[Samba] Windows file permission abilities?
smc+samba at dogphilosophy.net
Wed Mar 9 03:48:24 GMT 2005
On Tuesday 08 March 2005 07:08 pm, Aaron P. Martinez wrote:
> Most importantly I'm wondering if it can implement the create dir/append
> to file permissions. My client wants users to be able to create files
> on the server but have only a few people who can actually delete the
> files. I thought about using the "force user" and umask properties, but
> wondered if when using Samba as a domain controller the file permissions
> would be the same as Windows' file permissions or if that is a function
> of NTFS and Samba always uses the Unix file permissions.

I'm trying to find this out myself on behalf of a Windows guy who is trying to
do this for some reason. To be honest, I'm still not sure what good it does
- if you can WRITE to a file, you can effectively delete it. (Overwrite it
with a different file and rename it. Literally no different than deleting
the original file then writing a new one, if NTFS handles deletions the same
way that FATxx does (new file begins writing in the spot last vacated by the
most recently deleted file...).) As far as I know, "append only" isn't very
useful for most files - if I understand correctly (for example) when you load,
edit, and save a "Microsoft Word" file, it completely re-writes the file; it
doesn't just add changes to the end. (The one possible use for append-only
that I can think of would be for plain-text log files...)

Nonetheless, somewhere along the way I got the impression that Samba would
store the Windows permission bits as extended attributes, just as it does
(or at least can) with DOS attributes. I'm not sure where I got this
impression, though, and even if it stores the attributes I don't know if it

Nobody's stepped up yet to say one way or another whether Samba handles
Windows file permissions or not in the last couple of days since the question

> Second thing that the client is requesting is for files on the server to
> not be able to be copied to a remote storage device (prevent theft).
> Let's say the user is at a workstation and her logon permits her to read
> a specific file on the Samba server. She has a DVD burner or a USB
> external drive, he doesn't want her to be able to copy the file either
> directly to the device or to copy it to a local drive and then burn it.
> He does however want the user to be able to burn DVDs of locally stored
> data, or from the user's Samba $home directory. I suspect this isn't
> very feasible as if you can read the data you should be able to copy it
> to your local machine and then put it wherever you want, but I figured
> I'd double-check.

Literally impossible, as far as I know - as you say, if you can read it, you
can copy it somewhere else. One alternative that would take some bureaucracy
to implement would be to take away all "end-user" portable media (block off
the USB storage options, remove DVD-R's and CD-R's, etc.) and set up a
CENTRAL place, overseen by a trusted administrator, where users save files
that they want saved to portable media.
It'd be a huge hassle, but it WOULD at least give you controls over what files
get exported to portable media - if the data is sensitive enough it might be