Tuesday, April 12, 2011

Samba share permissions simplified

Samba share permissions simplified

by LinuxTitli on January 5, 2007 · 23 comments
Samba software, is a free, open source implementation of networking protocols to share files between UNIX/Linux and Windows computers.
Samba provides -
=> File and print services
=> Integration with a Windows Server domain / PDC
=> Part of Active Directory domain etc

Permission precedence

Samba comes with different types of permissions for share. Try to remember few things about UNIX and Samba permissions.
(a) Linux system permissions take precedence over Samba permissions. For example if a directory does not have Linux write permission, setting samba writeable = Yes (see below) will not allow to write to shared directory / share.
(b) The filesystem permission cannot be take priority over Samba permission. For example if filesystem mounted as readonly setting writeable = Yes will not allow to write to any shared directory or share via samba server.
In short (thanks to Craig [see below in comment section]) :
Limits set by kernel-level access control such as file permissions, file system mount options, ACLs, and SELinux policies cannot be overridden by Samba. Both the kernel and Samba must permit the user to perform an action on a file before that action can occur.

How do I set permissions to Samba shares?

Samba Basic permissions are as follows (configuration file is smb.conf [/etc/samba/smb.conf]):
  • read only: This parameter controls whether an user has the ability to create or modify files within a share. This is default.
  • guest ok: Uf this parameter is set to yes, the users will have access to the share without
    having to enter a password. This can pose security risk.
  • writeable: Specifies users should have write access to the share.
You can create the share called helpfiles with read only permission
[helpfiles]
path = /usr/share/docs
read only = Yes

You can create the share called salesdoc with write permission
[salesdoc]
path = /home/shared/sales
writeable = Yes

You can also create a list of users to give write access to the share with write list option. For example allow rocky and tony to write to the share called sales:
[salesdoc]
path = /home/shared/sales
write list = rocky tony

You can use following options
  • read list: This option accepts a list of usernames or a group as its value. Users will be given read-only access to the share.
  • valid users: You can make a share available to specific users. Usernames or group names can be passed on as its value.
  • invalid users: Users or groups listed will be denied access to this share.

Samba mask permission

It is also possible to specify samba default file creation permission using mask.
  • create mask: This option is set using an octal value when setting permissions for files.
  • directory mask: Directories must have the execute bit for proper access. Default parameter is 0755.
[salesdoc]
path = /home/shared/sales
write list = rocky sys
create mask = 0775

No comments:

Post a Comment