[Samba] hide unreadable files

Diego Alejandro Cheda diegocheda at hotmail.com
Fri Nov 9 16:24:08 GMT 2007


Hi Charles! Thanks for your ideas! 
 
I read this post http://lists.samba.org/archive/samba/2007-July/133723.html and found some similarities with the behavior of my configuration. For example, sometimes a user can delete files or directories with "r-x" permissions. Then, I upgraded to samba 3.0.26a. I don't know if this is a good idea, but at least users can't delete files/directories now (I think).
 
However, the problem still exists with the "hide unreadable = Yes" option. I understand the behavior now. For example, I have two directories in a share directory "groups" with the following ACL entries:
 
# file: groups
# owner: root
# group: root
user::rwx
group::r-x
group:admins:rwx
group:users:r-x
mask::rwx
other::---
 
# file: dir1
# owner: root
# group: root
user::rwx
group::r-x
group:admins:rwx
mask::rwx
other::---

# file: dir2
# owner: root
# group: root
user::rwx
group::---
other::---

And I have a user "joe" that belongs to the group "users". Then, if "joe" maps the share directory, he can see only dir1, and dir2 is not visible to him. Also, "joe" should not see dir1.
Now, if I change the ACL permissions of dir2 to the following:
 
# file: dir2
# owner: root
# group: root
user::rwx
group::r-x
group:admins:rwx
mask::rwx
other::---

"joe" can see (incorrectly) both directories. Believe me, I don't understand. I don't know if these "errors" are due to a bad configuration or what...
 
I'm using: debian etch 4.0r1 amd64, kernel 2.6.18-5-amd64, samba 3.0.26a, XFS file system with acl support and quotas and LDAP for user authentication.
 
This is my smb.conf:
[global]
	workgroup = NT-DEQ
	server string = %h server
	obey pam restrictions = Yes
	passdb backend = ldapsam:ldap://127.0.0.1
	passwd program = /usr/sbin/smbldap-passwd '%u'
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 1000
	printcap name = cups
	add user script = /usr/sbin/smbldap-useradd -a -m -k '%u'
	delete user script = /usr/sbin/smbldap-userdel -r '%u'
	add group script = /usr/sbin/smbldap-groupadd -p '%g'
	delete group script = /usr/sbin/smbldap-groupdel '%g'
	add user to group script = /usr/sbin/smbldap-groupmod -m -k '%u' '%g'
	delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
	set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
	add machine script = /usr/sbin/smbldap-useradd -w '%u'
	dns proxy = No
	ldap admin dn = cn=admin,dc=upc,dc=es
	ldap group suffix = ou=groups
	ldap suffix = dc=upc,dc=es
	ldap ssl = no
	ldap user suffix = ou=users
	panic action = /usr/share/samba/panic-action %d
	invalid users = root
	profile acls = Yes
	map acl inherit = Yes
	hide unreadable = Yes
	map hidden = Yes

[homes]
	comment = Home Directories
	valid users = %S
	read only = No
	create mask = 0700
	directory mask = 0700
	browseable = No

[groups]
	comment = Grups Files
	path = /home/groups
	read only = No

Thank you very much!!!

Diego
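Added example, not part of the original post and not Samba's code: the standard POSIX.1e ACL access check applied to the getfacl listings quoted in the message, to show which entries a read check for "joe" actually reaches. It assumes "joe" is not the owner and belongs only to the group "users"; the function and constant names are made up for this illustration.

```python
def parse_getfacl(text):
    """Parse getfacl output into (owner, owning_group, entries)."""
    meta, entries = {}, []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            meta[key.strip()] = value.strip()
        elif line:
            # Drop a trailing "#effective:..." comment if getfacl printed one.
            tag, qualifier, perms = line.split()[0].split(":")
            entries.append((tag, qualifier, perms))
    return meta["owner"], meta["group"], entries

def can_read(acl_text, user, groups):
    """True if `user` (a member of `groups`) is granted 'r' by the ACL."""
    owner, owning_group, entries = parse_getfacl(acl_text)
    mask = next((p for t, q, p in entries if t == "mask"), "rwx")
    masked = lambda perms: "r" in perms and "r" in mask
    if user == owner:                       # 1. owner: user:: entry, mask not applied
        return any("r" in p for t, q, p in entries if t == "user" and q == "")
    for t, q, p in entries:                 # 2. named user entry, limited by mask
        if t == "user" and q == user:
            return masked(p)
    matched = [p for t, q, p in entries     # 3. owning group and named groups
               if t == "group" and (q or owning_group) in groups]
    if matched:                             # any matching group entry may grant
        return any(masked(p) for p in matched)
    return any("r" in p for t, q, p in entries if t == "other")  # 4. other

# ACLs as listed in the post (owner and owning group are root in every case).
HDR = "# file: {}\n# owner: root\n# group: root\n"
FULL = "user::rwx\ngroup::r-x\ngroup:admins:rwx\nmask::rwx\nother::---\n"
SHARE = HDR.format("groups") + FULL.replace("mask", "group:users:r-x\nmask")
DIR1 = HDR.format("dir1") + FULL
DIR2_BEFORE = HDR.format("dir2") + "user::rwx\ngroup::---\nother::---\n"
DIR2_AFTER = HDR.format("dir2") + FULL

if __name__ == "__main__":
    for name, acl in [("groups", SHARE), ("dir1", DIR1),
                      ("dir2 (before)", DIR2_BEFORE), ("dir2 (after)", DIR2_AFTER)]:
        print(f"{name:14} readable by joe: {can_read(acl, 'joe', {'users'})}")
```

Under these ACLs the check for "joe" matches no user or group entry on dir1 or on either version of dir2, so it falls through to other::--- each time; only the share root grants read, through group:users:r-x.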