Re: Restricting delete on a share?

2003-03-10 Thread Simo Sorce
Jeremy,
the best way you can accomplish this is to build a custom VFS module.
It is really easy to build such a module and you only need to intercept
and discard any unlink operation.

regards,
Simo.


On Mon, 2003-03-10 at 07:04, Jeremy M. Dolan wrote:
> Hi all.
> 
> Management here wants to restrict users from deleting files via Samba.
> NTFS is able to restrict just delete permissions, but still allow new
> files to be created and old ones changed. But I've come to the
> conclusion this isn't possible with standard UNIX file permissions,
> and unfortunately Red Hat does not yet support ACLs on any file
> systems.
> 
> In Samba's documentation I don't see any indication that a delete=no
> type option exists for shares, which surprised me. Am I missing
> something?
> 
> If not, is there perhaps a compile-time directive to disallow file
> deletion?
> 
> Otherwise, could someone perhaps point me to what I'd want to change
> in the source to accomplish this?
> 
> Thanks.
-- 
Simo Sorce - [EMAIL PROTECTED]
Xsec s.r.l.
via Durando 10 Ed. G - 20158 - Milano
tel. +39 02 2399 7130 - fax: +39 02 700 442 399




Re: Restricting delete on a share?

2003-03-10 Thread Volker Lendecke
On Mon, Mar 10, 2003 at 06:37:26PM +1100, Andrew Bartlett wrote:
> Just remember that doing this doesn't actually gain you anything - the
> users can still write garbage into the file, or make them zero length. 

And, remember how Word saves files: New file, delete old, rename new to old.
Lately I tried to give Word write access to a file and remove write access to
the containing directory. With this setup it will refuse to save it.

I'd be VERY curious how Novell does this.

Volker




Re: Restricting delete on a share?

2003-03-10 Thread Andrew Bartlett
On Mon, 2003-03-10 at 18:50, Stefan (metze) Metzmacher wrote:
> At 18:37 10.03.2003 +1100, Andrew Bartlett wrote:
> >On Mon, 2003-03-10 at 18:02, Stefan (metze) Metzmacher wrote:
> > > At 00:04 10.03.2003 -0600, Jeremy M. Dolan wrote:
> > > >Hi all.
> > > >
> > > >Management here wants to restrict users from deleting files via Samba.
> > > >NTFS is able to restrict just delete permissions, but still allow new
> > > >files to be created and old ones changed.
> 
> Andrew, read two lines above... :-)

I know :-).  It's amazing how much effort goes into keeping management
happy rather than securing systems...

Andrew Bartlett
 
-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net




Re: Restricting delete on a share?

2003-03-09 Thread Stefan (metze) Metzmacher
At 18:37 10.03.2003 +1100, Andrew Bartlett wrote:
>On Mon, 2003-03-10 at 18:02, Stefan (metze) Metzmacher wrote:
> > At 00:04 10.03.2003 -0600, Jeremy M. Dolan wrote:
> > >Hi all.
> > >
> > >Management here wants to restrict users from deleting files via Samba.
> > >NTFS is able to restrict just delete permissions, but still allow new
> > >files to be created and old ones changed.

Andrew, read two lines above... :-)

> > you can write a vfs module that overloads the unlink function and returns
> > access denied when the unlink function is called.
>
>Just remember that doing this doesn't actually gain you anything - the
>users can still write garbage into the file, or make them zero length.
>
>So the option you are looking for is 'read only = yes' ;-)


metze
-
Stefan "metze" Metzmacher <[EMAIL PROTECTED]> 



Re: Restricting delete on a share?

2003-03-09 Thread Andrew Bartlett
On Mon, 2003-03-10 at 18:02, Stefan (metze) Metzmacher wrote:
> At 00:04 10.03.2003 -0600, Jeremy M. Dolan wrote:
> >Hi all.
> >
> >Management here wants to restrict users from deleting files via Samba.
> >NTFS is able to restrict just delete permissions, but still allow new
> >files to be created and old ones changed. But I've come to the
> >conclusion this isn't possible with standard UNIX file permissions,
> >and unfortunately Red Hat does not yet support ACLs on any file
> >systems.
> >
> >In Samba's documentation I don't see any indication that a delete=no
> >type option exists for shares, which surprised me. Am I missing
> >something?
> >
> >If not, is there perhaps a compile-time directive to disallow file
> >deletion?
> >
> >Otherwise, could someone perhaps point me to what I'd want to change
> >in the source to accomplish this?
> 
> you can write a vfs module that overloads the unlink function and returns 
> access denied when the unlink function is called.

Just remember that doing this doesn't actually gain you anything - the
users can still write garbage into the file, or make them zero length. 

So the option you are looking for is 'read only = yes' ;-)

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
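
Added example, not part of any message in this thread and not Samba code: a small C program illustrating the two caveats raised in the replies, that refusing unlink still leaves a writable file open to truncation, and that a save sequence of "new file, delete old, rename new to old" stops at the delete step. `deny_unlink()` is a hypothetical stand-in for a VFS unlink hook; the `/tmp/nodelete_demo.txt` path and the file contents are constructed.

```c
/* Added illustration, not Samba code. deny_unlink() is a hypothetical
 * stand-in for a VFS module hook that refuses every delete request. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static int deny_unlink(const char *path) { (void)path; errno = EACCES; return -1; }
long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

int write_file(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    int bad = write(fd, data, strlen(data)) < 0;
    return (close(fd) != 0 || bad) ? -1 : 0;
}

/* Deletes are refused, yet opening for write with truncation still works. */
long size_after_truncate(const char *path) {
    int fd = open(path, O_WRONLY | O_TRUNC);
    if (fd < 0) return -1;
    close(fd);
    return file_size(path);               /* 0: the content is gone */
}

/* Save sequence from the thread: new file, delete old, rename new to old.
 * Returns 0 if saved, 1 if the delete step was refused, -1 on I/O error. */
int word_style_save(const char *path, const char *data) {
    char tmp[512];
    snprintf(tmp, sizeof tmp, "%s.new", path);
    if (write_file(tmp, data) != 0) return -1;
    if (deny_unlink(path) != 0) {
        unlink(tmp);                      /* demo cleanup; bypasses the hook */
        return 1;
    }
    return rename(tmp, path) == 0 ? 0 : -1;
}

int main(void) {
    const char *p = "/tmp/nodelete_demo.txt";      /* constructed sample file */
    if (write_file(p, "quarterly report\n") != 0) return 1;
    printf("save rc=%d\n", word_style_save(p, "v2\n"));
    printf("size after truncate=%ld\n", size_after_truncate(p));
    return unlink(p);
}
```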




Re: Restricting delete on a share?

2003-03-09 Thread Stefan (metze) Metzmacher
At 00:04 10.03.2003 -0600, Jeremy M. Dolan wrote:
>Hi all.
>
>Management here wants to restrict users from deleting files via Samba.
>NTFS is able to restrict just delete permissions, but still allow new
>files to be created and old ones changed. But I've come to the
>conclusion this isn't possible with standard UNIX file permissions,
>and unfortunately Red Hat does not yet support ACLs on any file
>systems.
>
>In Samba's documentation I don't see any indication that a delete=no
>type option exists for shares, which surprised me. Am I missing
>something?
>
>If not, is there perhaps a compile-time directive to disallow file
>deletion?
>
>Otherwise, could someone perhaps point me to what I'd want to change
>in the source to accomplish this?

you can write a vfs module that overloads the unlink function and returns
access denied when the unlink function is called.

metze
-
Stefan "metze" Metzmacher <[EMAIL PROTECTED]> 



Restricting delete on a share?

2003-03-09 Thread Jeremy M. Dolan
Hi all.

Management here wants to restrict users from deleting files via Samba.
NTFS is able to restrict just delete permissions, but still allow new
files to be created and old ones changed. But I've come to the
conclusion this isn't possible with standard UNIX file permissions,
and unfortunately Red Hat does not yet support ACLs on any file
systems.

In Samba's documentation I don't see any indication that a delete=no
type option exists for shares, which surprised me. Am I missing
something?

If not, is there perhaps a compile-time directive to disallow file
deletion?

Otherwise, could someone perhaps point me to what I'd want to change
in the source to accomplish this?

Thanks.

-- 
Jeremy M. Dolan  
PGP: 1024D/3C68A1BA 9470 210C A476 FFBB 6D11  0223 0D1C ABFC 3C68 A1BA