[Samba] A shared space between students and their teacher !!!

Matthew Easton info at sublunar.com
Sat Jul 9 19:47:28 GMT 2005


On Saturday 09 July 2005 06:56, alaanizar at iihem.ac.ma wrote:
> Hi all,
>
> Last week I implemented samba as a file server and domain controller for
> more than 150 computers (Win 2000 and XP). Everything is working just fine.
>
> However, computer science faculty wanted a share for each course in which
> students can upload their homework once done and teacher download them for
> correction. Yet, students can have the right to write on that share but not
> delete the work of other students.

What you want is a drop box.  A directory that has permissions such that 
students can write but not read.  The instructor will have to move the file 
somewhere else for the student to get it back.  Perhaps into the student's 
own dropbox.  

This will get you started, I don't consider it a complete solution as I'm 
dealing only with the unix permissions of the directory-- you'll want to 
investigate how it interacts with the samba share directives.

In this scenario, Dr. Smith in addition to any faculty-only group he may be a 
member of, is also a member of the cs201 group.  (cs201 is a group containing 
all students of the cs201 course) -- so he can read and write to the files he 
receives.

	You create a directory [cs201dropbox] and give ownership to Dr. Smith, and 	
	group ownership to cs201.  

[root@localhost home]# mkdir cs201dropbox
[root@localhost home]# chown smith.cs201 cs201dropbox

	Change permissions on the directory to restrict access, notice that the group 
	can write to and pass through the directory (x) but cannot read it:

[root@localhost home]# chmod u=rwx,g=wx,o-rwx cs201dropbox

	We can set the sgid bit on the directory.  This forces files written to 
	the directory to be owned by the group of the enclosing directory, 
	because "cs201" may not be the primary group of 
	the person writing to the directory:

[root@localhost home]# chmod g+s cs201dropbox

	We set the sticky bit so only the owner of the directory can 
	change the files.

[root@localhost home]# chmod +t cs201dropbox

	So this is what it looks like now.  Members of group cs201 can write 
	but not read the directory.  Smith can do anything he wants in the 
	directory.  If you aren't Dr. Smith or a member of cs201, you can't 
	do anything.  (well superuser is still superuser):

[root@localhost home]# ls -ld cs201dropbox
drwx-ws--T    5 smith  cs201        4096 Jul  9 11:25 cs201dropbox

	If you blindly write to the directory and a file of the same name 
	exists, you will be told you can't do it, so change the file name and 
	you can write.

I should point out that you can use the suid bit to force ownership instead 
of, or in addition to, the sgid bit. 

Now that you have the underlying permissions sorted out, you can address the 
samba side.
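
A check for the directory mode built up in the message above (u=rwx, g=wx, no access for others, setgid and sticky, i.e. octal 3730), as an added example that is not part of the original post. It assumes GNU coreutils `stat`; the function names are hypothetical and the demo directories are constructed in a temp location without the `chown` step so it runs unprivileged.

```shell
#!/bin/sh
# Added example (not from the original post): audit a drop-box directory
# against the mode described above: u=rwx, g=wx, o=none, setgid + sticky (3730).
# Assumes GNU coreutils stat; function names are hypothetical.

# $1 = mode (integer), $2 = octal mask, $3 = "set" or "clear", $4 = message
expect_bits() {
    if [ "$3" = set ]; then
        [ $(( $1 & $2 )) -eq $(( $2 )) ] && return 0
    else
        [ $(( $1 & $2 )) -eq 0 ] && return 0
    fi
    echo "FINDING: $4"
    return 1
}

# Returns 0 if the directory matches the drop-box layout, 1 if any bit
# deviates, 2 if the path is not a directory.
audit_dropbox() {
    [ -d "$1" ] || { echo "not a directory: $1"; return 2; }
    mode=$(( 0$(stat -c '%a' "$1") ))   # leading 0 makes the shell read it as octal
    rc=0
    expect_bits "$mode" 0700  set   "owner lacks rwx" || rc=1
    expect_bits "$mode" 0030  set   "group lacks w and/or x (cannot drop files)" || rc=1
    expect_bits "$mode" 0040  clear "group can list the directory" || rc=1
    expect_bits "$mode" 0007  clear "others have access" || rc=1
    expect_bits "$mode" 02000 set   "setgid missing (files keep writer's primary group)" || rc=1
    expect_bits "$mode" 01000 set   "sticky missing (group members can delete each other's files)" || rc=1
    return $rc
}

# Constructed demo: apply the same chmod steps to a temp directory.
make_demo_dropbox() {
    d=$(mktemp -d) && chmod u=rwx,g=wx,o-rwx "$d" && chmod g+s "$d" && chmod +t "$d"
    echo "$d"
}

good=$(make_demo_dropbox)
loose=$(mktemp -d) && chmod 0775 "$loose"   # deliberately loose, for contrast
audit_dropbox "$good"  && echo "OK: $good"
audit_dropbox "$loose" || echo "NOT a drop box: $loose"
rm -rf "$good" "$loose"
```

Run `audit_dropbox` against the real directory after any change to the share or its permissions; a non-zero return means one of the bits has drifted.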

