Configure permissions and ownership for Samba on Linux
Site Navigation:

 
 

Configure permissions and ownership for Samba on Linux

Author:  Sven Knispel
Updated: 26-01-2005
Feedback welcome: linux@cri.ch
Free service provided by: www.cri.ch

Samba is a Linux service wich allows to access a Linux disk* from a Microsoft Windows machine.
*or Hard-drive partition, whatever you call it

Following problem happens when working on a Samba-mounted share from windows:

  • the user and owner of a directory-tree are user1 grp1 (e.g. drwxrwx--- karin home_users ... mydir)
  • user sven edits the file index.html from Windows XP using Ultraedit. The result is: -rwxr--r-- 1 sven sven 4881 Nov 6 09:14 index.html -rwxrwx--- 1 karin home_users 4883 Nov 4 07:12 index.html.bak Ultraedit has moved index.html to index.html.bak and created a new index.html. The creation of the new file lead to changes in the ACLs and owner/group.

    This article deals with the settings to get rid of this problem.

    1. Change to options in Ultraedit

    In menu "Advanced" - "Configuration" select "No backup"
    After editing the file it looks like this: "-rwxrwx--- 1 karin home_users 4883 Nov 6 09:21 index.html

    2. Change /etc/samba/smb.conf

    Originally the share-defitinion looks like this (created with the X Samba-configuration tool): [karin_temp] comment = Karin's data path = /home/karin/karin_temp writeable = yes We are now going to have look at different Samba options...

    2.1 security mask

    Essentially, zero bits in the security mask mask may be treated as a set of bits the user is not allowed to change, and one bits are those the user is allowed to change.
    If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file.
    To make sure that a windows-user can never change the access right for "other" we define the security-mask to be 0770:
    security mask = 0770

    2.2 create masks / force create mode / directory mode / force directory mode

    When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit not set here will be removed from the modes set on a file when it is created. Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force create mode parameter which is set to 000 by default. Let's make following changes to these settings and observe the result by editing a file with the backup option of ultra edit on:
    First change the samba.conf file: [karin_temp] comment = Karin's data path = /home/karin/karin_temp writeable = yes to [karin_temp] comment = Karin's data path = /home/karin/karin_temp writeable = yes create mask = 0770 force create mode = 0770 directory mode = 0770 force directory mode = 0770 and restart Samba (/sbin/service smb restart).

    Initially the file looks like this: -rwxrwx--- 1 karin home_users 4883 Nov 6 09:21 after editing it with ultra edit it look now like this: -rwxrwx--- 1 sven sven 4881 Nov 6 09:42 -rwxrwx--- 1 karin home_users 4883 Nov 6 09:21

    You can see that Ultra edit still has move the original file to .bak and created a new file (with a new owner/group), but the permissions are as specified in samba.conf.

    Still the problem is there, that the file was moved to .bak and the new file created with user/group sven, preventing any other user to edit the file after that (as permissions are 0770).

    To get rid of this we will now set the option force group to force the group of any created file in this directory structure to be home_users: [karin_temp] comment = Karin's data path = /home/karin/karin_temp writeable = yes create mask = 0770 force create mode = 0770 force group = home_users

    (and restart Samba)

    Before editing the file the situation looks like this: -rwxrwx--- 1 karin home_users 4881 Nov 6 09:42 index.html After editing the file with Ultra Edit it is: -rwxrwx--- 1 sven home_users 4883 Nov 6 09:54 index.html -rwxrwx--- 1 karin home_users 4881 Nov 6 09:42 index.html.bak The owner has changed correctly, but the group was set by Samba from the option force group.

    The same way the user can also be forced using force user.