[Samba] File permissions

John H Terpstra jht at samba.org
Mon Jan 19 20:44:53 GMT 2009


On Monday 19 January 2009 14:29:16 Daniel L. Miller wrote:
> John H Terpstra wrote:
> > On Sunday 18 January 2009 18:38:25 Daniel L. Miller wrote:
> >> Is it possible to define file rights, such that -
> >>
> >> The file is owned by root, with full privileges on the Linux server.
> >> The file is shared by a group "users".
> >> The shared file should be available for read and write access.
> >>
> >> That part's easy - but now....
> >>
> >> Deny delete, overwrite, or rename access to this file.  Is this
> >> possible? --
> >> Daniel
> >
> > Please explain how a user can have write access to a file but not
> > overwrite access?
> >
> > The ability to write implies the ability to change the name as well as
> > the contents of a file.
> >
> > Can you provide a clear description of what you really wish to achieve?
> >
> > - John T.
>
> Oh - you want me to tell you what I want to do, so you can tell me the
> right way how - instead of helping with the wrong way to do it?  Geez...

Nice try.  I'm only trying to help you.  If a user has write access then the 
file can be overwritten or renamed.  There is no getting around that.

> Ok, since you insist.  I'm trying to accommodate Quickbooks (Enterprise
> Edition).  Users need to be able to open the file for read & write
> access or Quickbooks complains.  However, I don't want the clients to be
> able to destroy the file (outside of Quickbooks).  So I need to allow
> read/write via Samba - but I want to protect the file as much as possible.

If I understand correctly Quickbooks is accessing the files over the Samba 
share. Correct?  If so, then the file must be writable.

Is it necessary for users to update the files within Quickbooks?  I presume 
the answer is: Yes!

If yes, this means the file must actually be writable - there is no escape 
from this need. Right?

If not, then you can use the VFS module 'readonly' to fake read-write but 
actually not allow writing to the share.

> I have the UNIX file owned by root (which the QB SQL server runs as).
> The UNIX group ownership is the windows users.  Setting the UNIX group
> privileges to read only results in QB errors.  So I don't see how to
> protect it just using UNIX privileges - so I thought perhaps there was a
> way via Samba.  I (mis)remember some Windoze ACL's might allow for this
> type of special access control.
>
> If Quickbooks used a real SQL interface, then it wouldn't be a problem.
> But...it doesn't.

Sorry, I can't help you there.  Please speak with Quickbooks about your needs. 
That way you might help them to create a case to support other platforms.

Cheers,
John T.

