[Samba] share permissions

Ricky Nance ricky.nance at gmail.com
Tue Aug 20 09:22:13 MDT 2013


Permissions are hard to explain (possibly because I don't fully understand
them myself I guess), but if you have a directory (say /srv) and you give
it 0700 permissions, then only the person that owns that directory is able
to see anything under it, however if you give it 0755, then ANYONE can see
(the second 5 is R-X for everyone) what's in there, now you have a directory
under that, let's call it share, (so /srv/share) and you give it permissions
of 0777, then everyone can read/write in the share folder, but no one can
write to the /srv folder except the owner. So when you had a share under
/home/user (where typically /home is 755, and /home/user is 0700)
then no one had access to the underlying directories (even if the
underlying directory is 777, because the user simply can't get to that
point)...

If anyone disagrees or could explain this better please feel free to do
so, I am not opposed to learning new things :)

Ricky


On Tue, Aug 20, 2013 at 10:10 AM, Kevin Field <kev at brantaero.com> wrote:

> Aha!  Moving it worked.  I can now see it from Windows.  If I chmod 777 on
> the directory I can also add files to it from Windows.
>
> However, I don't quite understand why the parent of the share directory
> affects it.  BTW /home/me has 700 permissions and /srv has 755.  If the +x
> on /srv allows the +x on my test share directory to allow Windows to browse
> it, why doesn't the -w on /srv prevent the +w on my test share directory
> from allowing Windows to create files there?  I always thought negative
> permissions took precedence in ACL, generally?
>
> Thanks,
> Kev
>
>
> On 2013-08-20 10:22 AM, Kevin Field wrote:
>
>> Hi Ricky,
>>
>> I don't think I should have to reboot.  setenforce is documented to work
>> without rebooting.  If I need to reboot a Linux server to troubleshoot
>> something like this--and I hear SELinux is often a first thing to try
>> disabling to troubleshoot--then it's worse than Windows for rebooting
>> requirements.  But I'm pretty sure that's simply not true.
>>
>> Otherwise this is meaningless:
>>
>> $ sudo setenforce 0
>> $ sudo getenforce
>> Permissive
>>
>> Also I'm a bit confused as to why the permissions on /home should affect
>> /home/me if I've explicitly set them on /home/me and haven't defined
>> some kind of ACL inheritance policy.  Is it the default that higher
>> directories' permissions override lower ones in CentOS?  Or is it a
>> Samba fileshare thing?  I would like to know exactly how this works, but
>> in any case, I'll try moving the share and see how it goes.
>>
>> Thanks,
>> Kev
>>
>> On 2013-08-17 9:47 AM, Ricky Nance wrote:
>>
>>> Have a look at
>>> http://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-sel-enable-disable.html
>>> and
>>> you will probably have to reboot after making the changes. I have seen
>>> this cause more problems than not, so I would start with disabling it
>>> and see if it fixes your problem. Also since you are using a /home/me
>>> before your share, you need to make sure you have at least 755
>>> permissions in both /home and /home/me, it might be a good idea to make
>>> a directory named /srv/mytestshare instead.
>>>
>>> Ricky
>>>
>>>
>>> On Fri, Aug 16, 2013 at 8:14 PM, Kevin Field <kev at brantaero.com> wrote:
>>>
>>>     Interestingly, I couldn't turn off selinux using their method:
>>>
>>>     $ sudo echo 0 > /selinux/enforce
>>>     -bash: /selinux/enforce: Permission denied
>>>
>>>     Perhaps it's a CentOS thing.  Anyway, `sudo setenforce 0` seemed to
>>>     work in that it didn't give me an error message, but OTOH didn't
>>>     seem to work in that the output of ls -alhDZ was the same:
>>>
>>>     drwxrwxr-x. me   me  unconfined_u:object_r:samba_share_t:s0 mytestshare
>>>
>>>     But in any case, it still gives me the same error from Windows.
>>>
>>>     Also something strange happened, after a while I could not navigate
>>>     to \\newdc without a similar error, but I had not been doing
>>>     anything in the system, so I'm not sure what might have caused it.
>>>       Running `sudo killall samba` and then `sudo samba` made it
>>>     suddenly be browseable again.  Maybe not related...not sure...
>>>
>>>     Anyway thanks for your help, Ricky.  Any other ideas?  BTW I had set
>>>     up the selinux permissions on the mytestshare dir per the HOWTO at
>>>     http://wiki.centos.org/HowTos/SetUpSamba .  I'm pretty sure that's
>>>     why it says samba_share_t on the ls output above.
>>>
>>>     Kev
>>>
>>>
>>>     On 2013-08-16 11:52 AM, Ricky Nance wrote:
>>>
>>>         Temporarily turn off selinux, if that fixes your issue you will
>>>         need to adjust the selinux rules to take care of the problem (or
>>>         just completely disable selinux). Also if you do a ls -alhDZ
>>>         /home/me/mytestshare before you turn it off it can tell you if
>>>         selinux is on, then run that again after it's turned off to
>>>         confirm. You can read about disabling/turning off selinux at
>>>         http://www.revsys.com/writings/quicktips/turn-off-selinux.html
>>>
>>>         Ricky
>>>
>>>
>>>         On Thu, Aug 15, 2013 at 10:44 PM, Kevin Field <kev at brantaero.com> wrote:
>>>
>>>              I have a share setup on a Samba 4.0.8 / CentOS 6.4 box that is
>>>              successfully replicating with a W2K3 server.  I'm following the
>>>              HOWTO here:
>>>
>>>              https://wiki.samba.org/index.php/Setup_and_configure_file_shares
>>>
>>>              [mytest]
>>>                      path = /home/me/mytestshare <-- with or without trailing slash
>>>                      read only = No
>>>
>>>              On the W2K3 box, I can browse to \\newdc and I see my test share
>>>              listed there.  I can also see it if I connect to newdc in Computer
>>>              Management.  However, what I can't get from either of those places
>>>              is a Security tab if I right-click the share and go to Properties.
>>>              There's a Share Permissions tab in CM only that says that Everyone
>>>              has Full Control. Despite that, if I try to double-click the share
>>>              in Explorer, I get:
>>>
>>>              ---------------------------
>>>              \\newdc
>>>              ---------------------------
>>>              \\newdc\mytest is not accessible. You might not have permission to
>>>              use this network resource. Contact the administrator of this server
>>>              to find out if you have access permissions.
>>>
>>>              Access is denied.
>>>
>>>              ---------------------------
>>>              OK
>>>              ---------------------------
>>>
>>>              My account has all privileges I can think of, including the
>>>              SeDiskOperatorPrivilege as laid out in the HOWTO.
>>>
>>>              Even if I chmod 777 /home/me/mytestshare I get this error.
>>>
>>>              What am I missing?
>>>
>>>              Thanks,
>>>              Kev
>>>
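
Added example (not part of the thread and not code from either poster): on Unix, reaching a path needs the execute (search) bit on every directory along the way, while the write bit on a directory only governs creating or deleting entries directly inside that directory. The script below builds a constructed copy of the two layouts discussed above in a temporary directory and reports the first directory that "other" users cannot pass through. The function names are hypothetical, GNU `stat -c` is assumed, and only the "other" mode bits are checked (owner and group membership, POSIX ACLs and SELinux are ignored).

```shell
#!/bin/sh
# first_blocker ROOT REL
# Walk ROOT/REL one component at a time and print the first directory whose
# "other" execute (search) bit is clear. Prints nothing if none is found.
first_blocker() {
    dir=$1
    rest=$2
    while [ -n "$rest" ]; do
        comp=${rest%%/*}                      # next path component
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        [ -n "$comp" ] || continue            # skip empty components ("//")
        dir=$dir/$comp
        mode=$(stat -c '%a' "$dir") || { echo "cannot stat $dir" >&2; return 2; }
        other=${mode#"${mode%?}"}             # last octal digit = "other" bits
        case $other in
            1|3|5|7) ;;                       # x bit set: traversal allowed
            *) printf '%s\n' "$dir"; return 0 ;;
        esac
    done
    return 0
}

# Constructed sample tree mirroring the modes mentioned in the thread:
# home 755, home/me 700, srv 755, both share directories 777.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/home/me/mytestshare" "$t/srv/mytestshare"
    chmod 755 "$t/home" "$t/srv"
    chmod 700 "$t/home/me"
    chmod 777 "$t/home/me/mytestshare" "$t/srv/mytestshare"
    printf '%s\n' "$t"
}

demo=$(make_demo_tree)
for rel in home/me/mytestshare srv/mytestshare; do
    blocker=$(first_blocker "$demo" "$rel")
    if [ -n "$blocker" ]; then
        echo "$rel: blocked at ${blocker#"$demo"/} (no o+x), share mode is irrelevant"
    else
        echo "$rel: every directory on the path is searchable by others"
    fi
done
rm -rf "$demo"
```

On a real server, `namei -l /home/me/mytestshare` prints the owner and mode of each component in the same order.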

