On Wed, Aug 27, 2008 at 1:07 PM, Roger Searle <[EMAIL PROTECTED]> wrote:
> Nick Rout wrote:
>>
>> On Wed, Aug 27, 2008 at 10:28 AM, Roger Searle <[EMAIL PROTECTED]>
>> wrote:
>>
>>>
>>> Hi, subject line is what I originally thought was going on. I have a
>>> hardy machine sharing a couple of folders via samba. Various users
>>> assigned to various groups, ownership and permissions set up and
>>> working well, for example:
>>>
>>> [EMAIL PROTECTED]:~/documents$ ls -l | grep pay
>>> drwxrwx--- 6 roger management 4096 2008-08-20 11:31 payroll
>>>
>>> and as expected roger and members of the management group have
>>> read/write access to the payroll folder, and others get "permission
>>> denied". Good. Except, I have found that from 2 XP workstations, 2
>>> different users (1 per workstation) are able to connect to the entire
>>> share appearing to disregard this, the logged on username is NOT
>>> roger, nor is the user in the management group, yet has full access
>>> to that particular folder. Bit of a worry, definitely not what I was
>>> expecting...
>>>
>>
>> Are they in the coordinators group?
>>
>> valid users = roger, @coordinators, @management
>>
>
> No, they are not in the coordinators group. Anyway, given that "valid
> users" is a general share definition, I would expect all members of the
> coordinators group (were that the only group they are in) to be denied
> access to that folder based on the permissions being 770. And that is
> indeed the case for the members of that group.
>>
>> <snip>
>> Anyway, back to the problem in hand. After checking the coordinators
>> group, consider this scenario, bearing in mind that I don't fully
>> understand windows in that its results in this area seem to be
>> inconsistent (and may vary between versions, including between xp home
>> and pro).
>>
>> If roger goes and sits at another user's (let's call him ben) xp
>> machine which is logged in as ben, and wants to access the [data]
>> share on \\hardy, he might go to "my network drives" and add the
>> share, intending it to only be a temporary measure while he needs to
>> test something. As part of this he authorises himself on \\hardy\data
>> as roger/roger's password. This will work, and so it should.
>>
>> But how long does this authorisation stick around? Can ben go back
>> later and still access \\hardy\data ? In some cases these "network
>> places" seem to stick around a while.
>>
>> Sorry I am not really answering the question, merely raising a possibility.
>>
>>
>
> Indeed that is exactly the situation. And I too have been considering that
> exact issue but do not have good answers at this point. I appreciate that
> really it is an issue with the way Windows is authenticating and so not
> strictly relevant on this list. It is though at least as relevant as other
> questions posed from time to time, since it relates to a Hardy box. I could
> always work around the issue on those XP workstations by modifying/creating
> user accounts but am first examining from the linux side. I am only talking
> about 2 user accounts on 2 computers, but it's the principle I'm interested
> in understanding. And I may not want them looking in my own private folder,
> which currently they would be able to do!
>

Well, if you did what I described you gave the other user (ben in my
example) your password, so you shouldn't be surprised if he can access
your data.

> It's clear that while samba is simple to set up and configure it can also be
> complex and highly configurable so am looking for input from the experienced
> eyes of this list.
> Roger
>
>

If it is as we surmise, then it's nothing to do with samba and everything
to do with the windows client (and you giving away your password :-) )
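
A server-side check for the scenario discussed in this thread, as an added example that is not part of the original messages: it reads a session table and flags any workstation whose Samba session is authenticated as an account other than the person who normally uses that machine. The sample rows are constructed and laid out like the session table of `smbstatus -b`; the workstation names, addresses and the `WORKSTATION_OWNER` inventory are hypothetical.

```python
import re

# Constructed sample, laid out like the session table printed by `smbstatus -b`
# (PID, Username, Group, Machine). Host names and addresses are hypothetical.
SAMPLE = """\
PID     Username      Group         Machine
-------------------------------------------------------------------
 5121   roger         roger         xp-roger     (192.168.1.20)
 5187   roger         roger         xp-ben       (192.168.1.21)
 5190   ben           ben           xp-ben       (192.168.1.21)
 5233   anne          anne          xp-anne      (192.168.1.22)
"""

# Hypothetical inventory: which account normally sits at which workstation.
WORKSTATION_OWNER = {"xp-roger": "roger", "xp-ben": "ben", "xp-anne": "anne"}

# pid, username, group, machine name, then the client address in parentheses.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\(([^)]+)\)\s*$")

def parse_sessions(text):
    """Return one dict per session row; header and separator lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            pid, user, group, machine, addr = m.groups()
            sessions.append({"pid": int(pid), "user": user, "group": group,
                             "machine": machine.lower(), "addr": addr})
    return sessions

def mismatched_sessions(sessions, owners):
    """Sessions whose authenticated Samba user is not the workstation's usual user."""
    flagged = []
    for s in sessions:
        expected = owners.get(s["machine"])
        # Unknown machines are flagged too: nobody is expected there.
        if expected is None or s["user"] != expected:
            flagged.append((s["machine"], s["user"], expected, s["pid"]))
    return flagged

if __name__ == "__main__":
    for machine, user, expected, pid in mismatched_sessions(
            parse_sessions(SAMPLE), WORKSTATION_OWNER):
        print(f"{machine}: pid {pid} authenticated as {user!r}, expected {expected!r}")
```

A flagged row such as roger's session from ben's machine points at credentials left behind on the client; there, `net use` lists the remembered connections and `net use \\hardy\data /delete` drops the one to the share.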
