Re: [CentOS] Samba Permissions - Sanity check

2009-02-20 Thread Tim Nelson
> I've always 'enjoyed' the solutions the samba team found for
> interoperability.
> Here's a good reference that provides the juicy details:
>
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html
>
> Makes me shudder just to read it again  . . .
>
> A
> ==
 
Ugh. Well, I did find an 'interesting' paragraph from the page you 
referenced that seems to sum up my problem:

--BEGIN--
Protecting Directories and Files from Deletion
People have asked on the Samba mailing list how is it possible to protect files 
or directories from deletion by users. For example, Windows NT/2K/XP provides 
the capacity to set access controls on a directory into which people can write 
files but not delete them. It is possible to set an ACL on a Windows file that 
permits the file to be written to but not deleted. Such concepts are foreign to 
the UNIX operating system file space. Within the UNIX file system anyone who 
has the ability to create a file can write to it. Anyone who has write 
permission on the directory that contains a file and has write permission for 
it has the capability to delete it.
--END--

--Tim
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


[CentOS] Samba Permissions - Sanity check

2009-02-19 Thread Tim Nelson
Greetings list-

I have a Samba-centric question to ask. I have a particular user who claims 
Samba has the ability to allow users to create/edit/modify existing files of a 
share but NOT delete them. To my knowledge, the aforementioned permissions 
require the user to have write access to the share which *ALSO* gives them the 
ability to delete files as well.

The Samba server is nothing special, simply the latest Samba running on CentOS 
5, ext3 filesystem.

I've been around and around on this topic and I'm just hoping someone can give 
me a little sanity by confirming 'yay or nay' whether this is possible or not.

--Tim


Re: [CentOS] Samba Permissions - Sanity check

2009-02-19 Thread Scott Silva
on 2-19-2009 11:54 AM Tim Nelson spake the following:
> Greetings list-
>
> I have a Samba-centric question to ask. I have a particular user who claims
> Samba has the ability to allow users to create/edit/modify existing files of
> a share but NOT delete them. To my knowledge, the aforementioned permissions
> require the user to have write access to the share which *ALSO* gives them
> the ability to delete files as well.
>
> The Samba server is nothing special, simply the latest Samba running on
> CentOS 5, ext3 filesystem.
>
> I've been around and around on this topic and I'm just hoping someone can
> give me a little sanity by confirming 'yay or nay' whether this is possible
> or not.
>
> --Tim

It is possible that a user can create a file that another user can't delete.
But a user should be able to delete anything he/she created.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't





Re: [CentOS] Samba Permissions - Sanity check

2009-02-19 Thread nate
Tim Nelson wrote:

> I've been around and around on this topic and I'm just hoping someone can
> give me a little sanity by confirming 'yay or nay' whether this is possible
> or not.

It may be possible to prevent them from deleting a file, but if they
have write access it wouldn't be possible from effectively deleting
the file by wiping its contents (truncating it).

nate





Re: [CentOS] Samba Permissions - Sanity check

2009-02-19 Thread MHR
On Thu, Feb 19, 2009 at 12:15 PM, nate cen...@linuxpowered.net wrote:
> Tim Nelson wrote:
>
> > I've been around and around on this topic and I'm just hoping someone can
> > give me a little sanity by confirming 'yay or nay' whether this is possible
> > or not.
>
> It may be possible to prevent them from deleting a file, but if they
> have write access it wouldn't be possible from effectively deleting
> the file by wiping its contents (truncating it).

However, file creation and deletion are functions of the directory
permissions where the file resides.  If a directory allows a user to
write to it, they can create and delete files in that directory with
reckless abandon.

There are probably some intricate ways around this particular problem,
but they can get pretty complicated really fast.

HTH.

mhr


Re: [CentOS] Samba Permissions - Sanity check

2009-02-19 Thread Tim Nelson
- MHR mhullr...@gmail.com wrote:
> On Thu, Feb 19, 2009 at 12:15 PM, nate cen...@linuxpowered.net wrote:
> > Tim Nelson wrote:
> >
> > > I've been around and around on this topic and I'm just hoping someone can
> > > give me a little sanity by confirming 'yay or nay' whether this is possible
> > > or not.
> >
> > It may be possible to prevent them from deleting a file, but if they
> > have write access it wouldn't be possible from effectively deleting
> > the file by wiping its contents (truncating it).
>
> However, file creation and deletion are functions of the directory
> permissions where the file resides.  If a directory allows a user to
> write to it, they can create and delete files in that directory with
> reckless abandon.
>
> There are probably some intricate ways around this particular problem,
> but they can get pretty complicated really fast.
>
> HTH.
>
> mhr

I've been trying to devise a way around this problem and as you mentioned, it 
gets extremely complicated quickly. It's even more complicated than allowing 
users to delete files and restoring the file from a backup set. Well, at least 
I don't feel I'm going insane anymore (for now...).

Thank you to all who responded.

--Tim


Re: [CentOS] Samba Permissions - Sanity check

2009-02-19 Thread Scott Silva
on 2-19-2009 1:31 PM Tim Nelson spake the following:
> - MHR mhullr...@gmail.com wrote:
> > On Thu, Feb 19, 2009 at 12:15 PM, nate centos-T6AQWPvKiI1cRAk/vaj...@public.gmane.org wrote:
> > > Tim Nelson wrote:
> > >
> > > > I've been around and around on this topic and I'm just hoping someone can
> > > > give me a little sanity by confirming 'yay or nay' whether this is possible
> > > > or not.
> > >
> > > It may be possible to prevent them from deleting a file, but if they
> > > have write access it wouldn't be possible from effectively deleting
> > > the file by wiping its contents (truncating it).
> >
> > However, file creation and deletion are functions of the directory
> > permissions where the file resides.  If a directory allows a user to
> > write to it, they can create and delete files in that directory with
> > reckless abandon.
> >
> > There are probably some intricate ways around this particular problem,
> > but they can get pretty complicated really fast.
> >
> > HTH.
> >
> > mhr
>
> I've been trying to devise a way around this problem and as you mentioned, it
> gets extremely complicated quickly. It's even more complicated than allowing
> users to delete files and restoring the file from a backup set. Well, at
> least I don't feel I'm going insane anymore (for now...).
>
> Thank you to all who responded.
>
> --Tim

I have enabled the recycle bin vfs object on my systems. That way a user has
to really try and delete a file to make it go away. Like windows, they would
have to delete it, go look in the recycle bin (that you can hide) and delete
it again.
It has saved me many hours of recovering stuff.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't





Re: [CentOS] Samba Permissions - Sanity check

2009-02-19 Thread Tim Nelson
- Scott Silva ssi...@sgvwater.com wrote:
> on 2-19-2009 1:31 PM Tim Nelson spake the following:
> > - MHR mhullr...@gmail.com wrote:
> > > On Thu, Feb 19, 2009 at 12:15 PM, nate centos-T6AQWPvKiI1cRAk/vaj...@public.gmane.org wrote:
> > > > Tim Nelson wrote:
> > > >
> > > > > I've been around and around on this topic and I'm just hoping someone can
> > > > > give me a little sanity by confirming 'yay or nay' whether this is possible
> > > > > or not.
> > > >
> > > > It may be possible to prevent them from deleting a file, but if they
> > > > have write access it wouldn't be possible from effectively deleting
> > > > the file by wiping its contents (truncating it).
> > >
> > > However, file creation and deletion are functions of the directory
> > > permissions where the file resides.  If a directory allows a user to
> > > write to it, they can create and delete files in that directory with
> > > reckless abandon.
> > >
> > > There are probably some intricate ways around this particular problem,
> > > but they can get pretty complicated really fast.
> > >
> > > HTH.
> > >
> > > mhr
> >
> > I've been trying to devise a way around this problem and as you mentioned, it
> > gets extremely complicated quickly. It's even more complicated than allowing
> > users to delete files and restoring the file from a backup set. Well, at
> > least I don't feel I'm going insane anymore (for now...).
> >
> > Thank you to all who responded.
> >
> > --Tim
>
> I have enabled the recycle bin vfs object on my systems. That way a user has
> to really try and delete a file to make it go away. Like windows, they would
> have to delete it, go look in the recycle bin (that you can hide) and delete
> it again.
> It has saved me many hours of recovering stuff.

Ooo! This may indeed be a partial solution. 'Administrators' could have 
access to the Recycle Bin to restore deleted items where 'users' would not have 
access. Interesting...

--Tim


Re: [CentOS] Samba Permissions - Sanity check

2009-02-19 Thread Scott Silva
on 2-19-2009 1:53 PM Tim Nelson spake the following:
> - Scott Silva ssi...@sgvwater.com wrote:
> > on 2-19-2009 1:31 PM Tim Nelson spake the following:
> > > - MHR mhullr...@gmail.com wrote:
> > > > On Thu, Feb 19, 2009 at 12:15 PM, nate centos-T6AQWPvKiI1cRAk/vaj...@public.gmane.org wrote:
> > > > > Tim Nelson wrote:
> > > > >
> > > > > > I've been around and around on this topic and I'm just hoping someone can
> > > > > > give me a little sanity by confirming 'yay or nay' whether this is possible
> > > > > > or not.
> > > > >
> > > > > It may be possible to prevent them from deleting a file, but if they
> > > > > have write access it wouldn't be possible from effectively deleting
> > > > > the file by wiping its contents (truncating it).
> > > >
> > > > However, file creation and deletion are functions of the directory
> > > > permissions where the file resides.  If a directory allows a user to
> > > > write to it, they can create and delete files in that directory with
> > > > reckless abandon.
> > > >
> > > > There are probably some intricate ways around this particular problem,
> > > > but they can get pretty complicated really fast.
> > > >
> > > > HTH.
> > > >
> > > > mhr
> > >
> > > I've been trying to devise a way around this problem and as you mentioned, it
> > > gets extremely complicated quickly. It's even more complicated than allowing
> > > users to delete files and restoring the file from a backup set. Well, at
> > > least I don't feel I'm going insane anymore (for now...).
> > >
> > > Thank you to all who responded.
> > >
> > > --Tim
> >
> > I have enabled the recycle bin vfs object on my systems. That way a user has
> > to really try and delete a file to make it go away. Like windows, they would
> > have to delete it, go look in the recycle bin (that you can hide) and delete
> > it again.
> > It has saved me many hours of recovering stuff.
>
> Ooo! This may indeed be a partial solution. 'Administrators' could have
> access to the Recycle Bin to restore deleted items where 'users' would not
> have access. Interesting...
>
> --Tim

And you can also set it to keep versions of deleted files.
Pretty cool!
But beware of most of the docs on the internet that mention creating a
recycle.conf file. That option has been broken for some time, and you need
to put all the definitions into smb.conf directly.

Check the last post on this page for the syntax;

http://ubuntuforums.org/showthread.php?t=155763&page=2



-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't





Re: [CentOS] Samba Permissions - Sanity check

2009-02-19 Thread Alex H. Vandenham
On Thursday 19 February 2009 04:29:03 pm MHR wrote:
> On Thu, Feb 19, 2009 at 12:15 PM, nate cen...@linuxpowered.net wrote:
> > Tim Nelson wrote:
> > > I've been around and around on this topic and I'm just hoping someone
> > > can give me a little sanity by confirming 'yay or nay' whether this is
> > > possible or not.
> >
> > It may be possible to prevent them from deleting a file, but if they
> > have write access it wouldn't be possible from effectively deleting
> > the file by wiping its contents (truncating it).
>
> However, file creation and deletion are functions of the directory
> permissions where the file resides.  If a directory allows a user to
> write to it, they can create and delete files in that directory with
> reckless abandon.
>
> There are probably some intricate ways around this particular problem,
> but they can get pretty complicated really fast.

I've always 'enjoyed' the solutions the samba team found for interoperability.  
Here's a good reference that provides the juicy details:

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html

Makes me shudder just to read it again  . . . 

A
==


> HTH.
>
> mhr


Re: [CentOS] Samba Permissions - Sanity check

2009-02-19 Thread Kai Schaetzl
Tim Nelson wrote on Thu, 19 Feb 2009 13:54:41 -0600 (CST):

> I have a particular user who
> claims Samba has the ability to allow users to create/edit/modify
> existing files of a share but NOT delete them.

Not samba-specific. The sticky bit could help in this if I recall right.
If you regularly reown the files to root, users will still be able to
create and edit, but not delete (unless in the short time until next
reown). There might also be extended ACL that could do that. And setgid
might be able to help in this mix as well.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
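
The rule the thread converges on (deletion is decided by the directory, editing by the file, and the sticky bit adds an ownership test) is shown here as an added example that is not part of any poster's message: a simplified Python model of the classic UNIX mode-bit checks. The uids, gid and modes are constructed for illustration, and POSIX ACLs, capabilities and the immutable attribute are deliberately ignored.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    """Owner, group and mode of a file or directory (constructed values, not a real stat)."""
    uid: int
    gid: int
    mode: int

def _granted(node, uid, gids, want):
    """Owner/group/other check for the rwx mask `want`; root (uid 0) bypasses it."""
    if uid == 0:
        return True
    if uid == node.uid:
        bits = node.mode >> 6
    elif node.gid in gids:
        bits = node.mode >> 3
    else:
        bits = node.mode
    return (bits & want) == want

def can_write(file, uid, gids):
    """Editing (and truncating to zero bytes) depends on the file's own write bit."""
    return _granted(file, uid, gids, 0o2)

def can_unlink(directory, file, uid, gids):
    """Deleting needs write+search on the directory; the file's mode is never consulted."""
    if not _granted(directory, uid, gids, 0o3):
        return False
    if directory.mode & stat.S_ISVTX and uid != 0:
        # Sticky bit: only the file's owner or the directory's owner may remove the entry.
        return uid in (file.uid, directory.uid)
    return True

# Constructed share: root-owned directory, group 500; alice=1001 and bob=1002 are both members.
GROUP = {500}
PLAIN = Node(0, 500, 0o2770)    # setgid, group-writable
STICKY = Node(0, 500, 0o3770)   # same, plus the sticky bit
ALICE_FILE = Node(1001, 500, 0o660)
REOWNED = Node(0, 500, 0o660)   # the same file after a periodic chown to root

if __name__ == "__main__":
    for label, d, f in [("plain", PLAIN, ALICE_FILE), ("sticky", STICKY, ALICE_FILE),
                        ("sticky+reowned", STICKY, REOWNED)]:
        for name, uid in [("alice", 1001), ("bob", 1002)]:
            print(label, name, "write:", can_write(f, uid, GROUP),
                  "delete:", can_unlink(d, f, uid, GROUP))
```

In the reowned case alice can no longer delete the file but `can_write` is still true, which is the truncation caveat raised earlier in the thread.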


