Author: Sven Knispel
Samba is a Linux service which allows access to a Linux disk* from a Microsoft Windows machine.
*or hard-drive partition, whatever you call it
The following problem happens when working on a Samba-mounted share from Windows:
user1 grp1 (e.g. drwxrwx--- karin home_users ... mydir)
sven edits the file index.html from Windows XP using UltraEdit. The result is:
-rwxr--r-- 1 sven sven 4881 Nov 6 09:14 index.html
-rwxrwx--- 1 karin home_users 4883 Nov 4 07:12 index.html.bak
UltraEdit has moved index.html to index.html.bak and created a new index.html. The creation of the new file led to changes in the ACLs and owner/group.
In UltraEdit's menu "Advanced" - "Configuration" select "No backup".
After editing the file it looks like this:
-rwxrwx--- 1 karin home_users 4883 Nov 6 09:21 index.html
Originally the share definition looks like this (created with the X Samba-configuration tool):
[karin_temp]
comment = Karin's data
path = /home/karin/karin_temp
writeable = yes
We are now going to have a look at different Samba options...
Essentially, zero bits in the security mask may be treated as a set of bits the user is not allowed to change, and one bits are those the user is allowed to change.
If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file.
To make sure that a Windows user can never change the access rights for "other", we define the security mask to be 0770:
security mask = 0770
When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter (create mask). This parameter may be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit not set here will be removed from the modes set on a file when it is created.
Following this, Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force create mode parameter, which is set to 000 by default.
Let's make the following changes to these settings and observe the result by editing a file with the backup option of UltraEdit on:
First change the samba.conf file:
[karin_temp]
comment = Karin's data
path = /home/karin/karin_temp
writeable = yes
to
[karin_temp]
comment = Karin's data
path = /home/karin/karin_temp
writeable = yes
create mask = 0770
force create mode = 0770
directory mode = 0770
force directory mode = 0770
and restart Samba (/sbin/service smb restart).
Initially the file looks like this:
-rwxrwx--- 1 karin home_users 4883 Nov 6 09:21
After editing it with UltraEdit it now looks like this:
-rwxrwx--- 1 sven sven 4881 Nov 6 09:42
-rwxrwx--- 1 karin home_users 4883 Nov 6 09:21
You can see that UltraEdit has still moved the original file to .bak and created a new file (with a new owner/group), but the permissions are as specified in samba.conf.
The problem is still there: the file was moved to .bak and the new file was created with user/group sven, preventing any other user from editing the file after that (as permissions are 0770).
To get rid of this we will now set the option force group to force the group of any created file in this directory structure to be home_users:
[karin_temp]
comment = Karin's data
path = /home/karin/karin_temp
writeable = yes
create mask = 0770
force create mode = 0770
force group = home_users
(and restart Samba)
Before editing the file the situation looks like this:
-rwxrwx--- 1 karin home_users 4881 Nov 6 09:42 index.html
After editing the file with UltraEdit it is:
-rwxrwx--- 1 sven home_users 4883 Nov 6 09:54 index.html
-rwxrwx--- 1 karin home_users 4881 Nov 6 09:42 index.html.bak
The owner has changed correctly, but the group was set by Samba from the option force group.
In the same way the user can also be forced using force user.
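The mask arithmetic described above for security mask, create mask and force create mode, applied to the share from this page, as an added example (not code from the original article or from Samba). The two stanzas are constructed from the page's settings with _before/_after suffixes added, the DOS-mapped mode 0766 is an assumption, and the function names are hypothetical.

```python
import configparser
import stat

# Constructed input: the page's share before and after its changes (suffixes added).
SAMPLE_CONF = """
[karin_temp_before]
path = /home/karin/karin_temp

[karin_temp_after]
path = /home/karin/karin_temp
security mask = 0770
create mask = 0770
force create mode = 0770
force group = home_users
"""

# Assumption: DOS-mapped mode of a new writable file with the archive bit set.
DOS_MAPPED_MODE = 0o766

def octal(share, key, default):
    return int(share.get(key, fallback=default), 8)

def created_mode(share):
    """(mapped mode AND create mask) OR force create mode."""
    mask = octal(share, "create mask", "0744")  # 0744 is the smb.conf default
    return (DOS_MAPPED_MODE & mask) | octal(share, "force create mode", "000")

def chmod_result(share, current, requested):
    """One bits of security mask follow the request; zero bits stay unchanged."""
    mask = octal(share, "security mask", "0777")
    return (requested & mask) | (current & ~mask & 0o777)

def audit(conf_text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    report = {}
    for name in parser.sections():
        share, mode = parser[name], created_mode(parser[name])
        report[name] = {
            "new_file": stat.filemode(stat.S_IFREG | mode),
            "group_writable": bool(mode & stat.S_IWGRP),
            "after_chmod_777": stat.filemode(stat.S_IFREG | chmod_result(share, mode, 0o777)),
            "group": share.get("force group", fallback="creator's primary group"),
        }
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

The "before" stanza reproduces the -rwxr--r-- listing of the newly created index.html, and the "after" stanza the -rwxrwx--- listing with group home_users.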