Re: [Samba] sticky bit, etc.
Problem is, with standard unix permissions, renaming a file is a matter of writing to the directory. You can have a file owned by root:root and chmodded to 000, and any non-privileged user would still be able to rename that file if they had write access to the directory.

If a user has enough access to create a file in the directory, they have enough access to rename files in that directory... for more fine-tuning you need to bring ACLs into the mix.

~ Daniel

[EMAIL PROTECTED] wrote:
> jef dodson wrote:
>> OK, that works to disallow non-owners from renaming the file, but what I would like to do is disallow EVERYONE (including the owner of the file) from editing, moving, or changing the filename once it is created. The only person who should be able to make those changes is a special user. Any ideas about how to accomplish that? Thanks.
>
> Yeah, I realized that after I pressed Enter...
> To me it looks like it can be done with ACLs only.
> Or you can try postexec or cron script that will change ownership on the files.
> Looks kinda ugly, but it should work.
>
>> --- Yura Pismerov [EMAIL PROTECTED] wrote:
>>> Yura Pismerov wrote:
>>>> jef dodson wrote:
>>>>> I have a question about samba and sticky bits. I have a share with the following configuration:
>>>>>
>>>>> [documents]
>>>>>    comment = documents
>>>>>    path = /shares/documents
>>>>>    public = no
>>>>>    writeable = yes
>>>>>    printable = no
>>>>>    valid users = @lan1
>>>>>    force user = docadmin
>>>> ^^^
>>>> That is why. No matter what username is, it will be forced to docadmin, so the sticky bit does not make much sense since the user who is manipulating the file is the owner of the file from the OS point of view.
>>>> To achieve what you want you need to remove "force user".
>>>
>>> Yeah, and create mode should be 0640 in this case.
>>>
>>>>>    force group = lan1
>>>>>    create mode = 0440
>>>>>    force create mode = 0440
>>>>>    directory mode = 1770
>>>>>    force directory mode = 1770
>>>>>    delete read only = no
>>>>>
>>>>> I also have the sticky bit set on /shares/documents.
>>>>>
>>>>> Now, when I drop the file 'test.txt' in the directory, it has the following permissions:
>>>>>
>>>>> -r--r----- 1 docadmin lan1 4 Oct 29 17:45 test.txt
>>>>>
>>>>> Now, when I login to the server via ssh as jdodson, the sticky bit on the directory prevents me from renaming the test.txt file. However, when I login to the server from windows as jdodson, I can change the filename and move the file to another directory. So, it seems that samba is ignoring the sticky bit on the /shares/documents directory.
>>>>>
>>>>> The ultimate goal for the behavior of the directory is this: when someone drops a file in the directory or subdirectory, it becomes read-only so that it can't be edited, moved, or renamed by anyone except for a special user with admin privileges.

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] sticky bit, etc.
jef dodson wrote:
> I have a question about samba and sticky bits. I have a share with the following configuration:
>
> [documents]
>    comment = documents
>    path = /shares/documents
>    public = no
>    writeable = yes
>    printable = no
>    valid users = lan1
>    force user = docadmin

^^^
That is why. No matter what username is, it will be forced to docadmin, so the sticky bit does not make much sense since the user who is manipulating the file is the owner of the file from the OS point of view.
To achieve what you want you need to remove force user.

>    force group = lan1
>    create mode = 0440
>    force create mode = 0440
>    directory mode = 1770
>    force directory mode = 1770
>    delete read only = no
>
> I also have the sticky bit set on /shares/documents.
>
> Now, when I drop the file 'test.txt' in the directory, it has the following permissions:
>
> -r--r----- 1 docadmin lan1 4 Oct 29 17:45 test.txt
>
> Now, when I login to the server via ssh as jdodson, the sticky bit on the directory prevents me from renaming the test.txt file. However, when I login to the server from windows as jdodson, I can change the filename and move the file to another directory. So, it seems that samba is ignoring the sticky bit on the /shares/documents directory.
>
> The ultimate goal for the behavior of the directory is this: when someone drops a file in the directory or subdirectory, it becomes read-only so that it can't be edited, moved, or renamed by anyone except for a special user with admin privileges.
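Added example, not part of the original thread: a simplified Python model of the two points made in the replies, namely that permission to rename comes from the directory (plus the sticky-bit ownership test) rather than from the file's mode, and that `force user` changes which account the server acts as. The directory owner (root), the data classes and the function names are assumptions made for the example; ACLs and capabilities other than root are ignored.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset

@dataclass(frozen=True)
class Node:
    owner: str
    group: str
    mode: int  # permission bits, including the sticky bit

def can_write_dir(user, d):
    """Owner/group/other check for write+search permission on a directory."""
    if user.name == "root":
        return True
    if user.name == d.owner:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif d.group in user.groups:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return d.mode & need == need

def may_rename(user, d, f):
    """Rename rule: directory write access, then the sticky-bit ownership test.
    The mode bits of the file itself are never consulted."""
    if not can_write_dir(user, d):
        return False
    if d.mode & stat.S_ISVTX and user.name != "root":
        return user.name in (f.owner, d.owner)
    return True

def smb_actor(client, force_user, users):
    """With 'force user' set, file operations run as that account."""
    return users[force_user] if force_user else users[client]

# Constructed accounts and objects mirroring the thread.
USERS = {n: User(n, frozenset({"lan1"})) for n in ("jdodson", "docadmin")}
SHARE_DIR = Node("root", "lan1", 0o1770)   # directory owner is an assumption
TEST_TXT = Node("docadmin", "lan1", 0o440)

def scenarios():
    j = USERS["jdodson"]
    return {
        "ssh": may_rename(j, SHARE_DIR, TEST_TXT),
        "smb_forced": may_rename(smb_actor("jdodson", "docadmin", USERS), SHARE_DIR, TEST_TXT),
        "smb_plain": may_rename(smb_actor("jdodson", None, USERS), SHARE_DIR, TEST_TXT),
        "mode000_no_sticky": may_rename(j, Node("root", "lan1", 0o770), Node("root", "root", 0o000)),
    }

if __name__ == "__main__":
    print(scenarios())
```
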
Re: [Samba] sticky bit, etc.
Yura Pismerov wrote:
> jef dodson wrote:
>> I have a question about samba and sticky bits. I have a share with the following configuration:
>>
>> [documents]
>>    comment = documents
>>    path = /shares/documents
>>    public = no
>>    writeable = yes
>>    printable = no
>>    valid users = lan1
>>    force user = docadmin
> ^^^
> That is why. No matter what username is, it will be forced to docadmin, so the sticky bit does not make much sense since the user who is manipulating the file is the owner of the file from the OS point of view.
> To achieve what you want you need to remove force user.

Yeah, and create mode should be 0640 in this case.

>>    force group = lan1
>>    create mode = 0440
>>    force create mode = 0440
>>    directory mode = 1770
>>    force directory mode = 1770
>>    delete read only = no
>>
>> I also have the sticky bit set on /shares/documents.
>>
>> Now, when I drop the file 'test.txt' in the directory, it has the following permissions:
>>
>> -r--r----- 1 docadmin lan1 4 Oct 29 17:45 test.txt
>>
>> Now, when I login to the server via ssh as jdodson, the sticky bit on the directory prevents me from renaming the test.txt file. However, when I login to the server from windows as jdodson, I can change the filename and move the file to another directory. So, it seems that samba is ignoring the sticky bit on the /shares/documents directory.
>>
>> The ultimate goal for the behavior of the directory is this: when someone drops a file in the directory or subdirectory, it becomes read-only so that it can't be edited, moved, or renamed by anyone except for a special user with admin privileges.
Re: [Samba] sticky bit, etc.
OK, that works to disallow non-owners from renaming the file, but what I would like to do is disallow EVERYONE (including the owner of the file) from editing, moving, or changing the filename once it is created. The only person who should be able to make those changes is a special user. Any ideas about how to accomplish that? Thanks.

--- Yura Pismerov [EMAIL PROTECTED] wrote:
> Yura Pismerov wrote:
>> jef dodson wrote:
>>> I have a question about samba and sticky bits. I have a share with the following configuration:
>>>
>>> [documents]
>>>    comment = documents
>>>    path = /shares/documents
>>>    public = no
>>>    writeable = yes
>>>    printable = no
>>>    valid users = @lan1
>>>    force user = docadmin
>> ^^^
>> That is why. No matter what username is, it will be forced to docadmin, so the sticky bit does not make much sense since the user who is manipulating the file is the owner of the file from the OS point of view.
>> To achieve what you want you need to remove force user.
>
> Yeah, and create mode should be 0640 in this case.
>
>>>    force group = lan1
>>>    create mode = 0440
>>>    force create mode = 0440
>>>    directory mode = 1770
>>>    force directory mode = 1770
>>>    delete read only = no
>>>
>>> I also have the sticky bit set on /shares/documents.
>>>
>>> Now, when I drop the file 'test.txt' in the directory, it has the following permissions:
>>>
>>> -r--r----- 1 docadmin lan1 4 Oct 29 17:45 test.txt
>>>
>>> Now, when I login to the server via ssh as jdodson, the sticky bit on the directory prevents me from renaming the test.txt file. However, when I login to the server from windows as jdodson, I can change the filename and move the file to another directory. So, it seems that samba is ignoring the sticky bit on the /shares/documents directory.
>>>
>>> The ultimate goal for the behavior of the directory is this: when someone drops a file in the directory or subdirectory, it becomes read-only so that it can't be edited, moved, or renamed by anyone except for a special user with admin privileges.
Re: [Samba] sticky bit, etc.
jef dodson wrote:
> OK, that works to disallow non-owners from renaming the file, but what I would like to do is disallow EVERYONE (including the owner of the file) from editing, moving, or changing the filename once it is created. The only person who should be able to make those changes is a special user. Any ideas about how to accomplish that? Thanks.

Yeah, I realized that after I pressed Enter...
To me it looks like it can be done with ACLs only.
Or you can try postexec or cron script that will change ownership on the files.
Looks kinda ugly, but it should work.

> --- Yura Pismerov [EMAIL PROTECTED] wrote:
>> Yura Pismerov wrote:
>>> jef dodson wrote:
>>>> I have a question about samba and sticky bits. I have a share with the following configuration:
>>>>
>>>> [documents]
>>>>    comment = documents
>>>>    path = /shares/documents
>>>>    public = no
>>>>    writeable = yes
>>>>    printable = no
>>>>    valid users = @lan1
>>>>    force user = docadmin
>>> ^^^
>>> That is why. No matter what username is, it will be forced to docadmin, so the sticky bit does not make much sense since the user who is manipulating the file is the owner of the file from the OS point of view.
>>> To achieve what you want you need to remove force user.
>>
>> Yeah, and create mode should be 0640 in this case.
>>
>>>>    force group = lan1
>>>>    create mode = 0440
>>>>    force create mode = 0440
>>>>    directory mode = 1770
>>>>    force directory mode = 1770
>>>>    delete read only = no
>>>>
>>>> I also have the sticky bit set on /shares/documents.
>>>>
>>>> Now, when I drop the file 'test.txt' in the directory, it has the following permissions:
>>>>
>>>> -r--r----- 1 docadmin lan1 4 Oct 29 17:45 test.txt
>>>>
>>>> Now, when I login to the server via ssh as jdodson, the sticky bit on the directory prevents me from renaming the test.txt file. However, when I login to the server from windows as jdodson, I can change the filename and move the file to another directory. So, it seems that samba is ignoring the sticky bit on the /shares/documents directory.
>>>>
>>>> The ultimate goal for the behavior of the directory is this: when someone drops a file in the directory or subdirectory, it becomes read-only so that it can't be edited, moved, or renamed by anyone except for a special user with admin privileges.