[Samba] Permissions problem - I am in the proper group but still can't create files

Kyle Rabe kyle.rabe at gmail.com
Wed Jan 28 19:18:42 GMT 2009


On Wed, Jan 28, 2009 at 2:03 PM, Ryan Stille <ryan at cfwebtools.com> wrote:

> ...I was forcing the group "nobody" because I need files that are created
> through the samba share to be editable by the web server.


For this purpose, I would use the "www-data" group or something similar.
The "nobody" group, in my mind, should not be able to do much of anything,
but perhaps that's a matter of preference.


> Would you suggest just adding "nobody" to the "users" group?


This wouldn't help you.  You are forcing samba to use the group "nobody",
but the files are not owned by the group "nobody".  When forcing the user
and group, you need to 1) make the forced user match the owner of the files
or 2) make the forced group match the group that owns the files.  Otherwise,
your authenticated user only has access to the world permissions because
he/she is not the owner or group that corresponds with the files in
question.

I would suggest thinking about the following:

1. Who should own the files?

This is currently "root".  You don't want Samba to use the root account (for
security reasons), so you cannot use the owner permissions on the files and
directories to determine what an authenticated Samba user can or can't do.
If you find that another owner would make sense, then you can chown the
files and make the "force user" directive match.

2. What group should own the files?

It sounds like you need a group that both the authenticated Samba user and
the web server user are a part of.  I personally would not use "nobody", and
even the "users" group has fairly widespread permissions for my taste.  I
prefer a web server operating under the "www-data" group, so I would chgrp
the files and directories within the share to this account and use the
"force group = www-data" directive to allow the authenticated Samba user to
perform operations on this share using the filesystem group permissions.

-Kyle
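
Added example, not part of Kyle's message: a small model of the owner/group/other selection the reply describes, showing why a forced group of "nobody" on files owned by another group leaves only the world permissions, and how matching the forced group to the owning group changes the result. The numeric ids, the root:users ownership and the 0775 mode are constructed for illustration, and the model is simplified (no ACLs, no root override).

```python
import os
import stat
from dataclasses import dataclass

# Constructed ids for illustration; real values come from /etc/passwd and /etc/group.
ROOT, SMB_USER = 0, 1000
USERS, WWW_DATA, NOBODY = 100, 33, 65534

@dataclass(frozen=True)
class Entry:
    uid: int   # owning user
    gid: int   # owning group
    mode: int  # permission bits, e.g. 0o775

def entry_from_path(path):
    """Build an Entry from a real file or directory."""
    st = os.stat(path)
    return Entry(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))

def perm_class(entry, euid, egids):
    """Pick the single triplet that applies: owner, else group, else other."""
    if euid == entry.uid:
        return "owner"
    if entry.gid in egids:
        return "group"
    return "other"

def allowed(entry, euid, egids, want):
    """True if every permission in `want` (chars from 'rwx') is granted.
    Simplified model: ignores ACLs and root's override."""
    shift = {"owner": 6, "group": 3, "other": 0}[perm_class(entry, euid, egids)]
    granted = (entry.mode >> shift) & 0o7
    needed = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return granted & needed == needed

def can_create_in(directory, euid, egids):
    """Creating a file needs write and search (execute) on the directory."""
    return allowed(directory, euid, egids, "wx")

if __name__ == "__main__":
    share = Entry(ROOT, USERS, 0o775)     # constructed: root:users rwxrwxr-x
    print(perm_class(share, SMB_USER, {NOBODY}), can_create_in(share, SMB_USER, {NOBODY}))
    fixed = Entry(ROOT, WWW_DATA, 0o775)  # constructed: after chgrp to www-data
    print(perm_class(fixed, SMB_USER, {WWW_DATA}), can_create_in(fixed, SMB_USER, {WWW_DATA}))
```

Pass `entry_from_path()` the share directory, plus the uid and gids the Samba session actually runs with, to check a real share.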

