SLUG Mailing List Archives
Re: [SLUG] umask file permissions with samba
- To: slug@xxxxxxxxxxx
- Subject: Re: [SLUG] umask file permissions with samba
- From: getadog <getadog@xxxxxxxxxxxxxxxx>
- Date: Wed Feb 27 13:59:01 2002
- User-agent: Mutt/1.3.25i
On Wed, Feb 27, 2002 at 12:41:52PM +1100, Jeff Waugh wrote:
> <quote who="Kerry Seibold">
> > 770 gives rwx permission to owner and group, --- to other.
> > 660 gives rw- permission to owner and group, --- to other.
> Yeah, generally the file ones are set to 660, and having stuff readable to
> other is not good if you want to restrict it to a group.
Yes, and if you wanted to restrict it to a group, you probably
wouldn't use force group. ( I wouldn't anyway )
By using force group, everyone who connects to the service will have
their primary group changed to the forced group. ie they don't need
to be a member of the group in /etc/passwd or /etc/group.
A different way to do it, just as another example.
adduser user1 sales # adds user1 to group sales
adduser user2 sales # this doesn't work on all distros.
chown root:sales /home/sales/
chmod 2770 /home/sales/
path = /home/sales
write list = @sales
valid users = @sales
inherit permissions = yes
write list and valid users are extra security on top of the unix file
permissions, you could remove them and add writable = yes and have
the same effect.
This example means all users that are a member of the sales group can
share files, edit and delete other peoples file. If they're not a member
of sales, they can't access the service at all.
If I changed it to
path = /home/sales
writable = yes
force group = sales
force create mode = 770
create mode = 770
force directory mode = 770
directory mode = 770
Everyone would have read/write access to sales, regardless of what groups they are
members of, regardless of other permissions. Which is fine, if thats
what you want, and probably is what you want for a small office. I offer my
example just as an alternative, and for review.