File Permissions Overview
Changing File Permissions
Local User Administration
If the machine you are administering will be used by a variety of users, it may be advantageous to set the file permissions for where you want to allow users to go. This is much easier if the users are separated into groups with different levels of access to user data. One way to improve file security for local users is to create a public and private folder within each user's home directory.
- To set up a public and private folder for the user "user" who is in group "users":
ComputerName:~# cd /home/user
ComputerName:/home/user# mkdir ./private
ComputerName:/home/user# mkdir ./public
ComputerName:/home/user# chown -R user /home/user
ComputerName:/home/user# chgrp -R users /home/user
ComputerName:/home/user# chmod -R 777 ./public
ComputerName:/home/user# chmod -R 700 ./private
ComputerName:/home/user# ls -la
drwxr-xr-x 5 user users 4096 Oct 30 09:18 .
drwx------ 2 user users 4096 Oct 30 09:18 private
drwxrwxrwx 2 user users 4096 Oct 30 09:18 public
Setting up directories to be accessible by groups of users is similar; just change the chmod value from 700 to 770.
Samba Share-level Administration
- When a user connects to a share on your machine, the authentication of that user is handled by Samba, but the permissions of whether that user can read, write, or execute in that shared folder are handled by the normal Linux file permission commands.
- It is important to note that Samba uses the same user names and groups as are defined by the local Linux users, so make sure that any groups or users that you want set up are created before trying to create any network shares. Having them set up correctly determines whether or not the user will be able to save his or her work in your share.
- There are two main examples:
- A private share accessible by only a single user
- A group share accessible only by a particular group of private users
- For a private share, you will want to make a directory similar to the private directory in the example above.
For example, using the directory /tmp/testshare, the share in the smb.conf file should look something like this:
path = /tmp/testshare
valid users = user
public = no
writable = yes
printable = no
- The share above is defined as writable, but only for the users in the valid users = list, since public is set to no.
- To set up the directory for the valid users on the local system, we need to:
- Make sure it is owned by the user "user"
- Make sure it is under control of the correct group, "users" in this case
- Set its permissions to allow only the owner to access it.
The commands below implement these properties:
ComputerName:~# mkdir /tmp/testshare
ComputerName:~# chown -R user /tmp/testshare
ComputerName:~# chgrp -R users /tmp/testshare
ComputerName:~# chmod -R 700 /tmp/testshare
ComputerName:~# ls -la /tmp
drwx------ 2 user users 4096 Oct 30 10:10 testshare
- It is important to note that any new files created by "user" will be owned by "user" and by default will be readable publicly and by all people in the group "users".
Since this share is only accessible by the user "user", this is not a problem.
- Access for new files can become more of a problem in a group share.
For example:
- The directory /tmp/testshare is used to illustrate a directory to be accessible by anyone in a given group.
- The directory itself should be owned by "user" in this example
- The directory should be put under the group "users" with the chgrp command for this example.
- The share as defined in the smb.conf file should look something like this:
path = /tmp/testshare
valid users = @users
public = no
writable = yes
printable = no
force create mode = 0770
force directory mode = 0770
force group = users
- The "@users" option in valid users defines the group "users".
- The last 3 lines set up the default permissions for any new files or directories that will be written to this share by the users in group "users".
- The force create mode and force directory mode options specify the permission bits that are always set on newly created files and directories, respectively. They use the octal permissions discussed in Changing File Permissions, plus another digit in the front that we will always set to 0.
- The force group option forces all created objects to be set under the "users" group.
- There is a corresponding force user option which can be used if you wish to have all the files owned by a single user.
- To set up the current files and directory permissions locally, we change the chmod command in the above example for the private share from 700 to 770.
- There are many other examples of shares and how to set their permissions in the example smb.conf file that comes with the Samba package.
- For further help, the man page for smb.conf is a great place to start. The Samba homepage www.samba.org also has excellent documentation on how to set up the smb.conf file and other aspects of Samba.
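An added example, not part of the original page: a small audit for the private (700) and group (770) share layouts described above. It shows how a file created under the default umask of 022 ends up world-readable and not group-writable until the force create mode settings or a chmod are applied. The function names, the scratch directory and report.txt are assumptions made for illustration, and GNU find is assumed.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes GNU find ("-perm /MASK").

# audit_share DIR MODE
# MODE is the intended mode from the text: 700 (private) or 770 (group share).
# Lists every entry under DIR granting bits beyond MODE; returns 1 if any exist.
audit_share() {
    case $2 in
        700) mask=077 ;;   # private share: no group or other access at all
        770) mask=007 ;;   # group share: no access for "other"
        *)   echo "audit_share: MODE must be 700 or 770" >&2; return 2 ;;
    esac
    # Symlinks always show mode 777 on Linux, so skip them to avoid false hits.
    leaks=$(find "$1" ! -type l -perm "/$mask" -exec ls -ld {} \;)
    [ -z "$leaks" ] && return 0
    printf '%s\n' "$leaks"
    return 1
}

# missing_group_write DIR
# Prints regular files that group members cannot modify: the result of a
# default umask of 022 when "force create mode" is not applied.
missing_group_write() {
    find "$1" -type f ! -perm -020 -print
}

# Constructed demo in a scratch directory standing in for /tmp/testshare.
demo() {
    share=$(mktemp -d) || return 2
    chmod 770 "$share"
    ( umask 022; : > "$share/report.txt" )        # new file is created 644
    audit_share "$share" 770 || echo "^ readable by users outside the group"
    missing_group_write "$share"                  # report.txt: no group write
    chmod -R 770 "$share"                         # the local fix from the text
    audit_share "$share" 770; rc=$?
    rm -rf "$share"
    return $rc
}
```

Source the file and run `demo` to see the before and after, or point `audit_share` at a real share path with the mode it is supposed to have.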