[Samba] share permissions

Ricky Nance ricky.nance at gmail.com
Thu Aug 22 10:49:18 MDT 2013


It looks at all of them, but the important thing is that it's 0755 all the
way to the folder being used (if there are any XXX0 permissions on the way
to the folder it will cause things to fail, which is the case with the 'me'
part of /home/me/share as it has 0700 permissions).


On Thu, Aug 22, 2013 at 10:54 AM, Kevin Field <kev at brantaero.com> wrote:

> Oh, so it only looks at the immediate parent's permissions?  Not the
> grandparent?  I find that even more bewildering but a whole lot easier to
> work with if that's the case :)
>
> Thanks,
> Kev
>
>
> On 2013-08-22 11:44 AM, Ricky Nance wrote:
>
>> No, you can use /home/srv/share as long as srv (under home) is 755
>> permissions. Samba does run as root, but it also still obeys the rules of
>> the underlying file system.
>>
>> Ricky
>>
>>
>> On Thu, Aug 22, 2013 at 10:19 AM, Kevin Field <kev at brantaero.com> wrote:
>>
>>     I can understand that.
>>
>>     However, I'm a bit confused about how this is supposed to be
>>     practical in the case of Samba.  Samba runs as root, so it can see
>>     everything. I'm telling it to share a particular folder.  Why should
>>     it look at the ACLs of folders above that, when there's no way they
>>     will be otherwise accessible via Samba?
>>
>>     The reason I bother with this question is that /home and /srv are on
>>     two different partitions.  I set it up so that the bulk of space
>>     would be available under /home.  Okay, so it sounds like links can
>>     come to rescue here.  I dig around and it seems that hard links on
>>     directories have not been allowed since the 70's.  Symbolic links
>>     could work, but if you enable the following of symbolic links in
>>     smb.conf, it can open up security holes.  So to me it seems there's
>>     no workaround for a design that doesn't make sense in the first
>>     place (checking the ACLs of parent directories even if you're root
>>     and they're irrelevant to the application of sharing the given
>>     directory.)
>>
>>     Am I missing something?
>>
>>     Thanks,
>>     Kev
>>
>>
>>     On 2013-08-20 11:22 AM, Ricky Nance wrote:
>>
>>         Permissions are hard to explain (possibly because I don't fully
>>         understand them myself I guess), but if you have a directory (say
>>         /srv) and you give it 0700 permissions, then only the person that
>>         owns that directory is able to see anything under it; however, if
>>         you give it 0755, then ANYONE can see (the second 5 is R-X for
>>         everyone) what's in there. Now you have a directory under that,
>>         let's call it share (so /srv/share), and you give it permissions of
>>         0777; then everyone can read/write in the share folder, but no one
>>         can write to the /srv folder except the owner. So when you had a
>>         share under /home/user (where typically /home is 755 and /home/user
>>         is 0700), no one had access to the underlying directories (even if
>>         the underlying directory is 777, because the user simply can't get
>>         to that point)...
>>
>>         If anyone disagrees or could explain this better please feel free
>>         to do so, I am not opposed to learning new things :)
>>
>>         Ricky
>>
>>
>>         On Tue, Aug 20, 2013 at 10:10 AM, Kevin Field <kev at brantaero.com> wrote:
>>
>>              Aha!  Moving it worked.  I can now see it from Windows.  If
>>              I chmod 777 on the directory I can also add files to it from
>>              Windows.
>>
>>              However, I don't quite understand why the parent of the share
>>              directory affects it.  BTW /home/me has 700 permissions and
>>              /srv has 755.  If the +x on /srv allows the +x on my test
>>              share directory to allow Windows to browse it, why doesn't
>>              the -w on /srv prevent the +w on my test share directory from
>>              allowing Windows to create files there?  I always thought
>>              negative permissions took precedence in ACL, generally?
>>
>>              Thanks,
>>              Kev
>>
>>
>>              On 2013-08-20 10:22 AM, Kevin Field wrote:
>>
>>                  Hi Ricky,
>>
>>                  I don't think I should have to reboot.  setenforce is
>>                  documented to work without rebooting.  If I need to
>>                  reboot a Linux server to troubleshoot something like
>>                  this--and I hear SELinux is often a first thing to try
>>                  disabling to troubleshoot--then it's worse than Windows
>>                  for rebooting requirements.  But I'm pretty sure that's
>>                  simply not true.
>>
>>                  Otherwise this is meaningless:
>>
>>                  $ sudo setenforce 0
>>                  $ sudo getenforce
>>                  Permissive
>>
>>                  Also I'm a bit confused as to why the permissions on
>>                  /home should affect /home/me if I've explicitly set them
>>                  on /home/me and haven't defined some kind of ACL
>>                  inheritance policy.  Is it the default that higher
>>                  directories' permissions override lower ones in CentOS?
>>                  Or is it a Samba fileshare thing?  I would like to know
>>                  exactly how this works, but in any case, I'll try moving
>>                  the share and see how it goes.
>>
>>                  Thanks,
>>                  Kev
>>
>>                  On 2013-08-17 9:47 AM, Ricky Nance wrote:
>>
>>                      Have a look at
>>                      http://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-sel-enable-disable.html
>>                      and you will probably have to reboot after making the
>>                      changes. I have seen this cause more problems than
>>                      not, so I would start with disabling it and see if it
>>                      fixes your problem. Also since you are using a
>>                      /home/me before your share, you need to make sure you
>>                      have at least 755 permissions in both /home and
>>                      /home/me, it might be a good idea to make a directory
>>                      named /srv/mytestshare instead.
>>
>>                      Ricky
>>
>>
>>                      On Fri, Aug 16, 2013 at 8:14 PM, Kevin Field <kev at brantaero.com> wrote:
>>
>>                           Interestingly, I couldn't turn off selinux
>>                           using their method:
>>
>>                           $ sudo echo 0 > /selinux/enforce
>>                           -bash: /selinux/enforce: Permission denied
>>
>>                           Perhaps it's a CentOS thing.  Anyway, `sudo
>>                           setenforce 0` seemed to work in that it didn't
>>                           give me an error message, but OTOH didn't seem
>>                           to work in that the output of ls -alhDZ was the
>>                           same:
>>
>>                           drwxrwxr-x. me   me   unconfined_u:object_r:samba_share_t:s0   mytestshare
>>
>>                           But in any case, it still gives me the same
>>                           error from Windows.
>>
>>                           Also something strange happened, after a while
>>                           I could not navigate to \\newdc without a
>>                           similar error, but I had not been doing anything
>>                           in the system, so I'm not sure what might have
>>                           caused it.  Running `sudo killall samba` and
>>                           then `sudo samba` made it suddenly be browseable
>>                           again.  Maybe not related...not sure...
>>
>>                           Anyway thanks for your help, Ricky.  Any other
>>                           ideas?  BTW I had set up the selinux permissions
>>                           on the mytestshare dir per the HOWTO at
>>                           http://wiki.centos.org/HowTos/SetUpSamba .  I'm
>>                           pretty sure that's why it says samba_share_t on
>>                           the ls output above.
>>
>>                           Kev
>>
>>
>>                           On 2013-08-16 11:52 AM, Ricky Nance wrote:
>>
>>                               Temporarily turn off selinux, if that fixes
>>                               your issue you will need to adjust the
>>                               selinux rules to take care of the problem
>>                               (or just completely disable selinux). Also
>>                               if you do a ls -alhDZ /home/me/mytestshare
>>                               before you turn it off it can tell you if
>>                               selinux is on, then run that again after
>>                               it's turned off to confirm. You can read
>>                               about disabling/turning off selinux at
>>                               http://www.revsys.com/writings/quicktips/turn-off-selinux.html
>>
>>                               Ricky
>>
>>
>>                               On Thu, Aug 15, 2013 at 10:44 PM, Kevin Field <kev at brantaero.com> wrote:
>>
>>                                    I have a share setup on a Samba 4.0.8 /
>>                                    CentOS 6.4 box that is successfully
>>                                    replicating with a W2K3 server.  I'm
>>                                    following the HOWTO here:
>>                                    https://wiki.samba.org/index.php/Setup_and_configure_file_shares
>>
>>                                    [mytest]
>>                                            path = /home/me/mytestshare   <-- with or without trailing slash
>>                                            read only = No
>>
>>                                    On the W2K3 box, I can browse to \\newdc
>>                                    and I see my test share listed there.  I
>>                                    can also see it if I connect to newdc in
>>                                    Computer Management.  However, what I
>>                                    can't get from either of those places is
>>                                    a Security tab if I right-click the share
>>                                    and go to Properties.  There's a Share
>>                                    Permissions tab in CM only that says that
>>                                    Everyone has Full Control. Despite that,
>>                                    if I try to double-click the share in
>>                                    Explorer, I get:
>>
>>                                    ---------------------------
>>                                    \\newdc
>>                                    ---------------------------
>>                                    \\newdc\mytest is not accessible. You
>>                                    might not have permission to use this
>>                                    network resource. Contact the
>>                                    administrator of this server to find out
>>                                    if you have access permissions.
>>
>>                                    Access is denied.
>>
>>                                    ---------------------------
>>                                    OK
>>                                    ---------------------------
>>
>>                                    My account has all privileges I can think
>>                                    of, including the SeDiskOperatorPrivilege
>>                                    as laid out in the HOWTO.
>>
>>                                    Even if I chmod 777 /home/me/mytestshare
>>                                    I get this error.
>>
>>                                    What am I missing?
>>
>>                                    Thanks,
>>                                    Kev
>>                                    --
>>                                    To unsubscribe from this list go to the
>>                                    following URL and read the instructions:
>>                                    https://lists.samba.org/mailman/options/samba
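The directory-chain rule the whole thread circles around, as an added example that is not part of the thread and not Samba's own code: on a Unix filesystem every directory on the way to a file must grant search (x) permission to the accessing identity, and only then do the final directory's own bits matter, so a 0777 share under a 0700 home stays unreachable while the parent's missing w bit does not stop writes inside the share. The sample tree, the uids (1000 for 'me', 2000 for some other Samba user) and all function names are constructed assumptions that mirror the modes quoted in the thread; the on-disk variant at the end runs the same walk against the real filesystem for whatever account executes it.

```python
"""Model of the path-walk permission check behind the /home/me/share failure.

Constructed example: the tree below is not a real filesystem, it only copies
the modes discussed in the thread (/home 0755, /home/me 0700, share 0777,
/srv 0755). Samba enforces this because smbd switches to the authenticated
user's uid/gid before touching files, so root's own access never applies.
"""
import os

# Constructed sample tree: path -> (mode, owner uid, owner gid).
SAMPLE_TREE = {
    "/": (0o755, 0, 0),
    "/home": (0o755, 0, 0),
    "/home/me": (0o700, 1000, 1000),
    "/home/me/share": (0o777, 1000, 1000),
    "/srv": (0o755, 0, 0),
    "/srv/share": (0o777, 1000, 1000),
}


def class_bits(mode, file_uid, file_gid, uid, gid, groups):
    """Select the rwx triple that applies: owner, else group, else other.
    Classic Unix picks exactly one class; a matching owner never falls
    through to group or other bits even when those would grant more."""
    if uid == file_uid:
        return (mode >> 6) & 0o7
    if gid == file_gid or file_gid in groups:
        return (mode >> 3) & 0o7
    return mode & 0o7


def ancestors(path):
    """Yield '/', then each directory prefix, ending with path itself."""
    parts = [p for p in path.split("/") if p]
    yield "/"
    cur = ""
    for p in parts:
        cur += "/" + p
        yield cur


def first_blocker(path, uid, gid, groups=(), tree=SAMPLE_TREE):
    """Return the first directory on the way to `path` that the identity
    cannot search, or None when the whole chain is traversable. The final
    directory is included because listing a share needs x on it as well."""
    for d in ancestors(path):
        mode, fuid, fgid = tree[d]
        if not class_bits(mode, fuid, fgid, uid, gid, groups) & 0o1:
            return d
    return None


def can_write(path, uid, gid, groups=(), tree=SAMPLE_TREE):
    """Creating a file in `path` needs a traversable chain plus w on `path`
    itself; the parent's own w bit is irrelevant, which answers the
    '-w on /srv' question: there is no negative permission being overridden,
    /srv's bits simply govern /srv's own entries and nothing below."""
    if first_blocker(path, uid, gid, groups, tree) is not None:
        return False
    mode, fuid, fgid = tree[path]
    return bool(class_bits(mode, fuid, fgid, uid, gid, groups) & 0o2)


def first_blocker_on_disk(path):
    """Same walk against the real filesystem. os.access() checks with the
    process's real uid/gid, so run it as the account that would connect
    through Samba, not via sudo, to see what that user actually hits."""
    for d in ancestors(os.path.abspath(path)):
        if not os.access(d, os.X_OK):
            return d
    return None


if __name__ == "__main__":
    other = dict(uid=2000, gid=2000)  # a Samba user who is not 'me'
    print("blocker for /home/me/share:", first_blocker("/home/me/share", **other))
    print("blocker for /srv/share:", first_blocker("/srv/share", **other))
    print("can write /srv/share:", can_write("/srv/share", **other))
    print("on-disk blocker for cwd:", first_blocker_on_disk(os.getcwd()))
```

Running it as a non-root user against a real share path (`first_blocker_on_disk("/home/me/mytestshare")`) names the exact ancestor that denies traversal, which is the check to do before reaching for SELinux or symlink workarounds; the modelled tree shows why the same share under /srv works without touching its own 0777 mode.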

