[Samba] Question on "read only" behavior in smb.conf
Sullivan, James (NIH/CIT)
sullivan at mail.nih.gov
Fri Sep 26 21:59:13 GMT 2003
Hi All,
I've built Samba v2.2.8a on a RedHat 7.2 system and it seems to work ok.
However, I cannot understand the "read only" parameter in the following
situation:
smb.conf file:
-------------------
[global]
security=user
encrypt passwords=yes
[foo]
path=/tmp/foo
read only=yes
The owner&mode of /tmp/foo is:
------------------------------------------
% ls -ld /tmp/foo
drwx-r-xr-x 3 joe joe 1024 Sep 23 13:52 /tmp/foo
I've set up a smbpasswd file containing users "joe" and "sue", both with
passwords.
I can connect to \\mymachine\foo as "joe" or "sue" ok from my Windows 2000 PC.
I connect it to drive K: and can see all the files in /tmp/foo.
However:
- when connected via samba as "joe" I can successfully paste files into
  /tmp/foo. (not expected)
- when connected via samba as "sue" I cannot paste files into /tmp/foo.
  (expected)
It appears the UNIX file permissions are overriding the Samba configuration.
I thought Samba worked the other way around but without allowing more rights
than the UNIX permissions provide.
In other words, why does "joe" have write access to a samba service defined
as "read only" in the samba configuration?
I also checked the "Properties/Security" of the share from my Windows 2000
PC and it says:
Allow Joe Full Control
Allow Everyone Read & Execute
If this is how it is supposed to work then life gets difficult in the
following circumstance:
If I have a directory I want to make mountable from Samba as read only,
I need to be careful and check all directory and file permissions to ensure
no one connecting via Samba will have a UNIX write permission that overrides
the Samba setting of "read only".
Is this correct behavior for Samba? Is there a way to make a service truly
read only no matter who is connected and who owns the files? I also
discovered that if sue's group matches the group ownership of /tmp/foo, then
sue has write access IF /tmp/foo is group writeable.
Thanks in advance. Samba set up quickly and seems to work great, except for
this little bit of strangeness.
-Jim
----------------------------------------------------
James E. Sullivan | Northrop Grumman IT
Building 12B | on site at: NIH/CIT/DCSS/SOSB
Room 2N207 | Phone:301-451-6372
Bethesda, MD 20892 | Email:sullivan at mail.nih.gov
-----------------------------------------------------
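
Added example (not part of the original post and not Samba project code): the manual check the post describes, listing which shares an smb.conf marks read only and which entries under a share path carry UNIX write bits. It goes slightly beyond the post by treating `writeable`/`writable`/`write ok` as inverted synonyms of `read only` and an unset share as read only, as the smb.conf manual documents; `SAMPLE_CONF` is constructed from the post's configuration plus a hypothetical `[bar]` share, and the function names are this example's own.

```python
import configparser
import os
import stat

# Constructed sample: the smb.conf from the post plus a hypothetical [bar] share.
SAMPLE_CONF = """[global]
security=user
encrypt passwords=yes
[foo]
path=/tmp/foo
read only=yes
[bar]
path=/tmp/bar
writeable=yes
"""
TRUE = {"yes", "true", "1"}
WRITE_BITS = ((stat.S_IWUSR, "owner"), (stat.S_IWGRP, "group"), (stat.S_IWOTH, "other"))

def read_only_shares(conf_text):
    """Return {share: path} for shares whose effective setting is read only."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # smb.conf parameter names ignore case and embedded spaces.
    cp.optionxform = lambda k: k.lower().replace(" ", "")
    cp.read_string(conf_text)
    shares = {}
    for name in cp.sections():
        sec = cp[name]
        if name.lower() == "global" or "path" not in sec:
            continue
        ro = True  # documented default: read only = yes
        if "readonly" in sec:
            ro = sec["readonly"].strip().lower() in TRUE
        for key in ("writeable", "writable", "writeok"):  # inverted synonyms
            if key in sec:
                ro = sec[key].strip().lower() not in TRUE
        if ro:
            shares[name] = sec["path"].strip()
    return shares

def unix_write_bits(root):
    """Return [(relative path, 'owner,group,other' subset)] for entries with a write bit."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for entry in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            mode = os.lstat(entry).st_mode
            who = [label for bit, label in WRITE_BITS if mode & bit]
            if who and not stat.S_ISLNK(mode):  # a symlink's own mode is not meaningful
                found.append((os.path.relpath(entry, root), ",".join(who)))
    return sorted(found)
```

Calling `unix_write_bits(path)` for each path returned by `read_only_shares(open("/etc/samba/smb.conf").read())` gives the full report; the smb.conf location is an assumption and varies by build.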