[plug] Samba permissions issue
Ben Jensz
plug at jensz.id.au
Wed Oct 20 15:08:05 WST 2004
I've done some Googling and I can't seem to see anything similar in
relation to this.
I've got Samba 3 set up as a domain controller for a Windows network, but
I'm seeing some weirdness in regards to file permissions not appearing
to work properly in a specific share.
I've got a share where I have 3 usergroups accessing it, let's call them
group1, group2 and group3. Now group1 and group2 are set up to act as if
they are root upon the share.. so they can read/write/delete everything
in the share at will (admin users = @group1, @group2). Now I've got the
create mask and directory mask set to 0755, so anything created is
readable/executable by everyone.. so only writable by the user who
created it (but of course overridden by the "admin users" parameter so
group1 and group2 users can do anything to it).
So what should happen is that group3 users can read all data in there,
including that put there by any user from any group (including group1
and group2 users), but they can only read it and not modify or delete
it. But this is not what is happening... I can create a file in the
share owned by root and with 0600 permissions (rw owner only) and group3
can still delete it.
This is the share section from smb.conf that I'm using currently for
this share:

[share]
    comment = Share
    path = /share/directory
    admin users = @group1, @group2
    writable = yes
    browseable = yes
    create mask = 0755
    directory mask = 0755
Now if I don't have writable = yes, then group3 can't write anything to
the share (even though the folder has group ownership of group3 and has
permissions of 0775).. if I take out writable = yes and replace it with
either "write list = @group1, @group2, @group3" or "valid users =
@group1, @group2, @group3" it does the same thing as above - lets group3
users delete stuff that they shouldn't be able to.
So it's like it's letting group3 users act almost as if they are "admin
users" as well (even though the ownership/permissions on the files isn't
the same as files created in the share by group1 or group2 users).
I'm using Samba 3.0.7 on Fedora Core 2. Anyone have any ideas?
TIA.
/ Ben
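
Added example, not part of the original post: on a POSIX filesystem, deleting a file is decided by write and search permission on the containing directory (plus the sticky bit), not by the file's own mode, which matches a directory that is group-owned by group3 with mode 0775. The uid/gid numbers and the directory owner (root) are assumptions; ACLs and file attributes are ignored.

```python
import stat

def class_bits(mode, st_uid, st_gid, uid, gids):
    """Return the rwx triplet (0-7) that applies to this user: owner, group or other."""
    if uid == st_uid:
        return (mode >> 6) & 7
    if st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def can_unlink(dir_mode, dir_uid, dir_gid, file_uid, uid, gids):
    """POSIX unlink check. Note that the file's mode is not an input at all."""
    if uid == 0:
        return True  # root bypasses the check (what "admin users" maps to in the post)
    bits = class_bits(dir_mode, dir_uid, dir_gid, uid, gids)
    if bits & 0o3 != 0o3:  # needs write (2) and search (1) on the directory
        return False
    if dir_mode & stat.S_ISVTX:  # sticky bit: only file owner or directory owner
        return uid in (file_uid, dir_uid)
    return True

# Constructed values (not from the post): uid 2001 is a member of group3 (gid 1003).
GROUP3_GID = 1003
USER_UID, USER_GIDS = 2001, {GROUP3_GID}

def scenarios():
    """Directory root:group3 (owner assumed); target file owned by root, e.g. mode 0600."""
    return {
        "dir 0775": can_unlink(0o775, 0, GROUP3_GID, 0, USER_UID, USER_GIDS),
        "dir 1775 (sticky)": can_unlink(0o1775, 0, GROUP3_GID, 0, USER_UID, USER_GIDS),
        "dir 1775, own file": can_unlink(0o1775, 0, GROUP3_GID, USER_UID, USER_UID, USER_GIDS),
        "dir 0755": can_unlink(0o755, 0, GROUP3_GID, 0, USER_UID, USER_GIDS),
    }

if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:20} group3 user may delete: {allowed}")
```

With the sticky bit set on the directory, group3 members keep the ability to create files there but can only remove their own.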