Samba and UNIX permissions

Cole, Timothy D. timothy_d_cole at md.northgrum.com
Thu Jul 29 20:28:34 GMT 1999


> -----Original Message-----
> From:	Larry McElderry [SMTP:larry at ptcoupling.com]
> Sent:	Thursday, July 29, 1999 14:27
> To:	Multiple recipients of list SAMBA-NTDOM
> Subject:	Samba and UNIX permissions
> 
> The delete readonly parameter is supposed to allow/prevent users from
> deleting files to which they only have read access.
> 
	I believe it actually only prevents users from deleting files
that they own that they only have read access to.  I agree, the current
behavior is probably not the most desirable one.

> However,  consider this
> file:
> -rw-rw-r--   1 root     dpdev           6 Jul 29 10:08 xx.txt
> 
> Joe logs in through samba PDC and is not a member of group dpdev.  Goes to
> the
> share containing this file and deletes it from Windows Explorer.
> 
> Now root's all PO'd because Joe deleted his file.
> 
	Why is root putting valuable files where Joe can delete them?

> I realize this is the default behavior for Linux (which does not
> particularly endear me to Linux),
> 
	This is normal behavior for Unix in general.  The reasoning behind
it runs something like:

	1. when you add/remove files from a directory, you are writing to
(modifying) the directory,
	   not the file (there may be other links to the file, so removing a
link from a directory
	   does not always imply deleting it)

	   - you should be able to delete anything from a directory you have
write permission to

	2. a user has full control over the files and directories they own

	   - if a bunch of people have write access to a directory you own,
you should still have some say over what goes there

	3. if you have a publicly writable directory (i.e. /tmp) that a lot
of different people use, then you might want to set the sticky bit on the
directory.  That will prevent anyone but the owner of the directory, root,
and the owner of the file from deleting a file from the directory.

	   - in really public directories, just because a person can put
files in the directory doesn't mean they should be able to delete other
people's things from the same directory

	[ to set the sticky bit on a directory, use "chmod o+t directory" ]

> but shouldn't setting the delete readonly = false prevent this?  Setting
> permissions to 464 does prevent deletion,  but has the nasty side effect
> of
> not allowing any Windows user to change the file.  Using group permissions
> this used to work in Samba  -  what happened?
> 
	I think the mapping of the readonly attribute changed; it now only
corresponds to the opposite of the 'owner write' bit.
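As an added illustration of the rules Timothy lists above (it is not from this mail and not Samba's own code), here is a small Python model of the two checks a delete from a share goes through: the kernel's unlink check, which looks at the *directory* and not the file, and Samba's own refusal when the DOS read-only attribute is set and "delete readonly" is off. The uids, gids and modes are made up for the example; the 664/464 modes and the root:dpdev ownership mirror the xx.txt file in Larry's mail, and the "readonly = inverse of owner-write" mapping is the one described just above.

```python
"""Who may delete a file through Samba on a Unix host (constructed model).

Check 1: unlink(2) needs write+search permission on the directory; the
         file's own mode plays no part. With the sticky bit set, only root,
         the directory owner or the file owner may remove an entry.
Check 2: Samba derives the DOS read-only attribute from the owner-write
         bit and, with "delete readonly = no", refuses to delete such files.
All uids/gids/modes below are constructed for illustration.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    mode: int   # permission bits, e.g. 0o664, or 0o1777 for a sticky dir
    uid: int
    gid: int


@dataclass(frozen=True)
class User:
    uid: int
    gids: frozenset


ROOT_UID = 0


def has_access(user, node, want):
    """POSIX discretionary check. root bypasses; otherwise the first matching
    class (owner, then group, then other) decides. `want` is a mask built
    from the "other" bits, e.g. stat.S_IWOTH | stat.S_IXOTH."""
    if user.uid == ROOT_UID:
        return True
    if user.uid == node.uid:
        bits = (node.mode >> 6) & 0o7
    elif node.gid in user.gids:
        bits = (node.mode >> 3) & 0o7
    else:
        bits = node.mode & 0o7
    return (bits & want) == want


def kernel_allows_unlink(user, directory, target):
    """Point 1 of the reply: deleting modifies the directory, so the directory
    must be writable (and searchable). Point 3: the sticky bit narrows that
    to root, the directory owner and the file owner."""
    if not has_access(user, directory, stat.S_IWOTH | stat.S_IXOTH):
        return False
    if directory.mode & stat.S_ISVTX and user.uid not in (ROOT_UID, directory.uid, target.uid):
        return False
    return True


def dos_readonly(target):
    """Samba's mapping: DOS read-only is the opposite of the owner-write bit,
    which is why mode 464 looks read-only to a Windows client."""
    return not (target.mode & stat.S_IWUSR)


def samba_allows_delete(user, directory, target, delete_readonly=False):
    """Samba's refusal comes first; if it passes, the kernel has the last word."""
    if dos_readonly(target) and not delete_readonly:
        return False
    return kernel_allows_unlink(user, directory, target)


# Constructed actors and objects modelled on the mail's example.
DPDEV_GID = 50                                     # made-up gid for "dpdev"
ROOT = User(uid=ROOT_UID, gids=frozenset({0}))
JOE = User(uid=1001, gids=frozenset({100}))        # Joe is NOT in dpdev
SHARE = Inode(mode=0o777, uid=0, gid=DPDEV_GID)         # world-writable share dir
STICKY_SHARE = Inode(mode=0o1777, uid=0, gid=DPDEV_GID)  # same dir after chmod o+t
XX_664 = Inode(mode=0o664, uid=0, gid=DPDEV_GID)   # -rw-rw-r-- root dpdev xx.txt
XX_464 = Inode(mode=0o464, uid=0, gid=DPDEV_GID)   # owner-write bit cleared


if __name__ == "__main__":
    cases = [
        ("664 file, plain dir", SHARE, XX_664, False),
        ("664 file, sticky dir", STICKY_SHARE, XX_664, False),
        ("464 file, delete readonly = no", SHARE, XX_464, False),
        ("464 file, delete readonly = yes", SHARE, XX_464, True),
    ]
    for label, d, f, dr in cases:
        k = kernel_allows_unlink(JOE, d, f)
        s = samba_allows_delete(JOE, d, f, dr)
        print(f"Joe, {label:32} kernel={k!s:5} samba={s}")
```

Running it shows the three situations the thread is about in one table: Joe can delete root's 664 file because the share directory is world-writable, the sticky bit on that directory stops him, and a 464 mode stops him only because Samba sees the file as read-only, not because of anything the kernel checks.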
