Greetings list-
I have a Samba-centric question to ask. I have a particular user who claims Samba has the ability to allow users to create/edit/modify existing files of a share but NOT delete them. To my knowledge, the aforementioned permissions require the user to have write access to the share which *ALSO* gives them the ability to delete files as well.
The Samba server is nothing special, simply the latest Samba running on CentOS 5, ext3 filesystem.
I've been around and around on this topic and I'm just hoping someone can give me a little sanity by confirming 'yay or nay' whether this is possible or not.
--Tim
on 2-19-2009 11:54 AM Tim Nelson spake the following:
> Greetings list-
> I have a Samba-centric question to ask. I have a particular user who claims Samba has the ability to allow users to create/edit/modify existing files of a share but NOT delete them. To my knowledge, the aforementioned permissions require the user to have write access to the share which *ALSO* gives them the ability to delete files as well.
> The Samba server is nothing special, simply the latest Samba running on CentOS 5, ext3 filesystem.
> I've been around and around on this topic and I'm just hoping someone can give me a little sanity by confirming 'yay or nay' whether this is possible or not.
> --Tim
It is possible that a user can create a file that another user can't delete. But a user should be able to delete anything he/she created.
Tim Nelson wrote:
> I've been around and around on this topic and I'm just hoping someone can give me a little sanity by confirming 'yay or nay' whether this is possible or not.
It may be possible to prevent them from deleting a file, but if they have write access it wouldn't be possible to prevent them from effectively deleting the file by wiping its contents (truncating it).
nate
On Thu, Feb 19, 2009 at 12:15 PM, nate centos@linuxpowered.net wrote:
> Tim Nelson wrote:
>> I've been around and around on this topic and I'm just hoping someone can give me a little sanity by confirming 'yay or nay' whether this is possible or not.
> It may be possible to prevent them from deleting a file, but if they have write access it wouldn't be possible to prevent them from effectively deleting the file by wiping its contents (truncating it).
However, file creation and deletion are functions of the directory permissions where the file resides. If a directory allows a user to write to it, they can create and delete files in that directory with reckless abandon.
There are probably some intricate ways around this particular problem, but they can get pretty complicated really fast.
HTH.
mhr
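An added example (not part of the original thread) that checks both points above on a scratch directory: deletion is decided by the directory's write permission, and write access to a file is enough to empty it. It must run as an unprivileged user; the directory and file names are constructed for the illustration, and the same kernel checks apply to a Samba client because smbd performs file operations under the connected user's UNIX identity.

```shell
#!/bin/sh
# Added illustration; every path below is a constructed scratch location.

# try CMD...: report whether the kernel allowed or denied the operation.
try() { if "$@" 2>/dev/null; then echo allowed; else echo denied; fi; }

perm_demo() {
    # root bypasses permission checks, so the result would be meaningless.
    if [ "$(id -u)" -eq 0 ]; then
        echo "skipped: root bypasses permission checks"
        return 0
    fi
    d=$(mktemp -d) || return 1

    # Case 1: read-only file inside a directory the user can write to.
    mkdir "$d/open"
    echo data > "$d/open/report.txt"
    chmod 0444 "$d/open/report.txt"
    c1_write=$(try sh -c ': >> "$1"' sh "$d/open/report.txt")
    c1_delete=$(try rm -f "$d/open/report.txt")

    # Case 2: writable file inside a directory without write permission.
    mkdir "$d/locked"
    echo data > "$d/locked/report.txt"
    chmod 0555 "$d/locked"
    c2_create=$(try sh -c ': > "$1"' sh "$d/locked/new.txt")
    c2_delete=$(try rm -f "$d/locked/report.txt")
    c2_trunc=$(try sh -c ': > "$1"' sh "$d/locked/report.txt")
    c2_size=$(wc -c < "$d/locked/report.txt" | tr -d ' ')

    # Restore write permission so the scratch tree can be cleaned up.
    chmod 0755 "$d/locked"
    rm -rf "$d"
    echo "case1 write=$c1_write delete=$c1_delete;" \
         "case2 create=$c2_create delete=$c2_delete truncate=$c2_trunc size=$c2_size"
}

perm_demo
```

Case 2 is the closest plain UNIX permissions get to "edit but not delete": it also blocks creating new files, and the existing file can still be emptied.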
----- "MHR" mhullrich@gmail.com wrote:
> However, file creation and deletion are functions of the directory permissions where the file resides. If a directory allows a user to write to it, they can create and delete files in that directory with reckless abandon.
> There are probably some intricate ways around this particular problem, but they can get pretty complicated really fast.
> HTH.
> mhr
I've been trying to devise a way around this problem and as you mentioned, it gets extremely complicated quickly. It's even more complicated than allowing users to delete files and restoring the file from a backup set. Well, at least I don't feel I'm going insane anymore (for now...).
Thank you to all who responded.
--Tim
on 2-19-2009 1:31 PM Tim Nelson spake the following:
> I've been trying to devise a way around this problem and as you mentioned, it gets extremely complicated quickly. It's even more complicated than allowing users to delete files and restoring the file from a backup set. Well, at least I don't feel I'm going insane anymore (for now...).
> Thank you to all who responded.
> --Tim
I have enabled the recycle bin vfs object on my systems. That way a user has to really try and delete a file to make it go away. Like windows, they would have to delete it, go look in the recycle bin (that you can hide) and delete it again. It has saved me many hours of recovering stuff.
----- "Scott Silva" ssilva@sgvwater.com wrote:
> I have enabled the recycle bin vfs object on my systems. That way a user has to really try and delete a file to make it go away. Like windows, they would have to delete it, go look in the recycle bin (that you can hide) and delete it again. It has saved me many hours of recovering stuff.
Ooooooo! This may indeed be a partial solution. 'Administrators' could have access to the Recycle Bin to restore deleted items where 'users' would not have access. Interesting...
--Tim
on 2-19-2009 1:53 PM Tim Nelson spake the following:
> Ooooooo! This may indeed be a partial solution. 'Administrators' could have access to the Recycle Bin to restore deleted items where 'users' would not have access. Interesting...
> --Tim
And you can also set it to keep versions of deleted files. Pretty cool! But beware of most of the docs on the internet that mention creating a "recycle.conf" file. That option has been broken for some time, and you need to put all the definitions into smb.conf directly.
Check the last post on this page for the syntax:
http://ubuntuforums.org/showthread.php?t=155763&page=2
Tim Nelson wrote:
> I've been trying to devise a way around this problem and as you mentioned, it gets extremely complicated quickly. It's even more complicated than allowing users to delete files and restoring the file from a backup set. Well, at least I don't feel I'm going insane anymore (for now...).
> Thank you to all who responded.
If you really want a versioning facility where you can commit things to a repository in a way that any version ever committed can be recalled, look at subversion or similar systems (and use the server setup, don't let users have write access through the filesystem). There are cross platform tools for subversion that you can use instead of samba.
If nightly backups are sufficient, look at backuppc (http://backuppc.sourceforge.net/). It makes the restores as simple as selecting what you want in a web interface and is very efficient with the required on-line disk space.
On Thursday 19 February 2009 04:29:03 pm MHR wrote:
> However, file creation and deletion are functions of the directory permissions where the file resides. If a directory allows a user to write to it, they can create and delete files in that directory with reckless abandon.
> There are probably some intricate ways around this particular problem, but they can get pretty complicated really fast.
I've always 'enjoyed' the solutions the samba team found for interoperability. Here's a good reference that provides the juicy details:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.ht...
Makes me shudder just to read it again . . .
A
> HTH.
> mhr
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
> I've always 'enjoyed' the solutions the samba team found for interoperability. Here's a good reference that provides the juicy details:
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.ht...
> Makes me shudder just to read it again . . .
> A
Ugh. Well, I did find an 'interesting' paragraph from the page you referenced that seems to sum up my problem:
--BEGIN--
Protecting Directories and Files from Deletion

People have asked on the Samba mailing list how is it possible to protect files or directories from deletion by users. For example, Windows NT/2K/XP provides the capacity to set access controls on a directory into which people can write files but not delete them. It is possible to set an ACL on a Windows file that permits the file to be written to but not deleted. Such concepts are foreign to the UNIX operating system file space. Within the UNIX file system anyone who has the ability to create a file can write to it. Anyone who has write permission on the directory that contains a file and has write permission for it has the capability to delete it.
--END--
--Tim
Tim Nelson wrote on Thu, 19 Feb 2009 13:54:41 -0600 (CST):
> I have a particular user who claims Samba has the ability to allow users to create/edit/modify existing files of a share but NOT delete them.
Not samba-specific. The sticky bit could help in this if I recall right. If you regularly reown the files to root, users will still be able to create and edit, but not delete (unless in the short time until next reown). There might also be extended ACL that could do that. And setgid might be able to help in this mix as well.
Kai