[Samba] sticky bit, etc.

daniel.jarboe at custserv.com daniel.jarboe at custserv.com
Thu Oct 31 13:50:01 GMT 2002


Problem is, with standard unix permissions, renaming a file is a matter 
of writing to the directory.  You can have a file owned by root:root and 
chmodded to 000, and any non-privileged user would still be able to 
rename that file if they had write access to the directory.  If a user 
has enough access to create a file in the directory, they have enough 
access to rename files in that directory... for more fine-tuning you 
need to bring ACLs into the mix.

~ Daniel

ypismerov at tucows.com wrote:

>
>jef dodson wrote:
>
>>ok, that works to disallow non-owners from renaming the file, but what I would
>>like to do is disallow EVERYONE ( including the owner of the file ) from
>>editing, moving, or changing the filename once it is created.  the only person
>>who should be able to make those changes is a special user.  any ideas about
>>how to accomplish that?  Thanks.
>>
>
>
>Yeah, I realized that after I pressed Enter...
>To me it looks like it can be done with ACLs only.
>Or you can try postexec or cron script that will change ownership on the
>files.
>Looks kinda ugly, but it should work.
>
>>--- Yura Pismerov <ypismerov at tucows.com> wrote:
>>
>>>
>>>Yura Pismerov wrote:
>>>
>>>>jef dodson wrote:
>>>>
>>>>>I have a question about samba and sticky bits.  I have a share with the
>>>>>following configuration:
>>>>>
>>>>>[documents]
>>>>>  comment = documents
>>>>>  path = /shares/documents
>>>>>  public = no
>>>>>  writeable = yes
>>>>>  printable = no
>>>>>  valid users = @lan1
>>>>>  force user = docadmin
>>>>>
>>>>^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>>
>>>>        That is why.
>>>>        No matter what username is, it will be forced to docadmin, so the
>>>>sticky bit does not make much sense since the user who is manipulating
>>>>the file is the owner of the file from the OS point of view.
>>>>        To achieve what you want you need to remove "force user".
>>>>
>>>
>>>      Yeah, and create mode should be 0640 in this case.
>>>
>>>>>  force group = lan1
>>>>>  create mode = 0440
>>>>>  force create mode = 0440
>>>>>  directory mode = 1770
>>>>>  force directory mode = 1770
>>>>>  delete read only = no
>>>>>
>>>>>I also have the sticky bit set on /shares/documents.
>>>>>
>>>>>Now, when I drop the file 'test.txt' in the directory, it has the following
>>>>>permissions:
>>>>>
>>>>>-r--r-----    1 docadmin lan1            4 Oct 29 17:45 test.txt
>>>>>
>>>>>Now, when I login to the server via ssh as jdodson, the sticky bit on the
>>>>>directory prevents me from renaming the test.txt file.  However, when I login
>>>>>to the server from windows as jdodson, I can change the filename and move the
>>>>>file to another directory.  So, it seems that samba is ignoring the sticky bit
>>>>>on the /shares/documents directory.
>>>>>
>>>>>The ultimate goal for the behavior of the directory is this:
>>>>>
>>>>>when someone drops a file in the directory or subdirectory, it becomes
>>>>>read-only so that it can't be edited, moved, or renamed by anyone except for a
>>>>>special user with admin privileges.
>>>>>
>>>>>--
>>>>>To unsubscribe from this list go to the following URL and read the
>>>>>instructions:  http://lists.samba.org/mailman/listinfo/samba
>>>>>
>>
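Daniel's point (renaming writes the directory entry, and the sticky bit only narrows that to the file's or the directory's owner) and Yura's explanation of why "force user" defeats it can be checked against a small model of the permission check. This is an added example, not code from the thread or from Samba; the user and group names are the thread's, the uid/gid numbers are constructed, and ACLs are not modelled.

```python
import stat
from collections import namedtuple
# Constructed identities: name -> (uid, primary gid); gid 2000 is lan1.
USERS = {"root": (0, 0), "docadmin": (1001, 2000),
         "jdodson": (1002, 2000), "guest": (1003, 3000)}
# owner = owning user name, gid = owning group, mode = bits incl. sticky
Inode = namedtuple("Inode", "owner gid mode")

def permitted(ino, user, want):
    """Pick the owner/group/other class like the kernel and test the rwx
    mask 'want' (0o3 = write + search, what a rename needs on the dir)."""
    uid, gid = USERS[user]
    if uid == 0:
        return True
    if USERS[ino.owner][0] == uid:
        bits = (ino.mode >> 6) & 7
    elif ino.gid == gid:
        bits = (ino.mode >> 3) & 7
    else:
        bits = ino.mode & 7
    return bits & want == want

def can_rename(user, directory, target):
    """Rename rewrites the directory entry, so the target's own mode (0440,
    even 000) is irrelevant; the sticky bit then also demands that the
    caller own the file or the directory (root excepted)."""
    if not permitted(directory, user, 0o3):
        return False
    if directory.mode & stat.S_ISVTX:
        uid = USERS[user][0]
        return uid in (0, USERS[target.owner][0], USERS[directory.owner][0])
    return True

def samba_effective_user(login_user, force_user=None):
    """'force user' replaces the connecting user for every file operation."""
    return force_user or login_user

# The share from the thread: dir 1770 docadmin:lan1, test.txt 0440 docadmin:lan1.
DOCS = Inode("docadmin", 2000, 0o1770)
TEST_TXT = Inode("docadmin", 2000, 0o440)

def scenarios():
    return {
        "ssh as jdodson": can_rename("jdodson", DOCS, TEST_TXT),
        "smb, force user = docadmin": can_rename(
            samba_effective_user("jdodson", "docadmin"), DOCS, TEST_TXT),
        "smb, no force user, own file": can_rename(
            samba_effective_user("jdodson"), DOCS, Inode("jdodson", 2000, 0o440)),
    }
```

The third scenario is why the thread ends up at ACLs: without "force user" the sticky bit still lets a file's own creator rename it, so "nobody but docadmin" cannot be expressed with mode bits alone.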
