setting permissions...

David Lee T.D.Lee at durham.ac.uk
Tue Jun 1 11:32:18 GMT 1999


Re:

> Date: Tue, 1 Jun 1999 16:20:13 +0800 (JST)
> From: "Francis A. Vidal" <francis at usls.edu>
> To: Samba List <samba at samba.org>
> Subject: setting permissions...
> 
> [...]
> SHARE:
> 
> [answers]
>    |
>    +--- 1 ---+-- date1
>    |         |
>    |         +-- date2
>    |
>    +--- 2 ---+-- date1
>              |
>              +-- date2
> 
> GROUPS: faculty, students
> PATH: /home/samba/shares/answers
> 
> ./answers/		(faculty can create subdirectories, files, etc. but
> 			no write access to students)
> 
> ./answers/1		(faculty can create subdirectories, files, etc. but
> 			no write access to students)
> 
> ./answers/1/date	(faculty can create subdirectories, files, etc.
> 			but write-only access to students -- no reading,
> 			user cannot delete the file once it has been 
> 			saved, no creation of directories)
> 
> can this be done? what will the necessary permissions be on the
> directories? the creation mask? thanks all!

Hmmm...  The last bit ("write-only access to students ... user [presumably
the creating student] cannot delete") sounds tricky.  In UNIX, file
creation and deletion both invoke a write on the directory itself:  if I
can create an object (within a directory), then I can delete it.  And if
the directory allows me to create a file, then I can create a subdirectory:
there is no distinction. 

[ Possible diversion, so feel free to ignore ...

Related to this might be a feature I prepared a few months ago under
2.0.2, and which I recently formalised as a patch under 2.0.4 which I
submitted to the Samba team recently (although I have not yet heard from
them ... hint!).

This is tentatively entitled "inherit mode", and is complementary to (i.e. 
alternative to) "create mask", "directory mode" etc.  It basically copies
permissions of new (or re-created) files from the parent directory.  Files
inherit read/write bits, directories inherit all bits.  This allows us to
set up the home directory for each of our 15,000 users to be as private as
possible (711), but within that for us to set up for each a "public_html"
subdirectory as 755.  Generally all new files will, rightly, be private
(600), except those in "public_html" which will, rightly, be public (644). 

It also allows the user to create their own directories with special modes
(e.g. group), and for things within that hierarchy to inherit similar
modes (i.e. what an ordinary user without higher degrees in Comp.Sci. and
UNIXology might naturally expect).

... end diversion ]

Forgetting about samba just for a moment...  Assume all your staff and
students were working natively on UNIX.  How would you use UNIX
permissions to achieve your goals?  Is it even possible?  (I suspect not,
at least in its entirety.)  Only when you've worked out your UNIX model
can you begin to work out the samba mappings.

[ Note: the "inherit mode"  patch described above falls outside the pure
UNIX model, but in our version of userland (UNIX is hidden!), its
potential benefits far outweigh the drawbacks. ]

Hope that helps.

--

:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  Phone:    +44 191 374 2882 (ddi)         South Road            :
:  Fax:      +44 191 374 7759               Durham                :
:  Internet: T.D.Lee at durham.ac.uk           U.K.                  :
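
The "inherit mode" rule described in the message above (files inherit the parent's read/write bits, directories inherit all bits), emulated on a scratch directory tree as an added example; it is not part of the original message and not code from the Samba patch. The directory and file names are constructed, and setting the mode with an explicit chmod after creation is an assumption made here so that the umask does not interfere.

```python
import os
import stat
import tempfile

RW_BITS = 0o666  # read/write bits for user, group and other


def inherited_mode(parent_mode, is_dir):
    """Directories take all parent permission bits, files only read/write."""
    perms = stat.S_IMODE(parent_mode)
    return perms if is_dir else perms & RW_BITS


def create_inheriting(path, is_dir=False):
    """Create (or re-create) path and set its mode from the parent directory."""
    parent = os.path.dirname(os.path.abspath(path))
    mode = inherited_mode(os.stat(parent).st_mode, is_dir)
    if is_dir:
        os.mkdir(path)
        os.chmod(path, mode)  # explicit chmod, so the umask cannot strip bits
    else:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        try:
            os.fchmod(fd, mode)
        finally:
            os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Build the home-directory layout from the message; return the modes."""
    with tempfile.TemporaryDirectory() as top:
        home = os.path.join(top, "home_user")      # constructed name
        web = os.path.join(home, "public_html")
        group = os.path.join(home, "groupwork")    # constructed name
        for path, mode in ((home, 0o711), (web, 0o755), (group, 0o770)):
            os.mkdir(path)
            os.chmod(path, mode)                   # modes set up by hand
        return {
            "home file": create_inheriting(os.path.join(home, "notes.txt")),
            "web file": create_inheriting(os.path.join(web, "index.html")),
            "group dir": create_inheriting(os.path.join(group, "sub"), True),
            "group file": create_inheriting(os.path.join(group, "sub", "a.txt")),
        }


if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{name}: {mode:04o}")
```
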


