Samba and read-only attribute

Paul Heinz paul at profax.co.nz
Fri Oct 8 00:02:46 GMT 1999


Danny wrote:
> I've installed a samba fileserver for a client, and it seems that in
> scoping the job I failed to discover that the customer makes extensive use
> of the read-only attribute with the old NT file server, setting RO on
> files which should not be accidentally changed.
>
> The problem lies in the fact that with the old system any user who had rw
> access to the directory and the files in it could also set the RO
> attribute.  With FreeBSD (and most (all?) unices), only the owner can
> change the permissions on a file.
>
> I've read the samba docs and everywhere it seems to say that samba is
> never less restrictive than the underlying Unix filesystem.  I've e-mailed
> the samba mailing list and heard nothing.  I've looked at "security mask"
> and "usermap" and "admin user", but they don't do what I need.
>
> Does anyone have any idea how I can provide the customer with the desired
> functionality?  I'm prepared to hack the samba code and the ufs code if
> necessary, but I'd prefer not to do that, of course.
>
> Surely this problem has come up for other people?
>
> What I'm thinking of is possibly something like "if the user is a member
> of the file's group, and a member of the directory's group and the
> directory has group write access, and the file is not suid or sgid, then
> allow the user to set/reset the w bits of u and g, and to reset the w bit
> of o."
>
> I'm sure that the concept can be tidied up a bit, but I'm thinking along
> the lines of "allow the user to change the w perms if the user has
> permission to delete the file and recreate it in the same place with the
> same name and same contents."
>
> In effect it is just being pragmatic about permissions changing.
>
> Please respond quickly. There is urgency in resolving this issue.

We had a similar requirement. Essentially, for changing attributes to work,
all the files need to have the same owner and all access via samba needs to
be 'as' that owner.

Admittedly, samba could probably be changed to have different semantics (and
there may already be a way to do this) but here is the solution we presently
use.

Add a user to be the share owner. Ensure that all the files within a given
share have the nominated owner via a quick chown as root. For that share,
add a 'force user = <share owner>' to your smb.conf and the problem is
solved - anyone who can access said share can now change file attributes.

TTFN,
  Paul.
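Paul's 'force user' approach collapses every connecting user onto one UNIX account, so the share's own smb.conf controls become the only thing deciding who can alter attributes. As an added example (not code from the post or from the Samba project), here is a constructed smb.conf with the recommended stanza beside a careless one, and a small audit that flags the two things a reviewer would check: a share forced to root, and a forced share that does not restrict who may connect. The share names, paths, the 'shareowner' account and the 'docs-staff' group are assumed values.

```python
import configparser
import io

# Constructed sample smb.conf (not from the original post). [docs] follows
# the advice in the reply; [scratch] shows the variant the audit should flag.
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   security = user

[docs]
   path = /srv/samba/docs
   writeable = yes
   force user = shareowner
   valid users = @docs-staff
   create mask = 0664
   directory mask = 0775

[scratch]
   path = /srv/samba/scratch
   writeable = yes
   force user = root
"""


def load_smb_conf(text):
    """Parse smb.conf text; it is INI-like and keys may contain spaces."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_file(io.StringIO(text))
    return parser


def audit_force_user(text):
    """Return (share, finding) pairs for shares that use 'force user'.

    Because all access runs as the forced account, the share should name who
    may connect ('valid users'), must not allow guests, and must never force
    to root (which would hand every connecting user root's file access)."""
    parser = load_smb_conf(text)
    findings = []
    for share in parser.sections():
        if share in ('global', 'homes', 'printers'):
            continue
        sec = parser[share]
        forced = sec.get('force user')
        if not forced:
            continue
        if forced.strip() == 'root':
            findings.append((share, 'force user = root'))
        if sec.getboolean('guest ok', fallback=False):
            findings.append((share, 'force user with guest ok'))
        if not sec.get('valid users'):
            findings.append((share, 'force user without valid users'))
    return findings
```

The chown step from the reply still has to be done once on the share tree so that every file actually belongs to the forced account; the audit only checks the configuration side.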