Hey Eric,
{How are you?}

(a) Linux system permissions take precedence over Samba permissions.

For example, if a directory does not have Linux write permission, setting Samba writeable = Yes (see below) will not allow writing to the shared directory / share.

(b) Samba permissions cannot take priority over filesystem permissions. For example, if the filesystem is mounted read-only, setting writeable = Yes will not allow writing to any shared directory or share via the Samba server.

In short:
Limits set by kernel-level access control such as file permissions, file system mount options, ACLs, and SELinux policies cannot be overridden by Samba.  Both the kernel and Samba must permit the user to perform an action on a file before that action can occur.

Samba Basic permissions are as follows (configuration file is smb.conf [/etc/samba/smb.conf]):

To enter a directory, it requires a set execution bit. With 770 only the owner and group members can enter it. 

Your umask here is 775, not 770.

[ipc]
path = /ipc
public = no
writeable = yes
guest ok = no
create mask = 775
force create mode = 775
force directory mode = 775
directory mask = 2770
create mask = 770
force create mask = 770
valid users = @ipc-users
inherit permissions = yes

Also what does your global smb section contain?
create mask = 0644
directory mask = 0755

Nosis| Obnosis | (503)754-4452
PLUG Linux Security Labs 2nd Saturday Each Month@Noon - 3PM

Date: Mon, 16 Mar 2009 08:48:51 -0700
Subject: Re: Samba Permissions
From: eric.cope@gmail.com
To: klsmith2020@yahoo.com; plug-discuss@lists.plug.phoenix.az.us

Sorry for the late reply:

The Linux permissions include:

/ipc      group: ipc  user: ipc
/ipc/ipc  group: ipc  user: ipc
/ipc/cbs  group: cbs  user: cbs

Two companies (IPC, CBS) each get a folder. IPC employees don't need access to cbs, but cbs needs access to ipc. I created CBS users and added them to the cbs group, the ipc group, and the ipc-users group. I chmoded everything to 770. The users didn't have access. Below are my samba settings:

[ipc]
path = /ipc
read only = no
create mask = 0775
valid users = @ipc-users

If I chmod to 777, they have access; if I change it to 770, they don't, making me think I don't have the groups properly set up. If I run "groups <some_user>", it shows the correct groups added.

Thanks,
Eric

On Fri, Mar 13, 2009 at 8:38 PM, keith smith <klsmith2020@yahoo.com> wrote:

My configuration looks slightly different

[bill]
        path = /work/bill
        writeable = yes
        browseable = yes
        valid users = bill

The directory is owned by bill:bill with permissions at 755 which I think is the default permissions.

If I recall correctly, when you try to map the drive in Windows you will be prompted for the password, and every time thereafter.


------------------------
Keith


--- On Fri, 3/13/09, Lisa Kachold <lisakachold@obnosis.com> wrote:
From: Lisa Kachold <lisakachold@obnosis.com>
Subject: RE: Samba Permissions
To: plug-discuss@lists.plug.phoenix.az.us
Date: Friday, March 13, 2009, 7:14 PM


Eric Wrote:

Hello all,
I have a FreeBSD box running Samba. I have the permission set to 0770 so anyone in the group can read, write, or execute. I can create files via the shell. However, I can't write anything without 777 permissions. Any ideas? I'd rather not leave permissions like that.
Thanks,
Eric

Lisa responds:




A complete discussion of SAMBA permissions, like all security, is going to have to be in context. I.e., do you have shell users on this box? What are you sharing and how do you need to limit it?

Generally what escapes people starting to play with SAMBA is that security is two tiered:

(a) Linux system permissions take precedence over Samba permissions. For example, if a directory does not have Linux write permission, setting Samba writeable = Yes (see below) will not allow writing to the shared directory / share.

(b) Samba permissions cannot take priority over filesystem permissions. For example, if the filesystem is mounted read-only, setting writeable = Yes will not allow writing to any shared directory or share via the Samba server.

In short:
Limits set by kernel-level access control such as file permissions, file system mount options, ACLs, and SELinux policies cannot be overridden by Samba.  Both the kernel and Samba must permit the user to perform an action on a file before that action can occur.

Samba Share Permission HowTo:

Samba Basic permissions are as follows (configuration file is smb.conf [/etc/samba/smb.conf]):
  • read only: This parameter controls whether a user has the ability to create or modify files within a share. This is the default.
  • guest ok: If this parameter is set to yes, users will have access to the share without having to enter a password. This can pose a security risk.
  • writeable: Specifies that users should have write access to the share.
You can create the share called "foofiles" with read only permission:

[foofiles]
path = /usr/share/docs
read only = Yes

You can create the share called salesdoc with write permission:
[salesdoc]
path = /home/shared/sales
writeable = Yes

You can also create a list of users to give write access to the share with the write list option. For example, allow rocky and tony to write to the share called sales:
[salesdoc]
path = /home/shared/sales
write list = rocky tony

You can use the following options:
  • read list: This option accepts a list of usernames or a group as its value. Users will be given read-only access to the share.
  • valid users: You can make a share available to specific users. Usernames or group names can be passed on as its value.
  • invalid users: Users or groups listed will be denied access to this share.

Samba masks:

Specify Samba's default file creation permissions using masks.
  • create mask: This option is set using an octal value when setting permissions for files.
  • directory mask: Directories must have the execute bit for proper access. Default parameter is 0755.

[salesdoc]
path = /home/shared/sales
write list = rocky sys
create mask = 0775


excerpted from: http://www.cyberciti.biz/tips/how-do-i-set-permissions-to-samba-shares.html

<joke>ERIC: Post your configuration with a complete diagram of your network and use?  </joke>

Nosis| Obnosis | (503)754-4452
PLUG Linux Security Labs 2nd Saturday Each Month@Noon - 3PM
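An added example (my own, not code from anyone in this thread) that models Lisa's two-tier rule for the shares quoted above: the kernel's mode bits and the share's smb.conf settings must both permit a write, and it applies Samba's create mask / force create mode arithmetic to a new file. It is a simplified model: it assumes no ACLs, no force user/group, and ignores read list.

```python
import stat

# Constructed model of Samba's two permission tiers (not Samba's own code).

def parse_share(text):
    """Parse one [share] block of smb.conf text into a dict of lower-cased keys."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in '#;[':
            continue
        key, _, val = line.partition('=')
        conf[key.strip().lower()] = val.strip()
    return conf

def _yes(val):
    return val.strip().lower() in ('yes', 'true', '1')

def _listed(entry, user, groups):
    # In smb.conf lists, '@name' or '+name' denotes a group; anything else is a user.
    return any(e[1:] in groups if e[0] in '@+' else e == user for e in entry.split())

def kernel_allows_write(mode, owner, group, user, groups):
    """Classic Unix check: owner bits, else group bits, else other bits."""
    if user == owner:
        return bool(mode & stat.S_IWUSR)
    if group in groups:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def samba_allows_write(share, user, groups):
    """Share-level check: 'valid users' gate, then read only / writeable / write list."""
    if 'valid users' in share and not _listed(share['valid users'], user, groups):
        return False
    writable = (_yes(share.get('writeable', 'no')) or _yes(share.get('writable', 'no'))
                or ('read only' in share and not _yes(share['read only'])))
    if not writable and 'write list' in share:  # write list grants write on a read-only share
        writable = _listed(share['write list'], user, groups)
    return writable

def can_write(share, mode, owner, group, user, groups):
    """Both tiers must agree; neither can override the other."""
    return (kernel_allows_write(mode, owner, group, user, groups)
            and samba_allows_write(share, user, groups))

def new_file_mode(requested, create_mask, force_create_mode):
    """Samba's rule for a created file: (requested & create mask) | force create mode."""
    return (requested & create_mask) | force_create_mode
```

With Eric's [ipc] share and a CBS user in the cbs, ipc and ipc-users groups, can_write returns True for a 770 directory owned by cbs:cbs, and False once the group write bit is dropped (750), whatever the share says.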


---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us

To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss




