Give users Read, Modify but not delete on Samba server

[Karim_992]

guys i need your help and i really appreciate it.

i am a windows system administrator and lately my manager want me to change the system to Unix.

i still studding and reading, what i really need is exactly this case i need to configure my Samba server permissions to allow read,write but not delete for a group or user.

[[ i am configuring a file server ]]
i need this option for groups so users can access the departments files and modify them and get the data they need but not to delete this files

The scenario i am trying to build is
client X [read,modify but not delete files or subfolders]
Group X [read,modify but not delete files or sub folder]
root[read,modify and delete] i think this is the normal case for the root

[emiller12345]

I think 'modify' and 'delete' may fall under the same permissions. If someone can modify a file, then they can modify the contents of a file to nothing.

[CharlesA]

I think 'modify' and 'delete' may fall under the same permissions. If someone can modify a file, then they can modify the contents of a file to nothing.

I think that's how it works too.

[bab1]

I think that's how it works too.

Nah! A file is deleted only when it is unlinked from the inode that describes it. A 0 byte file is empty but not deleted (unlinked). If you set the chattr +i attribute no user including root have the ability to unlink the file. Root would have to reset the chattr to -i to be able to unlink.

In addition, the sticky bit on a file should work stop file deletion too.

[emiller12345]

*nix also has three main types of permissions: read, write and executable.
For the *nix permissions it appears that if the writable bit is not set for a directory for a given user ( or group ) then a file in that directory can't be deleted, but can be edited if the writable bit is set for the file.
However, new files cannot be created in the directory with the writable bit not set.

For Samba I'm not sure, Samba has three main permission settings: read only, writeable, and guest ok.
You might have to play around with those to figure that out.

[bab1]

*nix also has three main types of permissions: read, write and executable.
For the *nix permissions it appears that if the writable bit is not set for a directory for a given user ( or group ) then a file in that directory can't be deleted, but can be edited if the writable bit is set for the file.
However, new files cannot be created in the directory with the writable bit not set.

For Samba I'm not sure, Samba has three main permission settings: read only, writeable, and guest ok.
You might have to play around with those to figure that out.

Linux permissions trump Samba settings. There are actually 4 bits used for permissions the 3 main bits (rwx) plus an extended bit for suid and sgid and the sticky bit. See here for more info. That page is pretty good reference on Linux permissions.

[CharlesA]

Nah! A file is deleted only when it is unlinked from the inode that describes it. A 0 byte file is empty but not deleted (unlinked). If you set the chattr +i attribute no user including root have the ability to unlink the file. Root would have to reset the chattr to -i to be able to unlink.

In addition, the sticky bit on a file should work stop file deletion too.

Good point. Doesn't the sticky bit only prevent deletion from anyone except the owner?

[bab1]

Good point. Doesn't the sticky bit only prevent deletion from anyone except the owner?

In the post above (#6) I have a link to a page that describes what sui, sgid and sticky bits.

From the chmod man page

Code:

RESTRICTED DELETION FLAG OR STICKY BIT
       The  restricted  deletion  flag  or  sticky  bit is a single bit, whose
       interpretation depends on the file type.  For directories, it  prevents
       unprivileged  users  from  removing or renaming a file in the directory
       unless they  own  the  file  or  the  directory;  this  is  called  the
       restricted  deletion  flag  for the directory, and is commonly found on
       world-writable directories like /tmp.

At the present time the sticky bit is not used for files. In the past it held files in RAM, hence the sticky in "sticky bit".

Edit: To cap this all off -- If you create a file structure that has these 3 things: a. A directory with the sticky bit set on. b. The group forced (sgid)to one that is NOT a group with the samba users in it (i.e webadmin) and c. The file permissions set read and write to the file, those users will be able to read and write to that file, but not delete the file.

The directory should be set to 3775 and the files to 0664. If you want to set this recursively you need to use chmod with symbolic bits, like this

Code:

sudo chmod -R u=rwX,g=rwX,o=r,a=t $somedir

Hint: the large X set eXecute only on the directories.

[CharlesA]

Thanks for clearing that up. Quite handy.

[emiller12345]

The directory should be set to 3775 and the files to 0664.

In addition, you will probably want to set the umask 113 for files new files create so they will have permissions 0664. I think there should be a way to do that in samba, which is probably how most new files will mainly be created.

EDIT:
Disregard the above umask of 113, it is work. smb.conf has entries for 'create mask' and 'directory mask' but I'm not sure how you'd set the octals for them.