Configure permissions and ownership for Samba on Linux

Author:  Sven Knispel

Samba is a Linux service which allows a Microsoft Windows machine to access a Linux disk*.
*or hard-drive partition, whatever you call it

The following problem occurs when working on a Samba-mounted share from Windows:

  • the owner and group of a directory tree are user1 grp1 (e.g. drwxrwx--- karin home_users ... mydir)
  • user sven edits the file index.html from Windows XP using Ultraedit. The result is:

        -rwxr--r-- 1 sven sven 4881 Nov 6 09:14 index.html
        -rwxrwx--- 1 karin home_users 4883 Nov 4 07:12 index.html.bak

    Ultraedit has moved index.html to index.html.bak and created a new index.html. The creation of the new file led to changes in the ACLs and owner/group.

    This article deals with the settings to get rid of this problem.

    1. Change the options in Ultraedit

    In the menu "Advanced" - "Configuration" select "No backup".
    After editing, the file looks like this:

        -rwxrwx--- 1 karin home_users 4883 Nov 6 09:21 index.html

    2. Change /etc/samba/smb.conf

    Originally the share definition looks like this (created with the X Samba-configuration tool):

        [karin_temp]
        comment = Karin's data
        path = /home/karin/karin_temp
        writeable = yes

    We are now going to have a look at different Samba options...

    2.1 security mask

    Essentially, zero bits in the security mask may be treated as a set of bits the user is not allowed to change, and one bits are those the user is allowed to change.
    If not set explicitly, this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file.
    To make sure that a Windows user can never change the access rights for "other", we set the security mask to 0770:

        security mask = 0770

    2.2 create mask / force create mode / directory mode / force directory mode

    When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise ANDed with the create mask parameter. This parameter may be thought of as a bit-wise mask for the UNIX modes of a file: any bit not set here will be removed from the modes set on a file when it is created. Following this, Samba bit-wise ORs the resulting UNIX mode with the value of the force create mode parameter, which is set to 000 by default.

    Let's make the following changes to these settings and observe the result by editing a file with the backup option of Ultraedit on.
    First change the smb.conf file from

        [karin_temp]
        comment = Karin's data
        path = /home/karin/karin_temp
        writeable = yes

    to

        [karin_temp]
        comment = Karin's data
        path = /home/karin/karin_temp
        writeable = yes
        create mask = 0770
        force create mode = 0770
        directory mode = 0770
        force directory mode = 0770

    and restart Samba (/sbin/service smb restart).

    Initially the file looks like this:

        -rwxrwx--- 1 karin home_users 4883 Nov 6 09:21

    After editing it with Ultraedit it now looks like this:

        -rwxrwx--- 1 sven sven 4881 Nov 6 09:42
        -rwxrwx--- 1 karin home_users 4883 Nov 6 09:21

    You can see that Ultraedit has still moved the original file to .bak and created a new file (with a new owner/group), but the permissions are as specified in smb.conf.

    The problem remains that the file was moved to .bak and the new file was created with user/group sven, preventing any other user from editing the file afterwards (as the permissions are 0770).

    To get rid of this, we now set the option force group to force the group of any file created in this directory structure to be home_users:

        [karin_temp]
        comment = Karin's data
        path = /home/karin/karin_temp
        writeable = yes
        create mask = 0770
        force create mode = 0770
        force group = home_users

    (and restart Samba)

    Before editing the file the situation looks like this:

        -rwxrwx--- 1 karin home_users 4881 Nov 6 09:42 index.html

    After editing the file with Ultraedit it is:

        -rwxrwx--- 1 sven home_users 4883 Nov 6 09:54 index.html
        -rwxrwx--- 1 karin home_users 4881 Nov 6 09:42 index.html.bak

    The owner has changed correctly, but the group was set by Samba from the option force group.

    In the same way, the user can also be forced using force user.
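
The mask arithmetic from section 2.2 and the effect of force group, as an added Python example that is not part of the original article: it parses both versions of the [karin_temp] share, applies (requested AND create mask) OR force create mode, and reports the mode a newly created file ends up with. The requested mode 0744 is an assumption taken from the first listing above, the defaults are Samba's documented ones, and the function names are hypothetical.

```python
import configparser
import stat

# Constructed sample: the two versions of the [karin_temp] share from this page.
SMB_CONF_BEFORE = """\
[karin_temp]
comment = Karin's data
path = /home/karin/karin_temp
writeable = yes
"""

SMB_CONF_AFTER = SMB_CONF_BEFORE + """\
create mask = 0770
force create mode = 0770
force group = home_users
"""

# Samba's documented defaults, used when the share does not set the parameter.
DEFAULTS = {"create mask": 0o744, "force create mode": 0o000}

# Assumption: the DOS-to-UNIX mapping asks for 0744 for the new file, which is
# what the first listing on this page shows (-rwxr--r--) with no masks set.
REQUESTED = 0o744

def share_settings(conf_text, share):
    """Parse smb.conf text and return the mask settings of one share."""
    parser = configparser.ConfigParser(interpolation=None)  # keep %U etc. literal
    parser.read_string(conf_text)
    section = parser[share]
    settings = {}
    for name, default in DEFAULTS.items():
        settings[name] = int(section[name], 8) if name in section else default
    settings["force group"] = section.get("force group")  # None when not set
    return settings

def created_file_mode(settings, requested=REQUESTED):
    """(requested AND create mask) OR force create mode, as in section 2.2."""
    return (requested & settings["create mask"]) | settings["force create mode"]

def report(conf_text, share):
    """Return (ls-style mode, forced group, True if 'other' gets any access)."""
    settings = share_settings(conf_text, share)
    mode = created_file_mode(settings)
    return stat.filemode(stat.S_IFREG | mode), settings["force group"], bool(mode & 0o007)

if __name__ == "__main__":
    for label, text in (("before", SMB_CONF_BEFORE), ("after", SMB_CONF_AFTER)):
        print(label, report(text, "karin_temp"))
```

The "before" result matches the -rwxr--r-- file that locked other users out, and the "after" result matches the -rwxrwx--- home_users listing at the end of section 2.2.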