Problem is, with standard unix permissions, renaming a file is a matter of writing to the directory. You can have a file owned by root:root and chmodded to 000, and any non-privileged user would still be able to rename that file if they had write access to the directory. If a user has enough access to create a file in the directory, they have enough access to rename files in that directory... for more fine-tuning you need to bring ACLs into the mix.

~ Daniel

[EMAIL PROTECTED] wrote:

jef dodson wrote:
ok, that works to disallow non-owners from renaming the file, but what I would
like to do is disallow EVERYONE ( including the owner of the file ) from
editing, moving, or changing the filename once it is created. the only person
who should be able to make those changes is a special user. any ideas about
how to accomplish that? Thanks.


Yeah, I realized that after I pressed Enter...
To me it looks like it can be done with ACLs only.
Or you can try postexec or cron script that will change ownership on the
files.
Looks kinda ugly, but it should work.

--- Yura Pismerov <[EMAIL PROTECTED]> wrote:

Yura Pismerov wrote:
jef dodson wrote:
I have a question about samba and sticky bits.  I have a share with the
following configuration:

[documents]
comment = documents
path = /shares/documents
public = no
writeable = yes
printable = no
valid users = @lan1
force user = docadmin
^^^^^^^^^^^^^^^^^^^^^^^^^^^

That is why.
No matter what username is, it will be forced to docadmin, so the
sticky bit does not make much sense since the user who is manipulating
the file is the owner of the file from the OS point of view.
To achieve what you want you need to remove "force user".

Yeah, and create mode should be 0640 in this case.

force group = lan1
create mode = 0440
force create mode = 0440
directory mode = 1770
force directory mode = 1770
delete read only = no

I also have the sticky bit set on /shares/documents.

Now, when I drop the file 'test.txt' in the directory, it has the following
permissions:

-r--r----- 1 docadmin lan1 4 Oct 29 17:45 test.txt

Now, when I log in to the server via ssh as jdodson, the sticky bit on the
directory prevents me from renaming the test.txt file. However, when I log in
to the server from windows as jdodson, I can change the filename and move the
file to another directory.  So, it seems that samba is ignoring the sticky bit
on the /shares/documents directory.

The ultimate goal for the behavior of the directory is this:

when someone drops a file in the directory or subdirectory, it becomes
read-only so that it can't be edited, moved, or renamed by anyone except for a
special user with admin privileges.

__________________________________________________
Do you Yahoo!?
HotJobs - Search new jobs daily now
http://hotjobs.yahoo.com/
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
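
The behaviour discussed in this thread, as an added example that is not part of the original messages: a small Python model of the rename check using classic mode bits only (no ACLs, no capabilities), applied to the share above. The numeric ids, the user alice, the helper names and the root ownership of /shares/documents are assumptions.

```python
import stat
from dataclasses import dataclass

@dataclass
class Node:
    uid: int
    gid: int
    mode: int

def can_modify_dir(uid, groups, d):
    """Write + search (w+x) on the directory, classic owner/group/other bits only."""
    if uid == d.uid:
        bits = d.mode >> 6
    elif d.gid in groups:
        bits = d.mode >> 3
    else:
        bits = d.mode
    return bits & 0o3 == 0o3

def may_rename(uid, groups, directory, entry):
    """Rename is decided by the directory; the entry's own mode is never consulted."""
    if uid == 0:
        return True
    if not can_modify_dir(uid, groups, directory):
        return False
    if directory.mode & stat.S_ISVTX:  # sticky: only entry owner or directory owner
        return uid in (entry.uid, directory.uid)
    return True

def smb_uid(login_uid, force_user_uid=None):
    """Samba performs file operations as 'force user' when it is set."""
    return login_uid if force_user_uid is None else force_user_uid

# Constructed ids (assumptions): docadmin=1001, jdodson=1002, alice=1003, lan1=2001
DOCADMIN, JDODSON, ALICE, LAN1 = 1001, 1002, 1003, 2001
share = Node(0, LAN1, 0o1770)           # /shares/documents, assumed root-owned
test_txt = Node(DOCADMIN, LAN1, 0o440)  # file as created through the share

def scenarios():
    g = {LAN1}
    return {
        "ssh as jdodson": may_rename(JDODSON, g, share, test_txt),
        "smb, force user = docadmin": may_rename(smb_uid(JDODSON, DOCADMIN), g, share, test_txt),
        "smb, no force user, alice's file": may_rename(smb_uid(JDODSON), g, share, Node(ALICE, LAN1, 0o640)),
        "smb, no force user, own file": may_rename(smb_uid(JDODSON), g, share, Node(JDODSON, LAN1, 0o640)),
        "root:root 000 file, non-sticky dir": may_rename(JDODSON, g, Node(0, LAN1, 0o770), Node(0, 0, 0o000)),
    }

if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The fourth case is the limit of the sticky bit raised in the follow-up: the file's owner can still rename it, which is why the thread turns to ACLs or changing ownership after creation.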


