Geek Pop Quiz, Even More Recent Samba Edition!

[theweaselking]

Really stupid question.

I have a number of samba shares.
These shares have a number of folders.
I want users to be allowed to do anything they want *inside* the folders, but not be able to move, delete, or rename the existing folders, and not create new folders.

This has to be a file permissions thing on the back end. What's the magic spell I'm looking for with chmod/chgrp so that users can create things INSIDE the folders but not touch the folders themselves?

Comments

[anivair.livejournal.com]

I'm not sure (and I'm thinking) but in the meantime, you could put a blank empty file in these folders that they have no permissions on. At least them they can't delete the folders while you're thinking.

[theweaselking.livejournal.com]

Wouldn't work. Renaming a folder can be done even with files they can't touch inside it.

However, the magic spell I was looking for was "make sure the user/group that Samba is forcing doesn't have write permission on the parent directory".

As long as the script to create directories runs itself as a user who DOES have write permissions to the parent and then sets the child correctly, it's good.

[anivair.livejournal.com]

I always thought that they needed write permissions on the directory to create files in it. is that not the case? That would totally change my perception of samba.

[theweaselking.livejournal.com]

Write permissions on the directory let you create files.

But I deny them write on the *parent*.

/parent/child/files

They have Write on the child, so they can change/delete files.
They don't have Write on the Parent, so they can't rename/delete the child.

The main issue was just making the user/group that Samba is forcing to lose write on the parent.

[anivair.livejournal.com]

Oh! Sorry, I was misunderstanding which directory you were talking about! I really should have thought of that.

sudebar: 3 new servers arrived at work today. they had the wrong power supply, so they could not be plugged in. They also had no screws or connectors to help anyone put them into our rack, despite the install being a service we paid for. The company that brought them had 2 months to get them ready and still ignored these "minor" details. It's really only tangentially related, but I didn't want to write a whole post about it. Complaining to one nerd will do.

[calysto.livejournal.com]

a chmod of drwxr-xr-x (chmod 755 foldername) gives users permission to enter a directory (folder) and view the contents within but not add or delete anything inside the directory.

a chmod of drwxrwxrwx (777) lets users rape and pillage inside of that directory til their hearts content.

But the permission to change a directory's own properties are controlled by the permissions on the preceding directory.


So if I had a file structure of /watermelon/grapefruit/ and wanted users to be able to do whatever they want inside grapefruit/ but not change grapefruit itself, I would chmod /watermelon/grapefruit to 777 and then chmod /watermelon to 755 in order to keep people from molesting the grapefruit folder itself.

People would be able to create folders behind grapefruit but not inside watermelon

then use ls -l to view the long directory listing and verify the permissions

[theweaselking.livejournal.com]

"force the samba user to be someone who doesn't have Write on the parent" is exactly what I was looking for, thanks.