[Samba] PDC directory permission fail (Bino Oetomo)

James Kosin JKosin at intcomgrp.com
Wed Jan 6 12:29:37 MST 2010


Bino,

The permissions should be 770 for directories.  They need execute
privileges for directories to be able to get access to the directories.
You should be able to set the files for 660, though I don't believe it
will keep Windows from executing a file.

Putting 'force' before 'create mask' or 'directory mask' allows you to set
bits.  You should have 'create mask 660' to force files (other than
directories) to not allow setting of the execute bit.  And directories
should usually be 'force directory mask 770' with maybe a 'directory
mask 770' before this to prevent anyone allowing a directory to be
read/writeable by everyone.

James



-----Original Message-----
From: samba-bounces at lists.samba.org
[mailto:samba-bounces at lists.samba.org] On Behalf Of
samba-request at lists.samba.org
Sent: Wednesday, January 06, 2010 2:00 PM
To: samba at lists.samba.org
Subject: samba Digest, Vol 85, Issue 6


----------------------------------------------------------------------

Message: 1
Date: Wed, 06 Jan 2010 08:51:33 +0700
From: Bino Oetomo <bino at indoakses-online.com>
To: ?????? <mail_of_sergey at mail.ru>
Cc: samba at lists.samba.org
Subject: Re: [Samba] PDC directory permission fail
Message-ID: <4B43ECA5.1010801 at indoakses-online.com>
Content-Type: text/plain; charset=KOI8-R; format=flowed

Dear Serg and All
?????? wrote:
> Hello, Bino!
>
>   
>> I use webmin to do the samba PDC configuration
>>     
> IMHO, insufficient
>   
Agree ...
I did some direct edit to conf file

>> [warehouse]
>>         comment = Files of warehouse
>>         writeable = yes
>>         path = /hdd2/samba/groupfiles/warehouse
>>
>> when I create that share via webmin i use option :
>> a. mode : 775
>> b. Create user : Root
>> c. Create Group : warehouse.
>>
>> 4. From my XP station, I login to that domain with user name "wh01",
>> the results are:
>> a. Successful login
>> b. wh01 can create a file in the home directory (/home/wh01)
>>     
>
>   
>> But, wh01 can not write file to share "warehouse"
>>     
> Which permission to the new file? May be 644? :)
> IMHO, user have right to write directory, but have not right to write file.
> Look man smb.conf for "force create mode", "force directory mode" or
> http://wiki.samba.org/index.php/Frequently_Asked_Questions#inherit_permissions
>
>   

Thank you for your enlightenment

I read that documentation, but I don't want the user to be able to execute
things in the directory.
So I changed the share to:
[warehouse]
    create mode = 660
    path = /hdd2/samba/groupfiles/warehouse
    directory mode = 660
    force group = warehouse

(and the directory is auto-created with user:group as root:warehouse)

Still the user with group "warehouse" can not access (even just "open")
the directory

so I tried to delete the share ... manually remove the dir, and re-create
the share (and dir) with:
[warehouse]
    create mode = 760
    path = /hdd2/samba/groupfiles/warehouse
    directory mode = 760
    force group = warehouse

Still the user with group "warehouse" can not access (even just "open")
the directory

Again, I tried to delete the share ... manually remove the dir, and
re-create the share (and dir) with:
[warehouse]
    create mode = 770
    path = /hdd2/samba/groupfiles/warehouse
    directory mode = 770
    force group = warehouse


And ... voila ... the user can access (read-write) the shares ...
But it'll mean that the user can also "execute" something inside the
directory ... right?

Why do we need the "execute" bit in the directory permission just to let the
user "read and write only"?

Just fyi, my system is based on :
++ Ubuntu Jaunty
++ Samba 3.32

Sincerely
-bino-
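
The following Python sketch is an added example, not part of the original messages or of Samba's code. It models the mask arithmetic discussed above (AND with the mask, then OR with the force mode) for the three attempts in the message plus 'create mask 660' combined with 'directory mask 770', and shows what the group bits of the resulting directory mode allow. The request modes, the function names, and treating the share directory as carrying the directory mask's mode are assumptions made for the illustration.

```python
import stat

# Assumed request modes before masking (not taken from the thread): rwx for
# everyone on a new directory; rw for everyone plus owner execute (the mapped
# DOS archive bit) on a new file.
DIR_REQUEST = 0o777
FILE_REQUEST = 0o766

def apply_masks(requested, mask, force=0):
    """AND with the mask to strip bits, then OR with the force mode to add bits."""
    return (requested & mask) | force

def group_dir_rights(mode):
    """What a group member may do in a directory with this POSIX mode."""
    r = bool(mode & stat.S_IRGRP)
    w = bool(mode & stat.S_IWGRP)
    x = bool(mode & stat.S_IXGRP)
    return {
        "list_names": r,              # read: see entry names only
        "open_entries": x,            # execute (search): reach files inside
        "create_or_delete": w and x,  # write has no effect without search
    }

def evaluate_share(create_mask, directory_mask, force_create=0, force_directory=0):
    """Resulting modes for new directories and files under the given settings."""
    dir_mode = apply_masks(DIR_REQUEST, directory_mask, force_directory)
    file_mode = apply_masks(FILE_REQUEST, create_mask, force_create)
    return {
        "dir_mode": oct(dir_mode),
        "file_mode": oct(file_mode),
        "group_can_write_in_dir": group_dir_rights(dir_mode)["create_or_delete"],
        "file_has_execute_bit": bool(file_mode & 0o111),
    }

# (create mask, directory mask): the three attempts from the message, then
# 660 for files combined with 770 for directories.
ATTEMPTS = {
    "660/660": (0o660, 0o660),
    "760/760": (0o760, 0o760),
    "770/770": (0o770, 0o770),
    "660/770": (0o660, 0o770),
}

if __name__ == "__main__":
    for name, (create_mask, directory_mask) in ATTEMPTS.items():
        print(name, evaluate_share(create_mask, directory_mask))
```

In this model 760 fails for the same reason as 660: the execute (search) bit lands on the owner, not on the group. The 660/770 row gives group write access to the directory while new files carry no Unix execute bit.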


