Samba - Using Group Permissions

From The System Administrator Zone


/etc/samba/smb.conf

The share-definition, created with the X Samba-configuration tool:

[TEMP]
     comment = data goes here
     path = /home/george/temp
     writeable = yes


security mask / forced security mask

security mask

Essentially, zero bits in the security mask may be thought of as the set of bits a user is not allowed to change, and one bits are those the user is allowed to change.

If not set explicitly, the default is the same as the create mask parameter, which defaults to 000, allowing a user to modify all the user/group/world permissions on a file. To make sure that a Windows user can never change the access rights for "other", we can define the security mask to be 0770:

security mask = 0770

forced security mask

Next Samba checks the changed permissions for a file against the bits set in the force security mode parameter. Any bits that were changed that correspond to bits set to 1 in this parameter are forced to be set.

Essentially, bits set in the force security mode parameter may be treated as a set of bits that, when modifying security on a file, the user has always set to be on. If not explicitly set, this parameter defaults to the same value as the force create mode parameter, which is also 000.

create masks / directory mode

When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise ANDed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit not set here will be removed from the modes set on a file when it is created. Following this, Samba will bit-wise OR the resulting UNIX mode with the value of the force create mode parameter, which is set to 000 by default.

Change the smb.conf file:

[TEMP]
     comment = data goes here
     path = /home/george/temp
     writeable = yes
     create mask = 0770
     directory mode = 0770

Then restart Samba:

/sbin/service smb restart

force group

To get rid of this we will now set the option force group to force the group of any created file in this directory structure to be home_users:

[karin_temp]
     comment = Karin's data
     path = /home/karin/karin_temp
     writeable = yes
     create mask = 0770
     force create mode = 0770
     force group = home_users

Change the smb.conf file:

[TEMP]
     comment = data goes here
     path = /home/george/temp
     writeable = yes
     create mask = 0770
     directory mode = 0770
     force group = users

Then restart Samba:

/sbin/service smb restart
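
One way to check that a share tree actually matches the 0770 masks and the forced group configured above. This is an added example, not part of the original page; it assumes GNU find, and audit_share is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: audit a Samba share directory against the policy set in
# smb.conf above (create mask / directory mode = 0770, force group = users).
# The masks and force group only apply to files created through Samba after
# the change; files that already existed, or that were written locally on
# the server, keep whatever mode and group they had, so they need checking.
#
# Usage: audit_share DIR GROUP
# Prints one line per violation and returns 1; prints nothing and returns 0
# when the tree is clean. Requires GNU find (-perm /MODE and -printf).
audit_share() {
    _share_dir=$1
    _want_group=$2
    _findings=$(
        # Any read, write or execute bit granted to "other" (mode & 007).
        # Symlinks are skipped because their own mode is always 0777.
        find "$_share_dir" ! -type l -perm /007 -printf 'other-bits %p\n'
        # Anything not owned by the group that force group should assign.
        find "$_share_dir" ! -type l ! -group "$_want_group" \
            -printf 'wrong-group %p\n'
    )
    if [ -z "$_findings" ]; then
        return 0
    fi
    printf '%s\n' "$_findings"
    return 1
}

# When run as a script with two arguments, audit that directory, e.g.
#   sh audit_share.sh /home/george/temp users
if [ "$#" -eq 2 ]; then
    audit_share "$1" "$2"
fi
```

Each reported path can then be corrected with chmod o-rwx or chgrp as appropriate.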