[Samba] Question on "read only" behavior in smb.conf

Sullivan, James (NIH/CIT) sullivan at mail.nih.gov
Fri Sep 26 21:59:13 GMT 2003 

Hi All,

I've built Samba v2.2.8a on a RedHat 7.2 system and it seems to work ok.
However
I cannot understand the "read only" parameter in the following situation:

smb.conf file:
-------------------
[global]
   security=user
   encrypt passwords=yes
[foo]
   path=/tmp/foo
   read only=yes
   
The owner&mode of /tmp/foo is:
------------------------------------------
% ls -ld /tmp/foo
drwx-r-xr-x  3  joe  joe  1024  Sep  23  13:52  /tmp/foo

I've setup a smbpasswd file containing users "joe" and "sue", both with
passwords.
I can connect to \\mymachine\foo as "joe" or "sue" ok from my Windows 2000
PC.  
I connect it to drive K: and can see all the files in /tmp/foo.

However: 
-when connected via samba as "joe" I can successfully paste files into
/tmp/foo. (not expected)
-when connected via samba as "sue" I cannot paste files into /tmp/foo.
(expected)

It appears the UNIX file permissions are overriding the Samba configuration.
I thought Samba worked the other way around but without allowing more rights
than the UNIX permissions provide.
In other words, why does "joe" have write access to a samba service defined
as "read only" in the samba configuration?

I also checked the "Properties/Security" of the share from my Windows 2000
PC and it says:
Allow	Joe	Full Control
Allow	Everyone	Read & Execute

If this is how it is supposed to work then life gets difficult in the
following circumstance:
If I have a directory I want to make mountable from Samba as read only,
I need to be careful and check all directory and file permissions to ensure
no one connecting
via Samba will have a UNIX write permission that overrides the Samba setting
of "read only".

Is this correct behavior for Samba?  Is there a way to make a service truely
read only no matter
who is connected and who ownes the files?  I also discovered that if sue's
group matches the group
ownership of /tmp/foo, then sue has write access IF /tmp/foo is group
writeable.

Thanks in advance.  Samba set up quickly and seems to work great, except for
this 
little bit of strangeness.  

-Jim

	----------------------------------------------------
	James E. Sullivan   |  Northrop Grumman IT 
	Building 12B        |  on site at: NIH/CIT/DCSS/SOSB
	Room 2N207          |  Phone:301-451-6372
	Bethesda, MD 20892  |  Email:sullivan at mail.nih.gov    
   -----------------------------------------------------

More information about the samba mailing list