[Samba] confirm deletion - possible?

Stefan G. Weichinger lists at xunil.at
Tue Jan 19 10:51:20 UTC 2021

Am 19.01.21 um 11:38 schrieb Andrew Walker:
> On Tue, Jan 19, 2021 at 4:23 AM Stefan G. Weichinger via samba 
> <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
>     Is it possible and configurable to ask something "are you sure? y/n" if
>     a user wants to delete a file/folder on a samba share?
> Speaking in broad terms, you're up to the mercy of the OS / application 
> developer for the SMB client (or however you're accessing the SMB share) 
> to do this.

The client is a strange piece of software called "MS Windows 10" ;-)

>     Is that possible by using Windows ACLs or ... ?
> Not really possible via ACLs (but I haven't had coffee yet). ACLs just 
> define what a user can do with a file. They don't prompt for 
> confirmation. For example, you can possibly set permissions in a way to 
> create a write-only dropbox for files.

In this case we think of only allowing 2 of the ~10 users to modify the 
top folder structure via ACLs. So something like a group "power users" 
that is allowed more ... and others are only allowed to modify stuff 
below and inside these folders.

I have to add that I run vfs "full_audit" there: these logs help to see 
who messed up what and when.

> Some thoughts:
> vfs_recycle allows you to basically configure a hidden directory at the 
> root of your share that acts as a recycle bin. If users delete a file, 
> it gets moved there. One significant caveat is that if you have for some 
> reason mounted a filesystem within your SMB share and delete a file from 
> it, the deleted file will _not_ appear in the recycle bin. This one 
> should probably be at the end of your list of "vfs objects" if you 
> choose to use it.
> vfs_worm allows you to configure a "grace period" in which files in a 
> share are writable. Once the time difference between the file's ctime 
> and the current time exceeds the amount set as the share's grace period, 
> the file becomes read-only. This is useful if you have a share that's 
> rarely edited after initial upload. An example of this is a repository 
> for digitized images of legal documents. Once they're uploaded, there's 
> little reason for a user to be able to move around, edit, delete, etc.
> vfs_shadow_copy2 allows you to present filesystem snapshots as "previous 
> versions" in windows. If the filesystem on which the share resides 
> supports some lightweight snapshotting mechanism (like ZFS), then you 
> can set a cronjob to snapshot the FS at periodic intervals and basically 
> have "unbreaking things" become self-service for end users. Okay... 
> that's probably too optimistic, but it will make recovery somewhat 
> easier for the admin.

Thanks for the information, I haven't checked the various vfs modules 
lately and some of them might help here. Got to think about it.

More information about the samba mailing list