[Samba] Who may delete a file ?

Pierre Dehaen dehaen at milano.drever.be
Fri Sep 13 12:17:01 GMT 2002


As I received no answer to my question, I went through the code and saw 
that the "delete readonly = No" (default) option will only refuse to delete a file 
if the DOS attribute readonly is enabled, which means when the owner, the 
group, and others don't have, all of them, the "w" right on the file.

Is it really necessary to link the DOS readonly attribute to the unix readonly 
(no "w") access to _all_ users, and not only to the _current_ windows user ?

What do you think about the following changes in the can_delete function 
(based on the 2.2.5 version) ? When we have the "delete readonly = No" 
open, it will simply check if the user has write access to the file before 
allowing a delete.

-------------------------------------------------
diff -c reply.orig reply.c
*** reply.orig  Wed Jun 19 03:13:48 2002
--- reply.c     Fri Sep 13 13:55:32 2002
***************
*** 1984,1989 ****
--- 1984,1990 ----
        int smb_action;
        int access_mode;
        files_struct *fsp;
+       uint32 desired_access = DELETE_ACCESS;
  
        if (!CAN_WRITE(conn))
                return NT_STATUS_MEDIA_WRITE_PROTECTED;
***************
*** 1997,2002 ****
--- 1998,2004 ----
        if (!lp_delete_readonly(SNUM(conn))) {
                if (fmode & aRONLY)
                        return NT_STATUS_CANNOT_DELETE;
+               desired_access |= FILE_WRITE_DATA;
        }
  
        if ((fmode & ~dirtype) & (aHIDDEN | aSYSTEM))
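Review bot: The added `desired_access |= FILE_WRITE_DATA;` in the new 1998-2004 range sits inside the `!lp_delete_readonly(SNUM(conn))` branch, which the message describes as the default setting, so existing shares change behaviour without any configuration change: a user who can delete a file today without write permission on it would be refused. Add a comment at that line saying why write access is requested for a delete, and update the "delete readonly" documentation to describe the new rule.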
***************
*** 2006,2012 ****
        unix_ERR_class = 0;
        unix_ERR_code = 0;
  
!       fsp = open_file_shared1(conn, fname, &sbuf, DELETE_ACCESS, 
SET_DENY_MODE
(DENY_ALL),
                (FILE_FAIL_IF_NOT_EXIST|FILE_EXISTS_OPEN), 0, 0, 
&access_mode, &
smb_action);
  
        if (!fsp) {
--- 2008,2014 ----
        unix_ERR_class = 0;
        unix_ERR_code = 0;
  
!       fsp = open_file_shared1(conn, fname, &sbuf, desired_access, 
SET_DENY_MOD
E(DENY_ALL),
                (FILE_FAIL_IF_NOT_EXIST|FILE_EXISTS_OPEN), 0, 0, 
&access_mode, &
smb_action);
  
        if (!fsp) {
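Review bot: The new write check relies entirely on `open_file_shared1` returning NULL at 2008-2014, but the only argument that changes is `DELETE_ACCESS` becoming `desired_access`; the share-mode argument is still `SET_DENY_MODE(DENY_ALL)`. Please confirm that requesting `FILE_WRITE_DATA` this way really makes the open fail for a user without write permission on the file, and that the `if (!fsp)` path then returns an access error to the client. Separately, the call has been wrapped in transit (`SET_DENY_MOD` / `E(DENY_ALL)`), so the hunk will not apply as posted; resending it as an attachment would avoid that.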
-------------------------------------------------


Thanks for your help,
Pierre


On 10 Sep 2002 at 17:15, Pierre Dehaen wrote:

> Hi All,
> 
> I was checking the access rights and a problem (hence a question) 
> appeared: Who can delete a file through Samba ?
> 
> Suppose we have the following situation:
> drwxrwxrwx   john   finance   directory
> -rw-r--r--   jack   finance   directory/file
> 
> Under unix everyone can delete the file.
> 
> Under Samba, the documentation says (due to the Windows semantics) you 
> also need the write access to the file to be able to delete it. The "delete 
> readonly" option is set to "no" (default). John doesn't have the write access 
> but:
> - in the properties window, John won't see the Read-only attribute set;
> - John can't update the file;
> - and he can delete the file !
> 
> I don't consider the first point as normal but, okay, the "Using Samba" book 
> that comes with Samba says in chapter 5 that:
> "By default, Samba 2.0 sets this whenever a file does not have the Unix 
> owner write permission bit set. In other words, you can set this bit by 
> changing the permissions of the file to 555."
> 
> What I don't understand are the two other points: these are correct for the 
> unix semantics, not for the DOS/Windows one ! But the same book says:
> "DOS filesystems are not designed for multiple users, and so its designers 
> decided that read-only means "protected against accidental change, 
> including deletion," rather than "protected against some other user on a 
> single-user machine." So the designers of DOS prohibited removal of a read-
> only file. Even today, Windows file systems exhibit the same behavior."
> 
> 
> The result of all this is that the "delete readonly" option is only useful to the 
> owner of a file, not to anyone else !!!???
> 
> Do you have any idea how I could set the permissions so that a user has the 
> rights to create a file in a directory but not to delete the files of other people ? 
> I know about the stickybit, but it won't help on subdirectories created by users 
> unless I enable the inherit option which leads me to other problems...
> 
> Thanks in advance,
> Pierre
> 
> 
> 

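The three deletion rules discussed in this thread, modelled on the john/jack scenario as an added example (not Samba code and not part of the original messages). The structs, function names, uids and gid are constructed for illustration; the "current" rule follows the first message's reading of the code, and root and supplementary groups are left out.

```c
#include <stdbool.h>

/* Constructed model: only the fields the thread's scenario needs. */
enum { P_W = 0200, P_X = 0100, P_STICKY = 01000 };  /* owner-class bits, octal */
struct node { unsigned mode; int uid, gid; };
struct user { int uid, gid; };

/* Owner/group/other selection for one permission bit
 * (assumption: no root override, no supplementary groups). */
static bool has_perm(const struct node *n, const struct user *u, unsigned bit)
{
    if (u->uid == n->uid) return (n->mode & bit) != 0;
    if (u->gid == n->gid) return (n->mode & (bit >> 3)) != 0;
    return (n->mode & (bit >> 6)) != 0;
}

/* Plain Unix: w+x on the directory; a sticky directory limits deletion
 * to the file's owner or the directory's owner. */
bool unix_may_delete(const struct node *dir, const struct node *f, const struct user *u)
{
    if (!has_perm(dir, u, P_W) || !has_perm(dir, u, P_X)) return false;
    if ((dir->mode & P_STICKY) && u->uid != f->uid && u->uid != dir->uid) return false;
    return true;
}

/* "delete readonly = No" as the message reads the code: refuse only when the
 * DOS read-only attribute is set, i.e. no class has "w" on the file. */
bool current_may_delete(const struct node *dir, const struct node *f, const struct user *u)
{
    bool dos_readonly = (f->mode & (P_W | P_W >> 3 | P_W >> 6)) == 0;
    return !dos_readonly && unix_may_delete(dir, f, u);
}

/* Proposed rule: additionally require that this user can write the file. */
bool proposed_may_delete(const struct node *dir, const struct node *f, const struct user *u)
{
    return current_may_delete(dir, f, u) && has_perm(f, u, P_W);
}

/* The thread's scenario: drwxrwxrwx john finance, -rw-r--r-- jack finance. */
const struct node SHARE_DIR = {0777, 1001, 100};
const struct node THE_FILE  = {0644, 1002, 100};
const struct user JOHN = {1001, 100}, JACK = {1002, 100};
```

In this model John may delete Jack's file under the Unix and current rules and is refused only under the proposed one, while Jack keeps the right in all three.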



