Sams Teach Yourself Samba in 24 Hours


Hour 7: File Sharing


Sections in this Chapter:


Permissions

File and Directory Creation Parameters

Some Examples

Permissions

As you saw in the previous section, Samba first applies large-grained access checks, such as read or write and user-based access to shares. When a requested operation, such as opening a file for read or write, has passed these access checks, it still has to satisfy normal operating system restrictions on file and directory access. These are based on the user that Samba has determined is accessing the file share.

That is, normal UNIX permissions apply to all file operations after Samba has determined accessibility.

Recall that earlier you were able to bring up the files file-1.txt and file-2.txt in Notepad. This was because they were world-readable and thus accessible by anyone. Here is a detailed listing of the share directory again:

ls -al /home/first-share
total 4
drwxr-xr-x   2 root     root         1024 Jan  5 14:23 .
drwxr-xr-x  17 root     root         1024 Jan  5 14:23 ..
drwxr-xr-x   2 boss     boss         1024 Jan  6 01:09 New Folder
-rw-r--r--   1 root     root           69 Jan  5 14:22 file-1.txt
-rw-r--r--   1 root     root           59 Jan  5 14:23 file-2.txt

As you can see, the files file-1.txt and file-2.txt have mode 0644 and are owned by root, meaning that only root can write them; they are not group- or world-writable. If you try to modify those files from a client, you will be unable to. Bring one of them up in Notepad and try to modify it. When do you get an error message? It should happen when you try to save your changes. Eventually, Notepad gives you the error message shown in Figure 7.10.

Figure 7.10
Notepad cannot save file-1.txt.

This happens because of the way Notepad saves a file. It asks the server to open file-1.txt for writing, but the file already exists, is owned by root, and has mode 0644, so the UNIX user Samba is acting as (boss) has no write permission on it and the open fails.

If you were to try to save the file under a name that did not already exist in the directory (that is, in the directory the share exports), Notepad would be happy, and a new file would be created: creating a file needs write permission on the directory, not on an existing file.

What you are seeing here is this: After all the accessibility checks that Samba applies, it also checks the normal file system permissions that the user (who Samba regards is connected to the file share) has to the files in the share!

In particular, if you do not have read access to directories, you will be unable to see their contents, despite being able to see the directories themselves. Typically, you get Access Denied messages when trying to browse such directories.

Now, when files and directories are created on a Samba share, who owns them, and what permissions do they inherit? Refer back to the long listing of the first-share directory, and look at the entry for New Folder. Here is that entry again:

drwxr-xr-x   2 boss     boss         1024 Jan  6 01:09 New Folder

The directory is owned by boss (the user you connected as), its group owner is boss's primary group, and it has mode 0755.

Now you have to look at UNIX file modes a little, because Samba's permission parameters are expressed as octal numbers such as the 0755 shown previously. Here is what they mean and how to construct them.

Every file in a UNIX file system has an owner, a group owner, and file modes (sometimes referred to as permissions) that consist of four parts: a set of special bits (setuid, setgid and sticky), the permissions of the owner, the permissions of the group owner, and the permissions of everyone else.

A file's mode is usually displayed as the three letters RWX and dash (-). So, RWX means read, write, and execute, whereas R-X means read and execute. To change a mode, express it as a series of 12 bits in octal. Thus a file's mode is represented as four octal digits, where the first digit is encoded the following way:

4  setuid: a program runs with the privileges of its owner
2  setgid: a program runs with the privileges of its group owner; on a directory, new entries inherit the directory's group
1  sticky: on a directory, only a file's owner (or the directory's owner, or root) may delete or rename that file

The remaining three digits (the permissions bits proper), one each for the owner, the group owner, and everyone else, are encoded in the following way:

4  R  read
2  W  write
1  X  execute (for a directory: permission to change into it and reach the entries in it)

When you want to construct a particular mode for a file, you simply add together the encodings for the permissions you want. So, RWX adds up to octal 7, whereas RW- adds up to 6, R-X adds up to 5, and so on.

Thus, a mode of 1755 means

1  the sticky bit is set
7  the owner has RWX
5  the group owner has R-X
5  everyone else has R-X

Finally, a mode of 0755 would be listed by ls -al as rwxr-xr-x (ls prints the letters in lowercase).

Samba handles the creation modes of files and directories separately. A number of share-level parameters can be set to control both ownership and the mode of created files and directories.

File and Directory Creation Parameters

The following sections list many of the Samba share-level parameters that affect permissions and ownership of files and directories created by Samba. As always, the final list of such parameters and the final word on their function rests with the manual pages on smb.conf for the current version of Samba.

create mask, create mode

These share-level parameters are synonyms for each other, and they control the permissions that are set when files are created. The value given is a bit mask that is used to mask against the UNIX mask calculated from the DOS mode requested.

Any bit not set in the mask is removed from the permissions (modes) of the file when it is created.

By default the create mask has the value 0744, which means that a new file can have at most RWX permissions for its owner and R-- permissions for members of the group owner of the file and for all other users. Whether the owner's X bit is actually set depends on the mode Samba requested for the file (for example, on whether the DOS archive attribute is being mapped to that bit); the mask only removes bits, it never adds them.

An example of using this parameter is

create mask = 0755

which allows the owner (or user) up to RWX permissions, members of the group owner of the file up to R-X permissions, and everyone else (world, or others) up to R-X permissions.

directory mask, directory mode

These share-level parameters are synonyms for each other, and they control the permissions that are set when directories are created. The value given is a bit mask that is used to mask against the UNIX mask calculated from the DOS mode requested.

Any bit not set in the mask is removed from the permissions (modes) of the file when it is created.

By default, the directory mask is set to 0755. An example of using this parameter is

directory mask = 0744

which allows the owner (or user) up to RWX permissions, whereas members of the group and everyone else (world, or others) get at most R-- permissions; in particular they lose the X bit, which on a directory has the consequence described in the following note.

Note - The execute bit has a special meaning for directories: it grants search (traverse) permission, that is, the right to change into the directory and to open the entries inside it by name. The read bit on a directory only allows its contents to be listed. So a user with R but not X access to a directory can see the names in it but cannot open any of the files, and a user with X but not R access can open files whose names they already know but cannot browse the directory. This applies to access from Windows too, because smbd accesses the file system as the connected UNIX user: a directory that user cannot traverse still shows up in the parent folder, but browsing it produces an Access Denied message.

force create mode

This share-level parameter allows you to force certain permission (mode) bits on when files are created under a share. Samba does this by performing a bitwise OR of the bits specified here with the bits that remain after the create mask has been applied. Note that this means force create mode overrides create mask: a bit forced on here cannot be taken away by the mask, so forcing world bits defeats a mask that was meant to strip them.

By default, this parameter has the value 0000, which means that no extra mode bits are forced into the create mask/mode. An example of using this parameter is

force create mode = 0755

which means that the created files have a mode of at least 0755 (or RWXR-XR-X).

force directory mode

This share-level parameter allows you to force certain permission (mode) bits on when directories are created under a share. Samba does this by performing a bitwise OR of the bits specified here with the bits that remain after the directory mask has been applied. Note that this means force directory mode overrides directory mask, with the same caveat as for force create mode: forced bits cannot be removed by the mask.

By default, this parameter has the value 0000, which means that no extra mode bits are forced into the directory mask/mode. An example of using this parameter is

force directory mode = 0755

which means that the created directories have a mode of at least 0755 (or RWXR-XR-X).
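As an added example (not code from the book and not part of Samba) tying the octal mode encoding above to the create mask, directory mask and force mode parameters: mode_to_string() renders a mode the way ls does, string_to_mode() goes the other way, and samba_mode() computes the mode smbd ends up with, mask first and then the forced bits. The requested modes 0666, 0766 and 0777 used in the demonstration are assumptions about what smbd derives from the DOS attributes of the request (0766 corresponds to the default mapping of the DOS archive attribute to the owner execute bit); they are not values stated on this page.

```python
"""Samba create-mode arithmetic: (requested & mask) | force.  Added example."""
import stat

# Where ls prints the setuid, setgid and sticky bits, and the letter it uses.
SPECIAL_BITS = ((stat.S_ISUID, 2, "s"), (stat.S_ISGID, 5, "s"), (stat.S_ISVTX, 8, "t"))
SPECIAL_AT = {pos: flag for flag, pos, _ in SPECIAL_BITS}


def mode_to_string(mode):
    """Render the twelve permission bits as ls -l does, e.g. 0o1755 -> 'rwxr-xr-t'."""
    chars = []
    for shift in (6, 3, 0):                      # owner, group, other
        bits = (mode >> shift) & 0o7
        chars.append("r" if bits & 4 else "-")
        chars.append("w" if bits & 2 else "-")
        chars.append("x" if bits & 1 else "-")
    for flag, pos, letter in SPECIAL_BITS:
        if mode & flag:
            # ls shows s/t when the matching x bit is set, S/T when it is not
            chars[pos] = letter if chars[pos] == "x" else letter.upper()
    return "".join(chars)


def string_to_mode(text):
    """Inverse of mode_to_string: 'rwxr-x---' -> 0o750, 'rwxr-xr-t' -> 0o1755."""
    if len(text) != 9:
        raise ValueError("expected nine permission characters, e.g. rwxr-xr-x")
    mode = 0
    for pos, ch in enumerate(text):
        bit = 1 << (8 - pos)                     # 0o400 for the first column, 0o001 for the last
        if ch in "sStT":
            if pos not in SPECIAL_AT:
                raise ValueError("special bit letter %r in column %d" % (ch, pos))
            mode |= SPECIAL_AT[pos]
            if ch in "st":                       # lowercase means the x bit is set as well
                mode |= bit
        elif ch in "rwx":
            mode |= bit
        elif ch != "-":
            raise ValueError("unexpected character %r" % ch)
    return mode


def samba_mode(requested, mask, force):
    """Mode smbd gives a new file or directory: bits absent from the mask are
    cleared, then the force bits are OR'ed in, so force wins over mask."""
    return (requested & mask) | force


def world_bits_possible(mask, force):
    """True if this mask/force pair can ever leave a world (other) bit set."""
    return bool((mask | force) & 0o007)


if __name__ == "__main__":
    # Assumed requested modes (not from the page): 0666 for a plain file, 0766 when
    # the DOS archive bit is mapped to the owner x bit, 0777 for a directory.
    cases = [
        ("default create mask", 0o666, 0o744, 0o000),
        ("archive bit, mask 0750", 0o766, 0o750, 0o000),
        ("force 0755 beats mask", 0o666, 0o750, 0o755),
        ("default directory mask", 0o777, 0o755, 0o000),
    ]
    for label, req, mask, force in cases:
        got = samba_mode(req, mask, force)
        print("%-24s %04o & %04o | %04o = %04o  %s"
              % (label, req, mask, force, got, mode_to_string(got)))
    print("mask 0750 + force 0755 can leak world bits:", world_bits_possible(0o750, 0o755))
```

The third row is the caveat from the text: force create mode = 0755 puts back the world bits that create mask = 0750 removed, so world_bits_possible() is the check to run on any share that is meant to keep other UNIX users out. The 0766 & 0750 = 0740 row gives rwxr-----, which is the mode shown for new-file.txt in the listing later in this hour.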

force group

This share-level parameter specifies a UNIX group name that is used as the default primary group for all users accessing the service.

By default, this parameter has no value, which means that all new files and directories are given a group owner by applying the normal UNIX rules (if the setgid bit is set on the parent directory, use that directory's group; otherwise use the creator's primary group).

An example of using this parameter is

force group = users

which means that all new files on the share are created with a group owner of users.

force user

This share-level parameter specifies a UNIX user name that is used as the default user for all users accessing the service.

By default, this parameter has no value, which means that all new files in the share are owned by the UNIX user that is deemed to have connected to the share (see the section "Accessibility" earlier this hour). Be aware that force user does more than set the owner of new files: once the user has been authenticated, every file operation on the share is performed as the forced user, so anyone who can connect to the share gets that user's UNIX access rights within it. An example of using this parameter is

force user = boss

which means that all new files in the share are owned by boss, and that all access to the share is carried out with boss's permissions.

Some Examples

Now that you have seen many of the parameters that affect the way Samba handles the creation and accessing of files under file shares, how might you use them? Here are some ideas.

To force all files created under a particular share to be group-owned by a particular group, use the force group parameter. For example, if you want all files and directories created under the share to have the group owner accounts, use the following parameter for the share:

force group = accounts

To prevent all files and directories created under a particular share from having any world permissions (perhaps to keep other UNIX users on the server out of files in the share), use the following parameters for the share:

create mask = 0750
directory mask = 0750

You have to use both of these parameters, because Samba handles file creation and directory creation separately.

Modify your first-share to include some of these changes:

[first-share]
    comment = My first share
    path = /home/first-share
    browsable = yes
    writable = yes
    create mask = 0750
    directory mask = 0750
    force group = users

After you modify your smb.conf to change first-share to the parameters noted previously and restart (or reload) Samba, create the file new-file.txt and the directory another-new-folder from a client.

You should now see something such as the following when you do a full listing of the share directory:

ls -al /home/first-share
total 6
drwxrwxrwx   4 root     root         1024 Jan  6 16:58 .
drwxr-xr-x  17 root     root         1024 Jan  5 14:23 ..
drwxr-x---   2 boss     boss         1024 Jan  6 14:53 New Folder
drwxr-x---   2 boss     users        1024 Jan  6 16:58 another-new-folder
-rw-r--r--   1 root     root           69 Jan  5 14:22 file-1.txt
-rw-r--r--   1 root     root           59 Jan  5 14:23 file-2.txt
-rwxr-----   1 boss     users           0 Jan  6 16:58 new-file.txt

Notice that new-file.txt and another-new-folder both have a group owner of users, and neither of them have any world permissions.

Finally, notice that the share directory /home/first-share itself is at mode 0777 (you had to open it up like this for boss to be able to create files in a directory owned by root), which is very dangerous: any user with a shell on the UNIX machine can create, rename or delete entries in it. A better way to allow you to create files on the share from clients is to change the group owner of the directory to a group you are in and give that group write access.

To do this, you must find out which groups you are in on the UNIX machine. So, if you logged in as boss on your client, you must find out which groups boss is in:

groups boss 
boss : boss wheel users

Then change the group owner of the directory /home/first-share to be one of those groups. users is a good candidate, especially if you plan to allow other people to access and share files on the share. You need to set the group write bit on the directory as well.

To effect these changes, use the following commands:

chgrp users /home/first-share
chmod 0775 /home/first-share

If you want these changes to apply to all existing files and directories under the share as well, include the -R flag with the chgrp command. Be careful with a recursive chmod, though: chmod -R 0775 would also set the execute bit on every file, so apply 0775 only to directories and a mode such as 0664 to files.
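The inspection and clean-up that the text does by hand with ls -al, chgrp and chmod, as an added Python example (not the book's code and not part of Samba): find_exposed() walks a share directory and reports entries that still carry world permission bits or the wrong group owner, and harden_share() is the recursive chgrp/chmod step, applied only to real files and directories so that a symlink placed inside the share cannot redirect the change to something outside it. The target modes 0640 for files and 0770 for directories, the demo layout built by make_demo_share() and its file names are all constructed for this example.

```python
"""Audit and fix the UNIX permissions under a Samba share directory.  Added example."""
import os
import stat
import tempfile


def _entries(root):
    """The share directory itself plus everything below it, without following symlinks."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, name) for name in dirnames + filenames)
    return paths


def find_exposed(root, expected_gid=None):
    """Return (relative path, problem) for every entry that has world (other)
    permission bits or, when expected_gid is given, the wrong group owner.
    lstat is used so a symlink is judged by itself, not by what it points at."""
    findings = []
    for path in _entries(root):
        st = os.lstat(path)
        perm = stat.S_IMODE(st.st_mode)
        rel = os.path.relpath(path, root)
        if perm & 0o007:
            findings.append((rel, "world bits set: %04o" % perm))
        if expected_gid is not None and st.st_gid != expected_gid:
            findings.append((rel, "group is gid %d, expected %d" % (st.st_gid, expected_gid)))
    return findings


def harden_share(root, gid=None, file_mode=0o640, dir_mode=0o770):
    """The chgrp -R / chmod -R step from the text.  Assumed targets: files 0640,
    directories 0770 (group can write, no world bits).  gid defaults to the
    caller's own group.  Symlinks are skipped: chmod/chown would otherwise act
    on their targets, which may lie outside the share.  Returns entries changed."""
    if gid is None:
        gid = os.getgid()
    changed = 0
    for path in _entries(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue
        os.chown(path, -1, gid)          # -1 leaves the owner alone, like chgrp
        os.chmod(path, dir_mode if stat.S_ISDIR(st.st_mode) else file_mode)
        changed += 1
    return changed


def make_demo_share():
    """Constructed sample data: a throw-away copy of the first-share layout with
    the dangerous modes the text warns about (0777 root, 0644 root-style files)."""
    root = tempfile.mkdtemp(prefix="first-share-")
    os.chmod(root, 0o777)
    folder = os.path.join(root, "New Folder")
    os.mkdir(folder)
    os.chmod(folder, 0o755)
    for name, mode in (("file-1.txt", 0o644), ("new-file.txt", 0o740)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    share = make_demo_share()
    print("before:")
    for rel, problem in find_exposed(share, os.getgid()):
        print("  %-14s %s" % (rel, problem))
    print("changed %d entries" % harden_share(share))
    print("after:", find_exposed(share, os.getgid()) or "clean")
```

Run against a real share, point find_exposed() at the share's path with the gid of its force group; an empty result means no entry would be readable by an arbitrary UNIX user on the server, which is the property the create mask and directory mask of 0750 are meant to maintain for new files.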

Finally, this illustrates an aspect of Samba that is very useful: You can perform management of the files in your file shares from UNIX. This means that you have access to all the standard UNIX facilities, including scripting (even Perl) as well as cron files.

For example, in a student lab where students are required to submit their labwork (by copying it to the \\eagle\labwork share) by a particular date and time, the following shell script

#!/bin/sh
# Figure out who has not handed in their labwork, then change the
# owner so students cannot resubmit after the deadline.  Finally,
# mail the instructor the list of students who failed to hand in
# their work.  While this script is running there is a small window
# in which someone can still resubmit; closing it would mean
# shutting Samba down first.
set -eu
LABDIR=/home/labwork
STUDENTS=/home/instructor/students   # one login name per line
SUBMITTED=$(mktemp)
trap 'rm -f "$SUBMITTED"' EXIT
# First, stop students from adding files to the directory from PCs:
# smbd accesses the directory as the student, and 1700 leaves only
# the owner able to write to or traverse it.
chmod 1700 "$LABDIR"
# Next, record who owns the submitted work (field 3 of ls -l is the
# owner; the first line of ls -l is the "total" line, so skip it).
ls -l "$LABDIR" | awk 'NR > 1 { print $3 }' | sort -u > "$SUBMITTED"
# Now take the work away from the students so it can no longer be changed.
chown -R instructor "$LABDIR"
# Finally, compare against the class list: comm -13 prints the names that
# appear in the (sorted) student list but not among the submitters.
sort -u "$STUDENTS" | comm -13 "$SUBMITTED" - |
    mail -s "Students who did not submit their labwork on time" instructor

This shell script is an example only. It needs modification for the real world where instructors often have multiple classes, and so on.
