On Wed, Jan 28, 2009 at 2:03 PM, Ryan Stille <[email protected]> wrote:
> ...I was forcing the group "nobody" because I need files that are created
> through the samba share to be editable by the web server.

For this purpose, I would use the "www-data" group or something similar. The "nobody" group, in my mind, should not be able to do much of anything, but perhaps that's a matter of preference.

> Would you suggest just adding "nobody" to the "users" group?

This wouldn't help you. You are forcing samba to use the group "nobody", but the files are not owned by the group "nobody". When forcing the user and group, you need to 1) make the forced user match the owner of the files or 2) make the forced group match the group that owns the files. Otherwise, your authenticated user only has access to the world permissions because he/she is not the owner or group that corresponds with the files in question.

I would suggest thinking about the following:

1. Who should own the files? This is currently "root". You don't want Samba to use the root account (for security reasons), so you cannot use the owner permissions on the files and directories to determine what an authenticated Samba user can or can't do. If you find that another owner would make sense, then you can chown the files and make the "force user" directive match.

2. What group should own the files? It sounds like you need a group that both the authenticated Samba user and the web server user are a part of. I personally would not use "nobody", and even the "users" group has fairly widespread permissions for my taste. I prefer a web server operating under the "www-data" group, so I would chgrp the files and directories within the share to this account and use the "force group = www-data" directive to allow the authenticated Samba user to perform operations on this share using the filesystem group permissions.

-Kyle
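
The owner/group/world reasoning in the reply above, as an added example that is not part of the original message: a small Python audit that reports which permission class applies to a forced Samba identity and which entries under a share path it cannot modify. The function names, the numeric ids in the demo and the share contents are assumptions made for illustration; only classic Unix mode bits are modeled.

```python
import os
import stat

def effective_class(file_uid, file_gid, mode, conn_uid, conn_gids):
    """Pick the permission triad the kernel checks for this identity.

    Classic mode bits only: ACLs, root's override and Samba's own share
    settings (read only, create mask, ...) are not modeled.
    """
    if conn_uid == file_uid:
        cls, bits = "owner", (mode >> 6) & 7
    elif file_gid in conn_gids:
        cls, bits = "group", (mode >> 3) & 7
    else:
        cls, bits = "other", mode & 7
    perms = "".join(c if bits & b else "-" for c, b in zip("rwx", (4, 2, 1)))
    return cls, perms

def audit_share(root, conn_uid, conn_gids):
    """Return (path, class, perms) for entries the identity cannot modify.

    conn_uid is the uid of the connecting or "force user" account;
    conn_gids holds the "force group" gid plus any supplementary gids.
    """
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are not used for access checks
            # Creating files in a directory needs write and search (x).
            need = "wx" if stat.S_ISDIR(st.st_mode) else "w"
            cls, perms = effective_class(
                st.st_uid, st.st_gid, st.st_mode, conn_uid, conn_gids)
            if any(c not in perms for c in need):
                findings.append((path, cls, perms))
    return findings

if __name__ == "__main__":
    # Constructed ids: root=0, samba user=1000, nobody=65534, www-data=33.
    # File root:root mode 0664 with "force group = nobody": world bits apply.
    print(effective_class(0, 0, 0o664, 1000, {65534}))
    # After chgrp to www-data and "force group = www-data": group bits apply.
    print(effective_class(0, 33, 0o664, 1000, {33}))
```

Calling `audit_share` on the share path with the uid and gids the connection will run under lists every file and directory where the chosen "force user" or "force group" still falls through to a class without write access.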
