Samba and read-only attribute

Daniel O'Callaghan danny at freebsd.org
Thu Oct 7 22:10:16 GMT 1999


I've installed a samba fileserver for a client, and it seems that in
scoping the job I failed to discover that the customer makes extensive use
of the read-only attribute with the old NT file server, setting RO on
files which should not be accidentally changed.  

The problem lies in the fact that with the old system any user who had rw
access to the directory and the files in it could also set the RO
attribute.  With FreeBSD (and most (all?) unices), only the owner can
change the permissions on a file.

I've read the samba docs and everywhere it seems to say that samba is
never less restrictive than the underlying Unix filesystem.  I've e-mailed
the samba mailing list and heard nothing.  I've looked at "security mask"
and "usermap" and "admin user", but they don't do what I need.

Does anyone have any idea how I can provide the customer with the desired
functionality?  I'm prepared to hack the samba code and the ufs code if
necessary, but I'd prefer not to do that, of course.

Surely this problem has come up for other people?

What I'm thinking of is possibly something like "if the user is a member
of the file's group, and a member of the directory's group and the
directory has group write access, and the file is not suid or sgid, then
allow the user to set/reset the w bits of u and g, and to reset the w bit
of o."

I'm sure that the concept can be tidied up a bit, but I'm thinking along
the lines of "allow the user to change the w perms if the user has
permission to delete the file and recreate it in the same place with the
same name and same contents."

In effect it is just being pragmatic about permissions changing.

Please respond quickly. There is urgency in resolving this issue.

Thanks,

Danny
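
The rule sketched in the message above, written as a standalone predicate over stat() values. This is an added example, not Samba or FreeBSD code and not part of the original post; the names ro_toggle_allowed, in_groups and W_BITS are hypothetical, and the regular-file and sticky-directory guards are assumptions added here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>
#include <sys/stat.h>

#ifndef S_ISVTX
#define S_ISVTX 01000  /* sticky bit, if the headers hide it */
#endif
#define W_BITS (S_IWUSR | S_IWGRP | S_IWOTH)

/* True if gid is in the caller's group list (primary + supplementary). */
static bool in_groups(gid_t gid, const gid_t *groups, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (groups[i] == gid)
            return true;
    return false;
}

/*
 * Hypothetical check for the rule proposed in the post.
 * fmode/fgid and dmode/dgid are st_mode/st_gid of the file and of its
 * parent directory; want is the mode the client asks for.
 * Returns true if a non-owner whose groups are groups[] may apply it.
 */
bool ro_toggle_allowed(mode_t fmode, gid_t fgid, mode_t dmode, gid_t dgid,
                       const gid_t *groups, size_t n, mode_t want)
{
    mode_t changed = (fmode ^ want) & 07777;

    /* Added guards, not in the post: regular files only, and no sticky
     * directory, where a non-owner could not delete and recreate. */
    if (!S_ISREG(fmode) || (dmode & S_ISVTX))
        return false;
    /* From the post: member of both groups, directory group-writable. */
    if (!in_groups(fgid, groups, n) || !in_groups(dgid, groups, n))
        return false;
    if (!(dmode & S_IWGRP))
        return false;
    /* From the post: never touch suid or sgid files. */
    if (fmode & (S_ISUID | S_ISGID))
        return false;
    /* Only the write bits may change ... */
    if (changed & ~(mode_t)W_BITS)
        return false;
    /* ... and o+w may be cleared but never newly set. */
    if ((changed & S_IWOTH) && (want & S_IWOTH))
        return false;
    return true;
}
```

A caller would still have to perform the actual mode change with elevated privilege after this check passes, since the kernel only lets the owner or root chmod the file.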


