Samba Permissions

Eric Cope eric.cope at gmail.com
Mon Mar 16 08:48:51 MST 2009


Sorry for the late reply:

The Linux permissions include:

/ipc      group:ipc  user:ipc

/ipc/ipc  group:ipc  user:ipc
/ipc/cbs  group:cbs  user:cbs

Two companies (IPC, CBS) get each folder. IPC employees don't need access to
cbs, but cbs needs access to ipc. I created CBS users and added them to the
cbs group, the ipc group, and the ipc-users group. I chmoded everything to
770. The users didn't have access. Below are my samba settings:

[ipc]
path = /ipc
read only = no
create mask = 0775
valid users = @ipc-users

If I chmod to 777, they have access; if I change it to 770, they don't,
making me think I don't have the groups properly set up. If I run "groups
<some_user>", it shows the correct groups added.

Thanks,
Eric

On Fri, Mar 13, 2009 at 8:38 PM, keith smith <klsmith2020 at yahoo.com> wrote:

>
> My configuration looks slightly different
>
> [bill]
>         path = /work/bill
>         writeable = yes
>         browseable = yes
>         valid users = bill
>
> The directory is owned by bill:bill with permissions at 755 which I think
> is the default permissions.
>
> If I recall correctly, when you try to map the drive in Windows you will be
> prompted for the password.  And every time thereafter.
>
>
> ------------------------
> Keith
>
>
> --- On *Fri, 3/13/09, Lisa Kachold <lisakachold at obnosis.com>* wrote:
>
> From: Lisa Kachold <lisakachold at obnosis.com>
> Subject: RE: Samba Permissions
> To: plug-discuss at lists.plug.phoenix.az.us
> Date: Friday, March 13, 2009, 7:14 PM
>
>
> Eric Wrote:
>
> Hello all,
> I have a FreeBSD box running Samba. I have the permission set to 0770 so
> anyone in the group can read, write, or execute. I can create files via the
> shell. However, I can't write anything without 777 permissions. Any ideas?
> I'd rather not leave permissions like that.
> Thanks,
> Eric
>
> Lisa responds:
>
>
>
>
> A complete discussion of SAMBA permissions, like all security, is going to
> have to be in context.  I.e. do you have shell users on this box?  What are
> you sharing and how do you need to limit it?
>
> Generally what escapes people starting to play with SAMBA is that security
> is two tiered:
>
> (a) Linux *system permissions take precedence over Samba permissions*. For
> example, if a directory does not have Linux write permission, setting samba
> writeable = Yes (see below) will not allow writing to the shared directory /
> share.
>
> (b) The *filesystem permission cannot take priority over Samba
> permission.* For example, if the filesystem is mounted read-only, setting
> writeable = Yes will not allow writing to any shared directory or share via
> the samba server.
> In short:
> Limits set by kernel-level access control such as file permissions, file
> system mount options, ACLs, and SELinux policies cannot be overridden by
> Samba.  Both the kernel and Samba must permit the user to perform an action
> on a file before that action can occur.
> Samba Share Permission HowTo: Samba basic permissions are as follows
> (the configuration file is smb.conf [/etc/samba/smb.conf]):
>
>    - *read only*: This parameter controls whether a user has the ability
>    to create or modify files within a share. This is the default.
>    - *guest ok*: If this parameter is set to yes, users will have access
>    to the share without having to enter a password. This can pose a
>    security risk.
>    - *writeable*: Specifies that users should have write access to the share.
>
> You can create the share called "foofiles" with read only permission:
>
> [foofiles]
> path = /usr/share/docs
> read only = Yes
>
> You can create the share called salesdoc with write permission:
>
> [salesdoc]
> path = /home/shared/sales
> writeable = Yes
>
> You can also create a list of users to give write access to the share with
> the *write list* option. For example, to allow rocky and tony to write to
> the share called sales:
> [salesdoc]
> path = /home/shared/sales
> write list = rocky tony
>
> You can use the following options:
>
>    - *read list*: This option accepts a list of usernames or a group as
>    its value. Users will be given read-only access to the share.
>    - *valid users*: You can make a share available to specific users.
>    Usernames or group names can be passed on as its value.
>    - *invalid users*: Users or groups listed will be denied access to this
>    share.
>
> Samba masks:
> Specify the Samba default file creation permissions using masks.
>
>    - *create mask*: This option is set using an octal value when setting
>    permissions for files.
>    - *directory mask*: Directories must have the execute bit for proper
>    access. Default parameter is 0755.
>
>
> [salesdoc]
> path = /home/shared/sales
> write list = rocky sys
> create mask = 0775
>
> excerpted from:
> http://www.cyberciti.biz/tips/how-do-i-set-permissions-to-samba-shares.html
>
> *<joke>ERIC: Post your configuration with a complete diagram of your
> network and use?  </joke>*
>
> Nosis <http://en.wikipedia.org/wiki/User:Lisa_Kachold>| Obnosis<http://www.obnosis.com/>| (503)754-4452
> PLUG <http://http//plug.phoenix.az.us> Linux Security Labs<http://uat.edu/>2nd Saturday Each Month at Noon- 3PM
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
>
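The two layers Lisa describes (smbd's share settings, then the kernel's mode bits, both of which must allow the action) can be checked on paper for one user and one share. This is an added example, not code from any poster or from Samba; the share text and the user, group and mode values are constructed from Eric's and Lisa's messages, and the function names are the example's own. On a real box the directory fields come from `stat` and the group list from `id -Gn`.

```shell
#!/bin/sh
# Layer 1: smbd share settings from smb.conf.  Layer 2: kernel mode bits on the directory.
in_list() {  # in_list USER "GROUPS" "LIST": USER, or a member of GROUPS named as "@group", is in LIST
    for il_item in $(printf '%s' "$3" | tr ',' ' '); do
        case $il_item in
            @*) case " $2 " in *" ${il_item#@} "*) return 0 ;; esac ;;
            *)  [ "$il_item" = "$1" ] && return 0 ;;
        esac
    done; return 1
}

share_setting() {  # share_setting CONF SHARE KEY: last value of KEY in [SHARE] (smbd keeps the last)
    printf '%s\n' "$1" | awk -v s="[$2]" -v k="$3" '
        { l = $0; sub(/^[ \t]+/, "", l); sub(/[ \t]+$/, "", l) }
        l == s { on = 1; next }; l ~ /^\[/ { on = 0 }
        on && index(l, "=") { key = substr(l, 1, index(l, "=") - 1); sub(/[ \t]+$/, "", key)
            if (key == k) { val = substr(l, index(l, "=") + 1); sub(/^[ \t]+/, "", val); found = 1 } }
        END { if (found) print val }'
}

share_allows_write() {  # share_allows_write CONF SHARE USER "GROUPS": would smbd let USER write?
    sa_valid=$(share_setting "$1" "$2" "valid users")
    if [ -n "$sa_valid" ] && ! in_list "$3" "$4" "$sa_valid"; then return 1; fi   # not even connectable
    sa_wl=$(share_setting "$1" "$2" "write list")
    if [ -n "$sa_wl" ] && in_list "$3" "$4" "$sa_wl"; then return 0; fi           # write list overrides
    sa_ro=$(share_setting "$1" "$2" "read only" | tr 'A-Z' 'a-z')   # default yes; writeable is its inverse
    sa_wr=$(share_setting "$1" "$2" "writeable" | tr 'A-Z' 'a-z')
    case "$sa_ro:$sa_wr" in no:*|false:*|*:yes|*:true) return 0 ;; *) return 1 ;; esac
}

kernel_may_create() {  # kernel_may_create OWNER GROUP MODE USER "GROUPS": may USER create a file here?
    km_mode=$3; if [ ${#km_mode} -gt 3 ]; then km_mode=${km_mode#?}; fi   # "0770" -> "770"
    if [ "$4" = "$1" ]; then km_bits=${km_mode%??}                         # owner digit
    elif in_list "" "$5" "@$2"; then km_bits=${km_mode#?}; km_bits=${km_bits%?}   # group digit
    else km_bits=${km_mode#??}; fi                                        # other digit
    [ $((km_bits & 3)) -eq 3 ]   # needs write (2) and search (1) on the directory
}

can_write() {  # can_write CONF SHARE OWNER GROUP MODE USER "GROUPS": prints "ok" or which layer refuses
    share_allows_write "$1" "$2" "$6" "$7" || { echo "denied by smb.conf"; return 1; }
    kernel_may_create "$3" "$4" "$5" "$6" "$7" || { echo "denied by kernel mode bits"; return 1; }
    echo ok
}
# Constructed from Eric's share and directory (/ipc owned ipc:ipc, mode 770); user/group names invented.
ERIC_CONF='[ipc]
read only = no
valid users = @ipc-users'
can_write "$ERIC_CONF" ipc ipc ipc 770 cbsuser "cbs ipc ipc-users"     # ok
can_write "$ERIC_CONF" ipc ipc ipc 770 cbsuser "cbs ipc-users" || :    # denied by kernel mode bits
```

If both layers pass on paper but smbd still refuses, the group list smbd received for the session is the next thing to compare against the `groups` output, since that list is fixed when the user connects.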