Samba Permissions

Eric Shubert ejs at shubes.net
Mon Mar 16 09:40:13 MST 2009


Shouldn't that be:
valid users = @ipc
??

Eric Cope wrote:
> Sorry for the late reply:
> 
> The Linux permissions include:
> 
> /ipc  group:ipc user:ipc
> 
> /ipc/ipc group:ipc user:ipc
> /ipc/cbs group:cbs user:cbs
> 
> Two companies (IPC, CBS) get each folder. IPC employees don't need 
> access to cbs, but cbs needs access to ipc. I created CBS users and 
> added them to the cbs group, the ipc group, and the ipc-users group. I 
> chmoded everything to 770. The users didn't have access. Below are my 
> samba settings
> 
> [ipc]
> path = /ipc
> read only = no
> create mask = 0775
> valid users = @ipc-users
> 
> If I chmod to 777, they have access; if they change it to 770, they 
> don't, making me think I don't have the groups properly set up. If I run 
> "groups <some_user>", it shows the correct groups added.
> 
> Thanks,
> Eric
> 
> On Fri, Mar 13, 2009 at 8:38 PM, keith smith <klsmith2020 at yahoo.com 
> <mailto:klsmith2020 at yahoo.com>> wrote:
> 
> 
>     My configuration looks slightly different
> 
>     [bill]
>             path = /work/bill
>             writeable = yes
>             browseable = yes
>             valid users = bill
> 
>     The directory is owned by bill:bill with permissions at 755 which I
>     think is the default permissions.
> 
>     If I recall correctly, when you try to map the drive in Windows you
>     will be prompted for the password.  And every time thereafter.
> 
> 
>     ------------------------
>     Keith
> 
> 
>     --- On *Fri, 3/13/09, Lisa Kachold /<lisakachold at obnosis.com
>     <mailto:lisakachold at obnosis.com>>/* wrote:
> 
>         From: Lisa Kachold <lisakachold at obnosis.com
>         <mailto:lisakachold at obnosis.com>>
>         Subject: RE: Samba Permissions
>         To: plug-discuss at lists.plug.phoenix.az.us
>         <mailto:plug-discuss at lists.plug.phoenix.az.us>
>         Date: Friday, March 13, 2009, 7:14 PM
> 
> 
>         Eric Wrote:
> 
>         Hello all,
>         I have a FreeBSD box running Samba. I have the permission set to
>         0770 so anyone in the group can read, write, or execute. I can
>         create files via the shell. However, I can't write anything
>         without 777 permissions. Any ideas? I'd rather not leave
>         permissions like that.
>         Thanks,
>         Eric
> 
>         Lisa responds:
> 
>         A complete discussion of SAMBA permissions, like all security is
>         going to have to be in context.  I.E. do you have shell users on
>         this box?  What are you sharing and how do you need to limit it?
> 
>         Generally what escapes people starting to play with SAMBA is
>         that security is two tiered:
> 
>         (a) Linux *system permissions take precedence over Samba
>         permissions*. For example, if a directory does not have Linux
>         write permission, setting samba writeable = Yes (see below) will
>         not allow writing to the shared directory / share.
>         (b) The *filesystem permission cannot be take priority over Samba
>         permission.* For example, if the filesystem is mounted read-only,
>         setting writeable = Yes will not allow writing to any shared
>         directory or share via the samba server.
>         In short:
>         Limits set by kernel-level access control such as file
>         permissions, file system mount options, ACLs, and SELinux
>         policies cannot be overridden by Samba.  Both the kernel and
>         Samba must permit the user to perform an action on a file before
>         that action can occur.
> 
> 
>               Samba Share Permission HowTo:
> 
>         Samba Basic permissions are as follows (configuration file is
>         smb.conf [/etc/samba/smb.conf]):
> 
>             * *read only*: This parameter controls whether a user has
>               the ability to create or modify files within a share. This
>               is the default.
>             * *guest ok*: If this parameter is set to yes, users
>               will have access to the share without
>               having to enter a password. This can pose a security risk.
>             * *writeable*: Specifies that users should have write access to
>               the share.
> 
>         You can create the share called "foofiles" with read only permission:
> 
>         [foofiles]
>         path = /usr/share/docs
>         read only = Yes
> 
>         You can create the share called salesdoc with write permission:
> 
>         [salesdoc]
>         path = /home/shared/sales
>         writeable = Yes
> 
>         You can also create a list of users to give write access to the
>         share with the *write list* option. For example, allow rocky and tony
>         to write to the share called sales:
> 
>         [salesdoc]
>         path = /home/shared/sales
>         write list = rocky tony
> 
>         You can use the following options:
> 
>             * *read list*: This option accepts a list of usernames or a
>               group as its value. Users will be given read-only access
>               to the share.
>             * *valid users*: You can make a share available to specific
>               users. Usernames or group names can be passed on as its value.
>             * *invalid users*: Users or groups listed will be denied
>               access to this share.
> 
> 
>               Samba masks:
> 
>         Specify samba default file creation permission using mask.
> 
>             * *create mask*: This option is set using an octal value
>               when setting permissions for files.
>             * *directory mask*: Directories must have the execute bit
>               for proper access. Default parameter is 0755.
> 
>         |
>         [salesdoc]
>         path = /home/shared/sales
>         write list = rocky sys
>         create mask = 0775|
> 
>         excerpted from:
>         http://www.cyberciti.biz/tips/how-do-i-set-permissions-to-samba-shares.html
> 
>         *<joke>ERIC: Post your configuration with a complete diagram of
>         your network and use?  </joke>*
> 
>         Nosis <http://en.wikipedia.org/wiki/User:Lisa_Kachold>| Obnosis
>         <http://www.obnosis.com/> | (503)754-4452
>         PLUG <http://http//plug.phoenix.az.us> Linux Security Labs
>         <http://uat.edu/> 2nd Saturday Each Month at Noon - 3PM
> 
> 
> 
>         ---------------------------------------------------
>         PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us <mailto:PLUG-discuss at lists.plug.phoenix.az.us>
> 
>         To subscribe, unsubscribe, or to change your mail settings:
>         http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> 
> 
> 
> 
> 


-- 
-Eric 'shubes'
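The thread keeps coming back to the same point: a user has to pass both Samba's share check ("valid users") and the kernel's mode-bit check on the directory. Below is an added example, not code from anyone in this thread, that models those two tiers for the quoted [ipc] share; the user names (alice, bob), the group lists and the 0770/0777 directory modes are constructed inputs, not values from the posts.

```python
# Constructed smb.conf fragment modelled on the [ipc] share quoted in the thread.
SMB_CONF = """
[ipc]
path = /ipc
read only = no
create mask = 0775
valid users = @ipc-users
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}, keys lower-cased, comments dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(';')[0].split('#')[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip()
            sections[current] = {}
        elif '=' in line and current is not None:
            key, val = (s.strip() for s in line.split('=', 1))
            sections[current][key.lower()] = val
    return sections

def samba_allows(share, user, groups):
    """Samba tier: pass if 'valid users' is unset, names the user, or names one of the
    user's Unix groups with the '@' or '+' prefix (see smb.conf(5) on 'valid users')."""
    entries = share.get('valid users', '').split()
    if not entries:
        return True
    return any(e == user or (e[0] in '@+' and e[1:] in groups) for e in entries)

def unix_allows(mode, owner, group, user, groups, want='rwx'):
    """Kernel tier: only one of owner/group/other applies, so a 0770 directory owned
    by group ipc grants nothing to a user who is not in ipc, whatever Samba says."""
    shift = 6 if user == owner else 3 if group in groups else 0
    cls = (mode >> shift) & 0o7
    need = sum({'r': 4, 'w': 2, 'x': 1}[c] for c in want)
    return cls & need == need

def share_access(conf_text, share_name, user, groups, mode, owner, dgroup):
    """Both tiers must agree before the user can open the share's directory."""
    share = parse_smb_conf(conf_text)[share_name]
    return samba_allows(share, user, groups) and unix_allows(mode, owner, dgroup, user, groups)

if __name__ == '__main__':
    # Constructed case from the thread: a CBS user in ipc-users but not in ipc.
    for groups in (['cbs', 'ipc-users'], ['cbs', 'ipc', 'ipc-users']):
        print(groups, share_access(SMB_CONF, 'ipc', 'alice', groups, 0o770, 'ipc', 'ipc'))
```

Membership is evaluated from the group list you pass in, so feed it the output of `id -nG <user>` on the server; a group added after the user's Samba session was established will not show up on the live connection until they reconnect.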


