[Gllug] Getting required read / write / access permissions

Bruce Richardson itsbruce at workshy.org
Wed Apr 6 09:00:18 UTC 2011

On Wed, Apr 06, 2011 at 09:40:04AM +0100, Chris Bell wrote:
> Hello,
>    I am trying to get the correct access permissions automatically for a
> number of users accessing a server running Debian Lenny at present, with all
> users accessing the server from Microsoft PCs via Samba. The requirements
> are personal home directories with R/W access only by the owner,

Very simple and standard to create in samba.  The example configs should
be sufficient.

> a directory
> with full recursive R/W access to all files to all, but only all, on a
> restricted list, plus a directory with full recursive R/W access to all
> listed users.

Are these to be separate shares or two directories on the same share?
If the latter, then POSIX acls are possibly the best tool.

> Individual users need to be able to create sub-directories and
> new files. [ snip ] It would be best if shared files can not be
> deleted once created.

That last bit is simply not possible.  If users have sufficient
permissions to create files, they have sufficient to delete them.  It is
possible to set up a situation where users can modify the contents of
files but not create, rename or delete them but that's very little use
in real life.

> Some users also need access from their normal computers via
> OpenVPN. 

That doesn't make much sense.  OpenVPN gives people access to a network,
not to a computer's files.  How are the OpenVPN users going to be
accessing the files after they have gained access to the network via

>    I have created two additional groups (not users), one restricted, the
> other to include all. I have edited /etc/samba/smb.conf to set access
> permissions to 770 on each of the directories, together with the required
> user lists for each. 

Can you post the relevant parts of smb.conf?  Anything relating to
access permissions in the global config, plus the share sections.

> If I look at man chmod I see that I can specify 770 but
> there are six possible attributes, rwxXst, and when I use ls -al I only see
> three.

I think you need to read up on Unix file permissions and then re-read
the chmod man page.


>    I am still being told that not all the required users have write access
> to all neccessary new files. Have I missed something? Would Microsoft
> limited access permissions over-ride those set by Samba?

Too little information.  That would need to be looked at on a case by
case basis, eliminating problems as they are discovered, till there are
no more problems.


Get thee behind me, Stan: for it is written, thou hast gotten me into
another fine mess.  -- Oliver 4:8
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 204 bytes
Desc: Digital signature
URL: <http://mailman.lug.org.uk/pipermail/gllug/attachments/20110406/db5d37ce/attachment.pgp>
-------------- next part --------------
Gllug mailing list  -  Gllug at gllug.org.uk

More information about the GLLUG mailing list