[Samba] force user and read only

Urs Golla urs.golla at gmail.com
Mon Oct 27 05:46:59 GMT 2008


The folder is owned by a local group which belongs to the application.
And I don't want to add developers to this application group. I did it
now with the "force user" option and "read only". This way I can make
sure that they can always read the application logs (because they are
owned by the app user) and they are not allowed to write into that
share. And I don't have to maintain group memberships, acls or file
permissions.
The more I think about the combination of these 2 options, the more I
like it... :-) Do you see any risk if I force to use root WITH
read-only?

On Fri, Oct 24, 2008 at 4:25 PM, Dennis B. Hopp <dhopp at coreps.com> wrote:
>
>
> On Fri, 2008-10-24 at 17:08 +0200, Urs Golla wrote:
>> This works only if the samba user is also the owner of the file.
>>
>
> Please CC the list so that other users can benefit from this
> conversation and if I'm mistaken, somebody else can correct me.
>
> The users (or groups) will still need file system permissions to access
> the directories/files, regardless of what samba gives them access to.
> So you will need to make sure the permissions on the Linux file system
> allow those users/groups access.
>
> You could place all the developers in a group and give that group read
> access (so mode 740).  And then in the smb.conf file use
>
> valid users = "@MYDOMAIN+DEVELOPERGROUP"
>
> (the @ sign may have to go outside the quotes, I can't remember off the
> top of my head)
>
> Or maybe a better option is the "read list" option instead of "valid
> users"
>
> If you aren't using groups (or need more than one group to access it)
> then you will need to have the file system mounted with the "acl" option
> so that you can place extended acls on the directories for each
> user/group.
>
> --Dennis
>
>> On Fri, Oct 24, 2008 at 5:00 PM, Dennis B. Hopp <dhopp at coreps.com> wrote:
>> >
>> >
>> > On Fri, 2008-10-24 at 08:45 +0200, Urs Golla wrote:
>> >> Hi
>> >>
>> >> I need a share with read-only access for some developers (to read
>> >> logfiles). The logfiles are owned by the application user and group
>> >> and have 700 permissions. I have set up the share like this:
>> >>
>> >>         path = /applicationx/logs
>> >>         read only = Yes
>> >>         valid users =  "MYDOMAIN+DEVELOPER1"
>> >>         force user = applicationx
>> >>
>> >
>> > You shouldn't need the "force user" setting if this is read only.  That
>> > setting is so that samba will force that user to be the owner of any
>> > files written to the share.
>> >
>> > If you want it to be read only, the only thing you should have to set is
>> > "read only = yes".
>> >
>> > --Dennis
>> >
>> >
>
>
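
With "force user", all file operations on the share run as the forced user, so the share-level settings ("read only", "valid users") are what still gate access; with root as the forced user, mode bits under the path restrict nothing. The following Python audit of smb.conf-style text is an added example, not part of the original thread and not Samba tooling. It assumes per-share parameters only (no [global] defaults or includes); the share names and the @devs group are constructed.

```python
import re

# Constructed sample smb.conf text; share names and @devs are hypothetical.
SAMPLE = """
[applogs]
    path = /applicationx/logs
    read only = Yes
    valid users = "MYDOMAIN+DEVELOPER1"
    force user = applicationx
[rootlogs]
    read only = Yes
    force user = root
[scratch]
    writable = yes
    valid users = @devs
    force user = applicationx
"""

def parse_shares(text):
    """Map share -> {param: value}; Samba ignores case and spaces in parameter names."""
    shares, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = shares.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return shares

def is_read_only(p):
    """'writable', 'writeable' and 'write ok' are inverted synonyms of 'read only'."""
    yes = lambda v: v.lower() in ("yes", "true", "1")
    for synonym in ("writable", "writeable", "writeok"):
        if synonym in p:
            return not yes(p[synonym])
    return yes(p.get("readonly", "yes"))  # Samba's default is read only = yes

def audit(text):
    """Return {share: [issues]} for every share that sets 'force user'."""
    report = {}
    for name, p in parse_shares(text).items():
        forced = p.get("forceuser", "").strip('"')
        if forced:
            checks = [(forced == "root", "force user is root"),
                      (not is_read_only(p), "writable with force user"),
                      ("validusers" not in p, "no valid users restriction")]
            report[name] = [msg for hit, msg in checks if hit]
    return report
```

Calling `audit(SAMPLE)` returns an empty issue list for the share configured as in the thread and flags the root-forced and writable variants.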

