[Samba] share permissions

Eduardo Sotomayor easgs at hotmail.com
Thu Aug 22 14:55:11 MDT 2013


I asked something similar a few weeks ago and this is the answer I got


On 12.08.2013 20:15, Eduardo Sotomayor wrote:

> I read at the samba4 wiki that to setup a samba4 share you need to
>
>   Create a folder that you want to share
>
> # mkdir -p /srv/samba/Demo/
>
>   Add a new share to your smb.conf:
>
> [Demo]
>       path = /srv/samba/Demo/
>       read only = no
>
> but what about permission at os level? I mean do I have to chmod 770
> or chmod 2770 the folder or else?
> I read somewhere that it was necessary to chmod 777 but that configuration
> is very unsecure at os level.

 

 

The ACLs on the share/filesystem are now fully manageable through
Windows. The filesystem ACLs are stored in extended attributes (that's
why you need a filesystem supporting ext. ACLs).

What I understand from this answer is that no matter what the permissions are
at Linux OS level.


>No problem, glad it's working :)
>Ricky


>On Thu, Aug 22, 2013 at 11:59 AM, Kevin Field <kev at brantaero.com> wrote:

> Oh, I see.  At first I read it as /home/me/srv.  Gotcha.  It works! Thanks
> very much Ricky!  -K
>
>
> On 2013-08-22 12:49 PM, Ricky Nance wrote:
>
>> It looks at all of them, but the important thing is that it's 0755 all
>> the way to the folder being used (if there is any XXX0 permissions on
>> the way to the folder it will cause things to fail, which is the case
>> with the 'me' part of /home/me/share as it has 0700 permissions).
>>
>>
>> On Thu, Aug 22, 2013 at 10:54 AM, Kevin Field <kev at brantaero.com> wrote:
>>
>>     Oh, so it only looks at the immediate parent's permissions?  Not the
>>     grandparent?  I find that even more bewildering but a whole lot
>>     easier to work with if that's the case :)
>>
>>     Thanks,
>>     Kev
>>
>>
>>     On 2013-08-22 11:44 AM, Ricky Nance wrote:
>>
>>         No, you can use /home/srv/share as long as srv (under home) is 755
>>         permissions. Samba does run as root, but it also still obeys the
>>         rules underlying file system.
>>
>>         Ricky
>>
>>
>>         On Thu, Aug 22, 2013 at 10:19 AM, Kevin Field <kev at brantaero.com> wrote:
>>
>>              I can understand that.
>>
>>              However, I'm a bit confused about how this is supposed to be
>>              practical in the case of Samba.  Samba runs as root, so it can
>>              see everything. I'm telling it to share a particular folder.
>>              Why should it look at the ACLs of folders above that, when
>>              there's no way they will be otherwise accessible via Samba?
>>
>>              The reason I bother with this question is that /home and /srv
>>              are on two different partitions.  I set it up so that the bulk
>>              of space would be available under /home.  Okay, so it sounds
>>              like links can come to rescue here.  I dig around and it seems
>>              that hard links on directories have not been allowed since the
>>              70's.  Symbolic links could work, but if you enable the
>>              following of symbolic links in smb.conf, it can open up
>>              security holes.  So to me it seems there's no workaround for a
>>              design that doesn't make sense in the first place (checking
>>              the ACLs of parent directories even if you're root and they're
>>              irrelevant to the application of sharing the given directory.)
>>
>>              Am I missing something?
>>
>>              Thanks,
>>              Kev
>>
>>
>>              On 2013-08-20 11:22 AM, Ricky Nance wrote:
>>
>>                  Permissions are hard to explain (possibly because I don't
>>                  fully understand them myself I guess), but if you have a
>>                  directory (say /srv) and you give it 0700 permissions,
>>                  then only the person that owns that directory is able to
>>                  see anything under it, however if you give it 0755, then
>>                  ANYONE can see (the second 5 is R-X for everyone) what's
>>                  in there, now you have a directory under that, let's call
>>                  it share, (so /srv/share) and you give it permissions of
>>                  0777, then everyone can read/write in the share folder,
>>                  but no one can write to the /srv folder except the owner.
>>                  So when you had a share under /home/user (which is
>>                  typically /home is 755, and the /home/user is 0700) then
>>                  no one had access to the underlying directories (even if
>>                  the underlying directory is 777, because the user simply
>>                  can't get to that point)...
>>
>>                  If anyone disagrees or could explain this better please
>>                  feel free to do so, I am not opposed to learning new
>>                  things :)
>>
>>                  Ricky
>> 		 	   		  
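
The /home/me/share case from this thread, as an added example that is not part of the original messages: a small Python check that walks every directory from a base down to the share and reports the ones that deny search (execute) permission to the connecting account. The function names, the temporary tree and the uid are constructed for illustration, and only classic mode bits are evaluated (POSIX ACLs are ignored).

```python
import os
import stat
import tempfile

def search_allowed(st, uid, gids):
    """True if uid/gids may traverse a directory with stat result st."""
    if uid == 0:
        return True  # root bypasses directory search checks
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def blocking_dirs(share_path, uid, gids, base="/"):
    """List (directory, octal mode) for each directory from base down to
    share_path that denies search permission to uid/gids."""
    base = os.path.realpath(base)
    rel = os.path.relpath(os.path.realpath(share_path), base)
    current, blocked = base, []
    for part in [""] + [p for p in rel.split(os.sep) if p != "."]:
        if part:
            current = os.path.join(current, part)
        st = os.stat(current)
        if not search_allowed(st, uid, gids):
            blocked.append((current, format(stat.S_IMODE(st.st_mode), "04o")))
    return blocked

def demo():
    """Constructed tree mirroring the thread: home 0755, me 0700, share 0777."""
    root = os.path.realpath(tempfile.mkdtemp())
    share = os.path.join(root, "home", "me", "share")
    os.makedirs(share)
    for rel, mode in (("", 0o755), ("home", 0o755),
                      ("home/me", 0o700), ("home/me/share", 0o777)):
        os.chmod(os.path.join(root, rel), mode)
    other_uid = os.getuid() + 12345  # made-up uid that does not own the tree
    before = blocking_dirs(share, other_uid, [], base=root)
    os.chmod(os.path.join(root, "home", "me"), 0o755)  # the fix from the thread
    after = blocking_dirs(share, other_uid, [], base=root)
    return root, before, after

if __name__ == "__main__":
    _, before, after = demo()
    print("blocked before:", before)
    print("blocked after: ", after)
```

On a real server, call `blocking_dirs("/home/me/share", uid, gids)` with the uid and group ids of the account the client connects as.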

