On Mon, 2008-09-15 at 15:40 -0700, Jeremy Allison wrote:
> On Mon, Sep 15, 2008 at 01:57:55PM -0700, Steve Rippl wrote:
> > Hi,
> >
> > We've just put in a Samba fileserver to replace our windows box for our
> > School District and it seems to be working great. I have a question
> > about defining some specific permissions though. We set up 'Drop boxes'
> > for teachers that kids can drag files into, but they don't have read
> > permission so they can't read each other's submitted work. Here's what
> > it looks like on the fileserver
> >
> > [EMAIL PROTECTED]:/srv/materials/WHS/VanCleek# getfacl Drop_Box/
> > # file: Drop_Box
> > # owner: admin
> > # group: domain\040admins
> > user::rwx
> > user:vancleek:rwx
> > group::rwx
> > group:whs\040student:-wx
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:vancleek:rwx
> > default:group::rwx
> > default:group:whs\040student:-wx
> > default:mask::rwx
> > default:other::---
> >
> > and the view through windows security tab shows Traverse folder/Create
> > Files/Write Attributes/Write Extended Attributes/Read permissions.
> > Needless to say this doesn't seem to work! The student account (in the
> > right group) is not allowed to drop a file into that folder. If I add
> > g:wsd\\whs\ Student:rwx then the student can do anything successfully,
> > with -wx nothing?!!
> >
> > Can anyone help?
>
> Ok, the problem is that students need to be able to read
> the containing directory in order to be able to drag and
> drop new files there. The reason is that Samba needs to
> be able to scan the directory on their behalf in order
> to do case insensitive lookups.
>
> But so long as you don't mind allowing the students to
> see the names of each other's files, you can set up a
> DropBox so that students can write into it (and their
> own files) but not edit or see others' files.
>
> Firstly, you want to make sure that files created in
> the DropBox directory are not owned by the student's
> primary group, but by the group owner of the DropBox
> directory. So:
>
> chgrp teachers DropBox
>
> to make it owned by the teachers group. Then set the
> setgid bit on the DropBox directory to make sure
> that files created within there have an owning group
> of teachers.
>
> chmod g+s DropBox
>
> Then ensure that a file in DropBox can be renamed
> or deleted by only the owner of the file, or by the
> owner of the directory, or by root (same permissions
> that /tmp has).
>
> chmod +t DropBox
>
> Then allow students to write into the directory
> by adding an ACL
>
> setfacl -m g:students:rwx DropBox
>
> So long as the default acl is set so that "others"
> have no permissions, files written by a student
> into that directory will be owned by themselves
> but will have an owning group of "teachers", and
> students will not be able to read each other's
> files.
>
> If you need to cause the files to be owned
> by the owner of the directory, not by the students
> who created them, you need to set up a separate
> share as described above, but then add the
> share level parameter:
>
> inherit owner = yes
>
> which will cause files created within the
> directories in that share to be owned by
> the containing directory, not the creating
> owner.
>
> Hope this helps,
>
> Jeremy.

Works like a charm! Many thanks.

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
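As an added example that is not part of the thread: a small Python checker that parses getfacl output and reports where a directory deviates from Jeremy's drop-box recipe above (group owner, setgid, sticky bit, student rwx incl. the read bit Samba needs, and no "other" access). The sample listing is constructed from Steve's Drop_Box output with the fix applied; the group names "teachers" and "whs student" are assumptions.

```python
import re

# Constructed sample (not real getfacl output): the page's Drop_Box after chgrp / chmod g+s / chmod +t, students rwx.
FIXED = """\
# file: Drop_Box
# owner: admin
# group: teachers
# flags: -st
user::rwx
group::rwx
group:whs\\040student:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::---
"""

def parse_getfacl(text):
    """Parse getfacl output into owner, group, special-bit flags and (tag, qualifier, perms, is_default) entries."""
    acl = {"owner": "", "group": "", "flags": "---", "entries": []}
    for line in filter(None, (l.split("#effective:")[0].strip() for l in text.splitlines())):
        if line[0] == "#":  # header lines; '# flags:' (suid/sgid/sticky) is printed only when a bit is set
            m = re.match(r"#\s*(owner|group|flags):\s*(\S+)", line)
            if m:
                acl[m.group(1)] = m.group(2).replace("\\040", " ")  # getfacl escapes spaces as \040
            continue
        default = line.startswith("default:")
        tag, qual, perms = line[8 if default else 0:].split(":", 2)
        acl["entries"].append((tag, qual.replace("\\040", " "), perms, default))
    return acl

def audit_dropbox(acl, students, teachers):
    """Return findings where the directory deviates from the drop-box recipe in the thread."""
    def perms(tag, qual="", default=False):
        return next((p for t, q, p, d in acl["entries"] if (t, q, d) == (tag, qual, default)), None)
    mask = perms("mask") or "rwx"
    eff = "".join(c for c in (perms("group", students) or "") if c in mask)  # effective = entry & mask
    checks = [
        (acl["group"] == teachers, f"group owner is {acl['group']!r}, expected {teachers!r} (chgrp)"),
        (acl["flags"][1] == "s", "setgid missing: new files get the student's primary group (chmod g+s)"),
        (acl["flags"][2] == "t", "sticky missing: students could delete/rename each other's files (chmod +t)"),
        ("w" in eff and "x" in eff, f"{students!r} cannot write into the directory (setfacl -m g:...:rwx)"),
        ("r" in eff, f"{students!r} lacks read, so Samba cannot scan the directory and drag-and-drop fails"),
        (perms("other") == "---" == perms("other", default=True), "'other' must be --- (access and default) or everyone reads submissions"),
        (perms("group", students, True) in (None, "---"), f"default ACL gives {students!r} rights on every new file others drop"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Feed it `getfacl Drop_Box` output captured from the server; an empty list means the directory matches the recipe.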