Re: Samba Permissions

Author: Eric Shubert
Date:  
To: plug-discuss
Subject: Re: Samba Permissions
Shouldn't that be:
valid users = @ipc
??

Eric Cope wrote:
> Sorry for the late reply:
>
> The Linux permissions include:
>
> /ipc group:ipc user:ipc
>
> /ipc/ipc group:ipc user: ipc
> /ipc/cbs group: cbs user:cbs
>
> Two companies (IPC, CBS) get each folder. IPC employees don't need
> access to cbs, but cbs needs access to ipc. I created CBS users and
> added them to the cbs group, the ipc group, and the ipc-users group. I
> chmoded everything to 770. The users didn't have access. Below are my
> samba settings
>
> [ipc]
> path = /ipc
> read only = no
> create mask = 0775
> valid users = @ipc-users
>
> If I chmod to 777, they have access, if they change it to 770, they
> don't, making me think I don't have the groups properly setup. If I run
> "groups <some_user>", it shows the correct groups added.
>
> Thanks,
> Eric
>
> On Fri, Mar 13, 2009 at 8:38 PM, keith smith <
> <mailto:klsmith2020@yahoo.com>> wrote:
>
>
>     My configuration looks slightly different

>
>     [bill]
>             path = /work/bill
>             writeable = yes
>             browseable = yes
>             valid users = bill

>
>     The directory is owned by bill:bill with permissions at 755 which I
>     think is the default permissions.

>
>     If I recall correctly when you try to map the drive in Windows you
>     will be prompted for the password.  And every time thereafter.

>
>
>     ------------------------
>     Keith

>
>
>     --- On *Fri, 3/13/09, Lisa Kachold /<
>     <mailto:lisakachold@obnosis.com>>/* wrote:

>
>         From: Lisa Kachold <
>         <mailto:lisakachold@obnosis.com>>
>         Subject: RE: Samba Permissions
>         To: 
>         <mailto:plug-discuss@lists.plug.phoenix.az.us>
>         Date: Friday, March 13, 2009, 7:14 PM

>
>
>         Eric Wrote:

>
>         Hello all,
>         I have a FreeBSD box running Samba. I have the permission set to
>         0770 so anyone in the group can read, write, or execute. I can
>         create files via the shell. However, I can't write anything
>         without 777 permissions. Any ideas? I'd rather not leave
>         permissions like that.
>         Thanks,
>         Eric

>
>         Lisa responds:

>
>
>
>
>         A complete discussion of SAMBA permissions, like all security is
>         going to have to be in context.  I.E. do you have shell users on
>         this box?  What are you sharing and how do you need to limit it?

>
>         Generally what escapes people starting to play with SAMBA is
>         that security is two tiered:

>
>         (a) Linux *system permissions take precedence over Samba
>         permissions*. For example if a directory does not have Linux
>         write permission, setting samba writeable = Yes (see below) will
>         not allow to write to shared directory / share.
>         (b) The *filesystem permission cannot be take priority over
>         Samba permission.* For example if filesystem mounted as readonly
>         setting writeable = Yes will not allow to write to any shared
>         directory or share via samba server.
>         In short:
>         Limits set by kernel-level access control such as file
>         permissions, file system mount options, ACLs, and SELinux
>         policies cannot be overridden by Samba.  Both the kernel and
>         Samba must permit the user to perform an action on a file before
>         that action can occur.

>
>
>               Samba Share Permission HowTo:

>
>         Samba Basic permissions are as follows (configuration file is
>         smb.conf [/etc/samba/smb.conf]):

>
>             * *read only*: This parameter controls whether a user has
>               the ability to create or modify files within a share. This
>               is default.
>             * *guest ok*: If this parameter is set to yes, the users
>               will have access to the share without
>               having to enter a password. This can pose security risk.
>             * *writeable*: Specifies users should have write access to
>               the share.

>
>         You can create the share called "foofiles" with read only permission
>
>             [foofiles]
>             path = /usr/share/docs
>             read only = Yes
>
>         You can create the share called salesdoc with write permission
>
>             [salesdoc]
>             path = /home/shared/sales
>             writeable = Yes
>
>         You can also create a list of users to give write access to the
>         share with *write list* option. For example allow rocky and tony
>         to write to the share called sales:
>
>             [salesdoc]
>             path = /home/shared/sales
>             write list = rocky tony
>
>         You can use following options

>
>             * *read list*: This option accepts a list of usernames or a
>               group as its value. Users will be given read-only access
>               to the share.
>             * *valid users*: You can make a share available to specific
>               users. Usernames or group names can be passed on as its value.
>             * *invalid users*: Users or groups listed will be denied
>               access to this share.

>
>
>               Samba masks:

>
>         Specify samba default file creation permission using mask.

>
>             * *create mask*: This option is set using an octal value
>               when setting permissions for files.
>             * *directory mask*: Directories must have the execute bit
>               for proper access. Default parameter is 0755.

>
>             [salesdoc]
>             path = /home/shared/sales
>             write list = rocky sys
>             create mask = 0775

>
>         excerpted from:
>         http://www.cyberciti.biz/tips/how-do-i-set-permissions-to-samba-shares.html

>
>         *<joke>ERIC: Post your configuration with a complete diagram of
>         your network and use?  </joke>*

>
>         Nosis <http://en.wikipedia.org/wiki/User:Lisa_Kachold>| Obnosis
>         <http://www.obnosis.com/> | (503)754-4452
>         PLUG <http://http//plug.phoenix.az.us> Linux Security Labs
>         <http://uat.edu/> 2nd Saturday Each Month@Noon - 3PM

>

>
>
>         ---------------------------------------------------
>         PLUG-discuss mailing list -  <mailto:PLUG-discuss@lists.plug.phoenix.az.us>

>
>         To subscribe, unsubscribe, or to change your mail settings:
>         http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

>
>
>

>
>



--
-Eric 'shubes'
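
An added example, not part of the thread or of any poster's message: a small Python model of the two-tier check quoted above (Samba's "valid users" first, then Unix mode bits on every directory from the share root down), which reports the tier that rejects a write. It assumes plain mode bits only (no ACLs, SELinux, "write list" or "force user/group"); the user name "alice" and the sample data are constructed.

```python
# Model of the two-tier check: smb.conf 'valid users' first, then Unix mode bits.
# Assumptions: no ACLs, SELinux, 'write list', 'force user/group' or root override.

def samba_allows(user, groups, valid_users):
    """Tier 1. An empty 'valid users' means any user may connect."""
    entries = valid_users.split()
    if not entries:
        return True
    for entry in entries:
        if entry[0] in "@+":          # @group / +group: treated as a Unix group
            if entry[1:] in groups:
                return True
        elif entry == user:
            return True
    return False

def kernel_allows(user, groups, owner, group, mode, want):
    """Tier 2. Only the first matching class (owner, group, other) is used."""
    shift = 6 if user == owner else 3 if group in groups else 0
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return ((mode >> shift) & need) == need

def can_write(user, groups, valid_users, read_only, chain):
    """chain: (path, owner, group, mode) tuples from the share root to the
    target directory. Returns (allowed, reason)."""
    if not samba_allows(user, groups, valid_users):
        return False, "samba: not in valid users"
    if read_only:
        return False, "samba: share is read only"
    for path, owner, group, mode in chain[:-1]:
        if not kernel_allows(user, groups, owner, group, mode, "x"):
            return False, f"kernel: no search permission on {path}"
    path, owner, group, mode = chain[-1]
    if not kernel_allows(user, groups, owner, group, mode, "wx"):
        return False, f"kernel: no write permission on {path}"
    return True, "both tiers allow"

# Constructed sample data mirroring the layout in the thread; "alice" is hypothetical.
CHAIN_770 = [("/ipc", "ipc", "ipc", 0o770), ("/ipc/cbs", "cbs", "cbs", 0o770)]
CHAIN_777 = [(p, o, g, 0o777) for p, o, g, _ in CHAIN_770]
ALL_GROUPS = {"cbs", "ipc", "ipc-users"}

if __name__ == "__main__":
    for groups in (ALL_GROUPS, {"ipc-users"}):
        for chain in (CHAIN_770, CHAIN_777):
            print(sorted(groups), oct(chain[0][3]),
                  can_write("alice", groups, "@ipc-users", False, chain))
```

In this model, a user who passes "valid users" but is not seen as a member of the directory's owning group is refused at 770 and admitted at 777, so the rejection comes from the mode-bit tier rather than from smb.conf.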
