 15:40 -0700, Jeremy Allison wrote:

> On Mon, Sep 15, 2008 at 01:57:55PM -0700, Steve Rippl wrote:
> > Hi,
> > 
> > We've just put in a Samba fileserver to replace our windows box for our
> > School District and it seems to be working great.  I have a question
> > about defining some specific permissions though.  We set up 'Drop boxes'
> > for teachers that kids can drag files into, but they don't have read
> > permission so they can't read each others submitted work.  Here's what
> > it looks like on the fileserver
> > 
> > root@wsdfile:/srv/materials/WHS/VanCleek# getfacl Drop_Box/
> > # file: Drop_Box
> > # owner: admin
> > # group: domain\040admins
> > user::rwx
> > user:vancleek:rwx
> > group::rwx
> > group:whs\040student:-wx
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:vancleek:rwx
> > default:group::rwx
> > default:group:whs\040student:-wx
> > default:mask::rwx
> > default:other::---
> > 
> > and the view through windows security tab shows Traverse folder/Create
> > Files/Write Attributes/Write Extended Attributes/Read permissions.
> > Needless to say this doesn't seem to work!  The student account (in the
> > right group) is not allowed to drop a file into that folder.  If I add
> > g:wsd\\whs\ Student:rwx then the student can do anything successfully,
> > with -wx nothing?!!
> > 
> > Can anyone help?
> 
> Ok, the problem is that students need to be able to read
> the containing directory in order to be able to drag and
> drop new files there. The reason is that Samba needs to
> be able to scan the directory on their behalf in order
> to do case insensitive lookups.
> 
> But so long as you don't mind allowing the students to
> see the names of each others files, you can set up a
> DropBox so that students can write into it (and their
> own files) but not edit or see others files.
> 
> Firstly, you want to make sure that files created in
> the DropBox directory are not owned by the student's
> primary group, but by the group owner of the DropBox
> directory. So :
> 
> chgrp teachers DropBox
> 
> to make it owned by the teachers group. Then set the
> setgid bit on the DropBox directory to make sure
> that files created within there have an owning group
> of teachers.
> 
> chmod g+s DropBox
> 
> Then ensure that a file in DropBox can be renamed
> or deleted by only the owner of the file, or by the
> owner of the directory, or by root (same permissions
> that /tmp has).
> 
> chmod +t DropBox
> 
> Then allow students to write into the directory
> by adding an ACL
> 
> setfacl -m g:students:rwx DropBox
> 
> So long as the default acl is set so that "others"
> have no permissions, files written by a student
> into that directory will be owned by themselves
> but will have an owning group of "teachers", and
> students will not be able to read each others
> files.
> 
> If you need to cause the files to be owned
> by the owner of the directory, not by the students
> who created them you need to set up a separate
> share as described above, but then add the
> share level parameter :
> 
> inherit owner = yes
> 
> which will cause files created within the
> directories in that share to be owned by
> the containing directory, not the creating
> owner.
> 
> Hope this helps,
> 
> Jeremy.


Works like a charm!  
Many thanks.
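The recipe Jeremy gives above (chgrp, setgid, sticky bit, a students ACL, and a default ACL that denies "other"), collected into one script as an added example that is not part of the thread. It assumes GNU coreutils (`stat -c`) and the Linux `acl` package (`setfacl`); the group names `teachers` and `students`, the helper function names, and the sample path are placeholders chosen here, not taken from the original posts.

```shell
#!/bin/sh
# Added example, not code from the thread. Applies the drop-box recipe
# described in the reply above and verifies what was set.
# Assumes GNU coreutils (stat -c) and the acl package (setfacl).
# Group names passed by the caller (e.g. "teachers", "students") are
# placeholders; adjust to the groups your Samba server actually uses.

# set_dropbox_modes DIR TEACHERS_GROUP
#   group owner = teachers, setgid so new files inherit that group,
#   sticky so only a file's owner (or the dir owner, or root) can
#   rename/delete it, and no "other" access at all.
set_dropbox_modes() {
    dir=$1
    teachers=$2
    chgrp "$teachers" "$dir" || return 1
    chmod u=rwx,g=rwx,o= "$dir" || return 1   # owner and teachers: full access
    chmod g+s "$dir" || return 1              # new files get group "teachers"
    chmod +t "$dir" || return 1               # sticky bit, as on /tmp
}

# set_dropbox_acl DIR STUDENTS_GROUP
#   students may enter, list and write the directory (read is needed because
#   Samba scans the directory for case-insensitive lookups), and the default
#   ACL denies "other" on every file created inside. Do NOT add a default
#   entry for the students group: that would let them read each other's work.
set_dropbox_acl() {
    dir=$1
    students=$2
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed" >&2; return 1; }
    setfacl -m "g:$students:rwx" "$dir" || return 1
    setfacl -d -m "o::---" "$dir" || return 1
}

# dropbox_mode DIR -> octal mode including setgid/sticky bits, e.g. 3770
dropbox_mode() {
    stat -c %a "$1"
}

# check_dropbox DIR TEACHERS_GROUP
#   returns 0 when the directory has the expected bits and group owner
check_dropbox() {
    dir=$1
    teachers=$2
    mode=$(dropbox_mode "$dir")
    [ "$mode" = "3770" ] || { echo "$dir: mode is $mode, want 3770" >&2; return 1; }
    [ "$(stat -c %G "$dir")" = "$teachers" ] || { echo "$dir: group owner is not $teachers" >&2; return 1; }
}

# Usage when run directly, as root on the file server (sample path):
#   ./dropbox.sh /srv/materials/WHS/VanCleek/Drop_Box teachers students
if [ "$#" -eq 3 ]; then
    set_dropbox_modes "$1" "$2" && set_dropbox_acl "$1" "$3" \
        && check_dropbox "$1" "$2" && getfacl "$1"
fi
```

A check worth making afterwards: `getfacl` on the directory should show `group:students:rwx` only on the access ACL, with `default:other::---` and no `default:group:students:` entry. The original listing in the question had a `default:group:whs\040student:-wx` entry, which is inherited by every new file, so each submission carries a group entry for the student group rather than relying solely on the directory's group; whether that defeats the goal depends on how the mask and Samba's create mask combine, so verifying the resulting file ACL with `getfacl` on a test submission is the practical check.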

