[Samba] sticky bit, etc.
daniel.jarboe at custserv.com
Thu Oct 31 13:50:01 GMT 2002
Problem is, with standard unix permissions, renaming a file is a matter
of writing to the directory. You can have a file owned by root:root and
chmodded to 000, and any non-privileged user would still be able to
rename that file if they had write access to the directory. If a user
has enough access to create a file in the directory, they have enough
access to rename files in that directory... for more fine-tuning you
need to bring ACLs into the mix.
~ Daniel
ypismerov at tucows.com wrote:
>
>jef dodson wrote:
>
>>ok, that works to disallow non-owners from renaming the file, but what I would
>>like to do is disallow EVERYONE ( including the owner of the file ) from
>>editing, moving, or changing the filename once it is created. the only person
>>who should be able to make those changes is a special user. any ideas about
>>how to accomplish that? Thanks.
>>
>
>
>Yeah, I realized that after I pressed Enter...
>To me it looks like it can be done with ACLs only.
>Or you can try postexec or cron script that will change ownership on the
>files.
>Looks kinda ugly, but it should work.
>
>>--- Yura Pismerov <ypismerov at tucows.com> wrote:
>>
>>>
>>>Yura Pismerov wrote:
>>>
>>>>jef dodson wrote:
>>>>
>>>>>I have a question about samba and sticky bits. I have a share with the
>>>>>following configuration:
>>>>>
>>>>>[documents]
>>>>> comment = documents
>>>>> path = /shares/documents
>>>>> public = no
>>>>> writeable = yes
>>>>> printable = no
>>>>> valid users = @lan1
>>>>> force user = docadmin
>>>>>
>>>>^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>>
>>>> That is why.
>>>> No matter what username is, it will be forced to docadmin, so the
>>>>sticky bit does not make much sense since the user who is manipulating
>>>>the file is the owner of the file from the OS point of view.
>>>> To achieve what you want you need to remove "force user".
>>>>
>>>
>>> Yeah, and create mode should be 0640 in this case.
>>>
>>>>> force group = lan1
>>>>> create mode = 0440
>>>>> force create mode = 0440
>>>>> directory mode = 1770
>>>>> force directory mode = 1770
>>>>> delete read only = no
>>>>>
>>>>>I also have the sticky bit set on /shares/documents.
>>>>>
>>>>>Now, when I drop the file 'test.txt' in the directory, it has the following
>>>>>permissions:
>>>>>
>>>>>-r--r----- 1 docadmin lan1 4 Oct 29 17:45 test.txt
>>>>>
>>>>>Now, when I log in to the server via ssh as jdodson, the sticky bit on the
>>>>>directory prevents me from renaming the test.txt file. However, when I log in
>>>>>to the server from Windows as jdodson, I can change the filename and move the
>>>>>file to another directory. So, it seems that samba is ignoring the sticky bit
>>>>>on the /shares/documents directory.
>>>>>
>>>>>The ultimate goal for the behavior of the directory is this:
>>>>>
>>>>>when someone drops a file in the directory or subdirectory, it becomes
>>>>>read-only so that it can't be edited, moved, or renamed by anyone except for a
>>>>>special user with admin privileges.
>>>>>
>>>>>--
>>>>>To unsubscribe from this list go to the following URL and read the
>>>>>instructions: http://lists.samba.org/mailman/listinfo/samba
>>>>>
>>>>
>>
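The directory-versus-file permission behaviour discussed in this thread, as an added example that is not part of the original messages: it runs in a scratch directory as a single user, which matches the "force user = docadmin" case where every client acts as the file's owner. The function name try_rename and the scratch paths are made up for the illustration.

```shell
#!/bin/sh
# Added illustration; paths are temporary and constructed, not the poster's share.

# try_rename DIR_MODE FILE_MODE -> prints "renamed" or "denied"
try_rename() {
    work=$(mktemp -d) || return 1
    mkdir "$work/documents"
    echo test > "$work/documents/test.txt"
    chmod "$2" "$work/documents/test.txt"   # permissions on the file itself
    chmod "$1" "$work/documents"            # permissions on the directory
    if mv "$work/documents/test.txt" "$work/documents/renamed.txt" 2>/dev/null; then
        result=renamed
    else
        result=denied
    fi
    chmod 0700 "$work/documents"            # restore access so cleanup works
    rm -rf "$work"
    echo "$result"
}

# 1. Unreadable, unwritable file in a writable directory: rename still works,
#    because rename only needs write (and search) permission on the directory.
echo "file 000,  dir 0770: $(try_rename 0770 000)"
# 2. Sticky directory, caller owns the file (what "force user" makes of every
#    Samba client): the sticky bit never restricts the file's owner.
echo "file 0440, dir 1770: $(try_rename 1770 0440)"
# 3. Directory without write permission: rename is refused for non-root callers.
echo "file 0440, dir 0550: $(try_rename 0550 0440)"
```

Run as root, case 3 also reports "renamed", since root bypasses directory permission checks.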