Samba share permissions simplified
Samba software, is a free, open source implementation of networking protocols to share files between UNIX/Linux and Windows computers.
Samba provides -
=> File and print services
=> Integration with a Windows Server domain / PDC
=> Part of Active Directory domain etc
Permission precedence
Samba comes with different types of permissions for share. Try to remember few things about UNIX and Samba permissions.
(a) Linux system permissions take precedence over Samba permissions. For example if a directory does not have Linux write permission, setting samba writeable = Yes (see below) will not allow to write to shared directory / share.
(b) The filesystem permission cannot be take priority over Samba permission. For example if filesystem mounted as readonly setting writeable = Yes will not allow to write to any shared directory or share via samba server.
In short (thanks to Craig [see below in comment section]) :
Limits set by kernel-level access control such as file permissions, file system mount options, ACLs, and SELinux policies cannot be overridden by Samba. Both the kernel and Samba must permit the user to perform an action on a file before that action can occur.
How do I set permissions to Samba shares?
Samba Basic permissions are as follows (configuration file is smb.conf [/etc/samba/smb.conf]):
- read only: This parameter controls whether an user has the ability to create or modify files within a share. This is default.
- guest ok: Uf this parameter is set to yes, the users will have access to the share without
having to enter a password. This can pose security risk. - writeable: Specifies users should have write access to the share.
You can create the share called helpfiles with read only permission
[helpfiles]
path = /usr/share/docs
read only = Yes
You can create the share called salesdoc with write permission
[salesdoc]
path = /home/shared/sales
writeable = Yes
You can also create a list of users to give write access to the share with write list option. For example allow rocky and tony to write to the share called sales:
[salesdoc]
path = /home/shared/sales
write list = rocky tony
You can use following options
- read list: This option accepts a list of usernames or a group as its value. Users will be given read-only access to the share.
- valid users: You can make a share available to specific users. Usernames or group names can be passed on as its value.
- invalid users: Users or groups listed will be denied access to this share.
Samba mask permission
It is also possible to specify samba default file creation permission using mask.
- create mask: This option is set using an octal value when setting permissions for files.
- directory mask: Directories must have the execute bit for proper access. Default parameter is 0755.
[salesdoc]
path = /home/shared/sales
write list = rocky sys
create mask = 0775
References
- Samba documentation
- Samba man pages - smb.conf
Want to stay up to date with the latest Linux tips, news and announcements? Subscribe to our free e-mail newsletter or RSS feed to get all updates.
You can Email this page to a friend.
You may also be interested in other helpful articles:
- Tip of the day: Automount your Linux samba host into a Windows environment
- Browse a Samba or MS Windows share in Nautilus
- Linux find or look for available smb shares on a server
- What is umask and how to setup default umask under Linux?
- Download of the day: SSLBridge AJAX based samba and windows share browser
Discussion on This Article:
Leave a Reply
We encourage your comments, and suggestions. But please stay on topic, be polite, and avoid spam. Thank you very much for stopping by our site!



Instead of keeping your access controls in the samba configuration (write list =), rather apply unix permissions (eg create groups etc. etc.). Then, the access controls will apply when you (eventually) use services besides samba (e.g. NFS, web servers or webdav etc. etc.).
_ranger_,
You’ve raised some good points
Appreciate your post.
(b) is wrong:
“(b) The filesystem permission cannot be take priority over Samba permission.”
I think you meant “Samba can not override limits set by file system mount options.”.
Strictly, you can just combine (a) and (b) into:
“Limits set by kernel-level access control such as file permissions, file system mount options, ACLs, and SELinux policies cannot be overridden by Samba. Both the kernel and Samba must permit the user to perform an action on a file before that action can occur.”
The range of settable perameters in Samba is confusing to me. For example if I set
writable = yes
read only = yes
what happens? hopefully an error. But if
writable = no
write list = peter paul
Does paul get write access? Presumably mary only gets read access.
Guys,
I have a problem trying to communicate with samba server setup on Fedora core 4 from my windows xp machine..
I see only the folders and there are no files
I dont get to even see them on my windows PC when i try to access the corresponding samba related folders…
Any idea..Kindly help
@Hugh,
If user peter paul is in both the read list and the write list then they will be given write access.
If the connecting user is in this list then they will be given write access, no matter what the read only option is set to.
However in your specific example peter or paul will not get write access and writable is specifically set to NO.
Mukund,
Can you paste your smb.conf file (or better use our forum nixcraft.com for more info)
@Craig,
Yes, you are right. I will update this article to point to your comment.
Appreciate your post.
I have had linux joined the windows domain.Now I can log in the samba from windows client.But I get a message “Acess Denied” when I manage the share ACL using remote management. I don’t know why.How to control the samba share acl in the smb.conf?
How to simulta the ACL of windows in samba?
What’s your Email。I have another questions wanted to kown。
Can you help me with creating an access list/ ip table as how to provide permissions to samba share for specific systems with specific ip addresses