
Thread: Give users Read, Modify but not delete on Samba server

  1. #1
    Join Date
    Jan 2012
    Beans
    2

    Give users Read, Modify but not delete on Samba server

    Guys, I need your help and I really appreciate it.

    I am a Windows system administrator and lately my manager wants me to change the system to Unix.

    I am still studying and reading. What I really need is exactly this case: I need to configure my Samba server permissions to allow read and write but not delete for a group or user.

    [[ I am configuring a file server ]]
    I need this option for groups so users can access the department's files and modify them and get the data they need, but not delete these files.

    The scenario I am trying to build is:
    client X [read, modify but not delete files or subfolders]
    Group X [read, modify but not delete files or subfolders]
    root [read, modify and delete]; I think this is the normal case for root

  2. #2
    Join Date
    Jun 2010
    Location
    ~
    Beans
    Hidden!

    Re: I Need to give users Read, Modify but not delete on Samba server [[ help plz ]]

    I think 'modify' and 'delete' may fall under the same permissions. If someone can modify a file, then they can modify the contents of a file to nothing.

  3. #3
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: I Need to give users Read, Modify but not delete on Samba server [[ help plz ]]

    Originally posted by emiller12345:
    I think 'modify' and 'delete' may fall under the same permissions. If someone can modify a file, then they can modify the contents of a file to nothing.
    I think that's how it works too.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  4. #4
    Join Date
    May 2008
    Location
    SoCal
    Beans
    Hidden!
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: I Need to give users Read, Modify but not delete on Samba server [[ help plz ]]

    Originally posted by CharlesA:
    I think that's how it works too.
    Nah! A file is deleted only when it is unlinked from the inode that describes it. A 0 byte file is empty but not deleted (unlinked). If you set the chattr +i attribute, no user, including root, has the ability to unlink the file. Root would have to reset the chattr to -i to be able to unlink.

    In addition, the sticky bit on a file should work to stop file deletion too.
    -BAB1

  5. #5
    Join Date
    Jun 2010
    Location
    ~
    Beans
    Hidden!

    Re: I Need to give users Read, Modify but not delete on Samba server [[ help plz ]]

    *nix also has three main types of permissions: read, write and executable.
    For the *nix permissions it appears that if the writable bit is not set for a directory for a given user ( or group ) then a file in that directory can't be deleted, but can be edited if the writable bit is set for the file.
    However, new files cannot be created in the directory with the writable bit not set.

    For Samba I'm not sure, Samba has three main permission settings: read only, writeable, and guest ok.
    You might have to play around with those to figure that out.

  6. #6
    Join Date
    May 2008
    Location
    SoCal
    Beans
    Hidden!
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: I Need to give users Read, Modify but not delete on Samba server [[ help plz ]]

    Originally posted by emiller12345:
    *nix also has three main types of permissions: read, write and executable.
    For the *nix permissions it appears that if the writable bit is not set for a directory for a given user ( or group ) then a file in that directory can't be deleted, but can be edited if the writable bit is set for the file.
    However, new files cannot be created in the directory with the writable bit not set.

    For Samba I'm not sure, Samba has three main permission settings: read only, writeable, and guest ok.
    You might have to play around with those to figure that out.
    Linux permissions trump Samba settings. There are actually 4 bits used for permissions: the 3 main bits (rwx) plus an extended bit for suid and sgid and the sticky bit. See here for more info. That page is a pretty good reference on Linux permissions.
    -BAB1

  7. #7
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: I Need to give users Read, Modify but not delete on Samba server [[ help plz ]]

    Originally posted by bab1:
    Nah! A file is deleted only when it is unlinked from the inode that describes it. A 0 byte file is empty but not deleted (unlinked). If you set the chattr +i attribute, no user, including root, has the ability to unlink the file. Root would have to reset the chattr to -i to be able to unlink.

    In addition, the sticky bit on a file should work to stop file deletion too.
    Good point. Doesn't the sticky bit only prevent deletion from anyone except the owner?

  8. #8
    Join Date
    May 2008
    Location
    SoCal
    Beans
    Hidden!
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: I Need to give users Read, Modify but not delete on Samba server [[ help plz ]]

    Originally posted by CharlesA:
    Good point. Doesn't the sticky bit only prevent deletion from anyone except the owner?
    In the post above (#6) I have a link to a page that describes what the suid, sgid and sticky bits are.

    From the chmod man page
    Code:
    RESTRICTED DELETION FLAG OR STICKY BIT
           The  restricted  deletion  flag  or  sticky  bit is a single bit, whose
           interpretation depends on the file type.  For directories, it  prevents
           unprivileged  users  from  removing or renaming a file in the directory
           unless they  own  the  file  or  the  directory;  this  is  called  the
           restricted  deletion  flag  for the directory, and is commonly found on
           world-writable directories like /tmp.
    At the present time the sticky bit is not used for files. In the past it held files in RAM, hence the sticky in "sticky bit".

    Edit: To cap this all off -- If you create a file structure that has these 3 things: a. A directory with the sticky bit set on. b. The group forced (sgid) to one that is NOT a group with the samba users in it (i.e. webadmin) and c. The file permissions set read and write to the file, those users will be able to read and write to that file, but not delete the file.

    The directory should be set to 3775 and the files to 0664. If you want to set this recursively you need to use chmod with symbolic bits, like this
    Code:
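    # X sets execute on directories (and on files that already have it); +t adds the sticky bit on top
    sudo chmod -R u=rwX,g=rwX,o=rX,+t "$somedir"
    Hint: the large X sets eXecute only on the directories.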
    Last edited by bab1; March 1st, 2012 at 07:57 AM. Reason: Last Thoughts
    -BAB1
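
    The layout described in post #8 (directories 3775, files 0664), as an added shell example that is not part of any post in this thread: it applies the modes per type, audits a tree for deviations, and lists the files a given user owns, which the restricted deletion flag does not protect from that user according to the man page text quoted above. It assumes GNU find; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Needs GNU find (-printf).
# Target layout from post #8: directories 3775, files 0664.

# apply_layout DIR: set the modes per type instead of one recursive chmod,
# so files never receive the directory-only bits.
apply_layout() {
    find "$1" -type d -exec chmod 3775 {} +
    find "$1" -type f -exec chmod 0664 {} +
}

# audit_share DIR: print one line per entry that deviates from the layout.
# Returns 0 when the tree is clean, 1 otherwise.
audit_share() {
    findings=$(find "$1" \( -type d -o -type f \) -printf '%y %m %u %p\n' |
        while read -r type mode owner path; do
            case "$type:$mode" in
                d:3775|f:664) ;;   # matches the target layout
                d:*) echo "DIR mode=$mode want=3775 owner=$owner $path" ;;
                f:*) echo "FILE mode=$mode want=664 owner=$owner $path" ;;
            esac
        done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# owned_by USER DIR: files USER owns. Per the chmod man page text quoted in
# post #8, the restricted deletion flag does not stop an owner removing
# their own file, so these are outside the sticky bit's protection for USER.
owned_by() {
    find "$2" -type f -user "$1" -printf '%p\n'
}

# make_sample_share: constructed sample tree with deliberately loose modes.
make_sample_share() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/finance/reports"
    : > "$d/finance/budget.ods"
    : > "$d/finance/reports/q1.ods"
    chmod 0777 "$d/finance"
    chmod 0666 "$d/finance/budget.ods"
    echo "$d"
}
```

    On a real share, run audit_share against the share path after any bulk copy or restore, since those commonly reset modes and ownership.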

  9. #9
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: I Need to give users Read, Modify but not delete on Samba server [[ help plz ]]

    Thanks for clearing that up. Quite handy.

  10. #10
    Join Date
    Jun 2010
    Location
    ~
    Beans
    Hidden!

    Re: I Need to give users Read, Modify but not delete on Samba server [[ help plz ]]

    Originally posted by bab1:
    The directory should be set to 3775 and the files to 0664.
    In addition, you will probably want to set the umask to 113 for new files created so they will have permissions 0664. I think there should be a way to do that in Samba, which is probably how most new files will mainly be created.

    EDIT:
    Disregard the above umask of 113, it is work. smb.conf has entries for 'create mask' and 'directory mask' but I'm not sure how you'd set the octals for them.
    Last edited by emiller12345; March 2nd, 2012 at 09:29 PM.
