On Mon, Sep 15, 2008 at 01:57:55PM -0700, Steve Rippl wrote:
> Hi,
>
> We've just put in a Samba fileserver to replace our windows box for our
> School District and it seems to be working great. I have a question
> about defining some specific permissions though. We set up 'Drop boxes'
> for teachers that kids can drag files into, but they don't have read
> permission so they can't read each other's submitted work. Here's what
> it looks like on the fileserver
>
> [EMAIL PROTECTED]:/srv/materials/WHS/VanCleek# getfacl Drop_Box/
> # file: Drop_Box
> # owner: admin
> # group: domain\040admins
> user::rwx
> user:vancleek:rwx
> group::rwx
> group:whs\040student:-wx
> mask::rwx
> other::---
> default:user::rwx
> default:user:vancleek:rwx
> default:group::rwx
> default:group:whs\040student:-wx
> default:mask::rwx
> default:other::---
>
> and the view through windows security tab shows Traverse folder/Create
> Files/Write Attributes/Write Extended Attributes/Read permissions.
> Needless to say this doesn't seem to work! The student account (in the
> right group) is not allowed to drop a file into that folder. If I add
> g:wsd\\whs\ Student:rwx then the student can do anything successfully,
> with -wx nothing?!!
>
> Can anyone help?
Ok, the problem is that students need to be able to read the containing
directory in order to be able to drag and drop new files there. The reason
is that Samba needs to be able to scan the directory on their behalf in
order to do case insensitive lookups.

But so long as you don't mind allowing the students to see the names of
each other's files, you can set up a DropBox so that students can write
into it (and their own files) but not edit or see others' files.

Firstly, you want to make sure that files created in the DropBox directory
are not owned by the student's primary group, but by the group owner of the
DropBox directory. So:

    chgrp teachers DropBox

to make it owned by the teachers group. Then set the setgid bit on the
DropBox directory to make sure that files created within there have an
owning group of teachers.

    chmod g+s DropBox

Then ensure that a file in DropBox can be renamed or deleted only by the
owner of the file, or by the owner of the directory, or by root (same
permissions that /tmp has).

    chmod +t DropBox

Then allow students to write into the directory by adding an ACL:

    setfacl -m g:students:rwx DropBox

So long as the default ACL is set so that "others" have no permissions,
files written by a student into that directory will be owned by themselves
but will have an owning group of "teachers", and students will not be able
to read each other's files.

If you need to cause the files to be owned by the owner of the directory,
not by the students who created them, you need to set up a separate share
as described above, but then add the share level parameter:

    inherit owner = yes

which will cause files created within the directories in that share to be
owned by the containing directory, not the creating owner.

Hope this helps,

Jeremy.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
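The recipe in Jeremy's reply, as an added example script that is not code from the thread or from the Samba project. It applies the four steps (chgrp, setgid, sticky bit, rwx ACL for the student group) together with a default ACL that leaves "other" with nothing, then adds a check function that reports the directory's mode and the student group's ACL entry, which is what would have flagged the "-wx" entry in the original question, and writes the share stanza for the "inherit owner = yes" variant. It assumes Linux with stat -c and id -gn, the acl package for setfacl/getfacl, and plain group names; "teachers", "students", the share name and all paths are placeholders, and the demo at the bottom uses the caller's own primary group in a temporary directory because no real student accounts exist where it runs.

```shell
#!/bin/sh
# Added example (not code from the thread): applies the drop-box recipe
# (chgrp + setgid + sticky bit, an rwx ACL for the student group on the
# directory, a default ACL giving "other" nothing) and checks the result.
# Assumptions: Linux, stat -c / id -gn, the acl package for setfacl/getfacl.
# "teachers", "students" and the paths are placeholders, not real accounts.

# setup_dropbox_mode DIR OWNER_GROUP: group ownership and mode bits.
setup_dropbox_mode() {
    mkdir -p "$1" || return 1
    # New files must get the directory's group (teachers), not the student's
    # primary group: chgrp the directory and set its setgid bit.
    chgrp "$2" "$1" || return 1
    chmod u=rwx,g=rwx,o= "$1" || return 1
    chmod g+s "$1" || return 1
    # Sticky bit: only a file's owner, the directory owner or root may rename
    # or delete it (the rule /tmp uses).
    chmod +t "$1"
}

# setup_dropbox_acl DIR WRITER_GROUP: ACL entries on top of the mode bits.
setup_dropbox_acl() {
    # Students get rwx on the directory itself, because Samba scans the
    # directory on their behalf for case-insensitive lookups; -wx is not enough.
    setfacl -m "g:$2:rwx" "$1" || return 1
    # Default ACL for new files: owner and owning group (teachers) only, no
    # entry for the student group, nothing for "other", so a student can read
    # only the file they created.
    setfacl -d -m "u::rwx,g::rwx,o::---" "$1"
}

setup_dropbox() {   # DIR OWNER_GROUP WRITER_GROUP
    setup_dropbox_mode "$1" "$2" && setup_dropbox_acl "$1" "$3"
}

# dropbox_mode DIR: octal mode; 3770 = setgid (2) + sticky (1) + rwxrwx---.
dropbox_mode() {
    stat -c '%a' "$1"
}

# acl_group_perms DIR GROUP: perms of the named-group ACL entry ("rwx"),
# empty if the entry is absent or getfacl is unavailable.
acl_group_perms() {
    getfacl -p "$1" 2>/dev/null | sed -n "s/^group:$2:\([rwx-]*\).*/\1/p"
}

# dropbox_check DIR WRITER_GROUP: 0 if mode and ACL look right, 1 otherwise.
# This is the check that would have flagged the "-wx" entry in the question.
dropbox_check() {
    mode=$(dropbox_mode "$1")
    [ "$mode" = 3770 ] || { echo "$1: mode $mode, expected 3770" >&2; return 1; }
    perms=$(acl_group_perms "$1" "$2")
    case $perms in
        *r*w*x*) return 0 ;;
        *) echo "$1: group $2 has '$perms', needs rwx" >&2; return 1 ;;
    esac
}

# write_smb_share CONF SHARE DIR: stanza for the variant where files should be
# owned by the directory owner (the teacher) instead of the creating student.
write_smb_share() {
    cat >"$1" <<EOF
[$2]
    path = $3
    read only = no
    inherit owner = yes
EOF
}

# Demo in a throwaway directory. The caller's own primary group stands in for
# both "teachers" and "students" (constructed input; no real accounts here).
demo=$(mktemp -d)
grp=$(id -gn)
if setup_dropbox "$demo/DropBox" "$grp" "$grp"; then
    dropbox_check "$demo/DropBox" "$grp" && echo "DropBox OK: mode $(dropbox_mode "$demo/DropBox")"
else
    echo "setup failed (setfacl missing or filesystem without ACL support?)" >&2
fi
write_smb_share "$demo/smb-dropbox.conf" dropbox "$demo/DropBox"
cat "$demo/smb-dropbox.conf"
rm -rf "$demo"
```

On a real server run it as root with the actual group names (`setup_dropbox /srv/materials/WHS/VanCleek/Drop_Box teachers students`) and then run `dropbox_check` against each drop box; a mode other than 3770 or a student entry without `r` is the misconfiguration to look for. The mode bits do not depend on ACL support, so the first half still applies on a filesystem mounted without it.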