[Samba] Is “obey pam restrictions” still supposed to work in Samba 4?
Jeremy Allison
jra at samba.org
Thu Feb 11 20:22:05 UTC 2021
On Thu, Feb 11, 2021 at 05:30:37PM +0100, Chentao Credungtao wrote:
>Hi Andrew
>
>Thanks again for you help
>
>FYI, I think I found a solution to achieve my goal and prevent some
>users from storing files over a given size on a Samba server. I did
>some tests, it seems to work. I'm wondering if you see any potential
>negative side effects.
>
>Let's say I have shared /srv/test on my Samba file server. Basically,
>all I did was :
>
>1°/ # apt-get install bindfs
>
>2°/ Put the following instructions in a start script (for example
>/etc/rc.local on my Debian) :
>(ulimit -S -f 102400; ulimit -H -f 102400; trap '' XFSZ; bindfs
>/srv/test/ /srv/test/)
>
>Basically this opens a subshell, sets a 100MB limit for the subshell,
>traps the XFSZ signal, and mounts a FUSE file system from /srv/test to
>itself (with the 100MB limit still valid).
>
>It works even better through Windows/Samba than directly from the
>shell. From the shell, a copy command of a file over 100MB creates a
>100MB truncated file. But from Windows through Samba, the file isn't
>created at all, which is what I want.
>
>Windows' error message doesn't reflect the 100MB limitation (it says
>not enough space), but apart of that it seems to do the job.
>
>---
>
>I can even prevent some users from storing big files, while allowing
>others. For that, I don't share /srv/test/, but I share
>/srv/test-restricted/ and /srv/test-unrestricted. Then I mount both
>shared folders on /srv/test, one with limitations, once without
>limitations :
>
>(ulimit -S -f 102400; ulimit -H -f 102400; trap '' XFSZ; bindfs
>/srv/test/ /srv/test-restricted/)
>bindfs /srv/test/ /srv/test-unrestricted/
>
>Easy !
>
>---
>
>Can you see any potential side effects ? Any reason NOT to use this
>solution ?
No, this looks like a great solution ! I'm eventually
thinking bindfs can be used to allow us to remove the horrible
"widelinks = yes" parameter, as it can do everything that
nasty parameter can do, but in a more controlled mannor.
More information about the samba
mailing list