Samba share permissions simplified

by LinuxTitli · 14 comments

Samba software, is a free, open source implementation of networking protocols to share files between UNIX/Linux and Windows computers.

Samba provides -
=> File and print services

=> Integration with a Windows Server domain / PDC

=> Part of Active Directory domain etc

Permission precedence

Samba comes with different types of permissions for share. Try to remember few things about UNIX and Samba permissions.
(a) Linux system permissions take precedence over Samba permissions. For example if a directory does not have Linux write permission, setting samba writeable = Yes (see below) will not allow to write to shared directory / share.

(b) The filesystem permission cannot be take priority over Samba permission. For example if filesystem mounted as readonly setting writeable = Yes will not allow to write to any shared directory or share via samba server.

In short (thanks to Craig [see below in comment section]) :
Limits set by kernel-level access control such as file permissions, file system mount options, ACLs, and SELinux policies cannot be overridden by Samba. Both the kernel and Samba must permit the user to perform an action on a file before that action can occur.

How do I set permissions to Samba shares?

Samba Basic permissions are as follows (configuration file is smb.conf [/etc/samba/smb.conf]):

  • read only: This parameter controls whether an user has the ability to create or modify files within a share. This is default.
  • guest ok: Uf this parameter is set to yes, the users will have access to the share without
    having to enter a password. This can pose security risk.
  • writeable: Specifies users should have write access to the share.

You can create the share called helpfiles with read only permission
[helpfiles]
path = /usr/share/docs
read only = Yes

You can create the share called salesdoc with write permission
[salesdoc]
path = /home/shared/sales
writeable = Yes

You can also create a list of users to give write access to the share with write list option. For example allow rocky and tony to write to the share called sales:
[salesdoc]
path = /home/shared/sales
write list = rocky tony

You can use following options

  • read list: This option accepts a list of usernames or a group as its value. Users will be given read-only access to the share.
  • valid users: You can make a share available to specific users. Usernames or group names can be passed on as its value.
  • invalid users: Users or groups listed will be denied access to this share.

Samba mask permission

It is also possible to specify samba default file creation permission using mask.

  • create mask: This option is set using an octal value when setting permissions for files.
  • directory mask: Directories must have the execute bit for proper access. Default parameter is 0755.

[salesdoc]
path = /home/shared/sales
write list = rocky sys
create mask = 0775

References

Featured Articles:

Want to read Linux tips and tricks, but don't have time to check our blog everyday? Subscribe to our daily email newsletter to make sure you don't miss a single tip/tricks. Subscribe to our weekly newsletter here!

{ 14 comments… read them below or add one }

1 _ranger_ 01.17.07 at 9:02 am

Instead of keeping your access controls in the samba configuration (write list =), rather apply unix permissions (eg create groups etc. etc.). Then, the access controls will apply when you (eventually) use services besides samba (e.g. NFS, web servers or webdav etc. etc.).

2 nixcraft 01.17.07 at 10:25 pm

_ranger_,

You’ve raised some good points

Appreciate your post.

3 Craig Ringer 02.03.07 at 8:53 pm

(b) is wrong:

“(b) The filesystem permission cannot be take priority over Samba permission.”

I think you meant “Samba can not override limits set by file system mount options.”.

Strictly, you can just combine (a) and (b) into:

“Limits set by kernel-level access control such as file permissions, file system mount options, ACLs, and SELinux policies cannot be overridden by Samba. Both the kernel and Samba must permit the user to perform an action on a file before that action can occur.”

4 Hugh Grant 02.06.07 at 7:31 pm

The range of settable perameters in Samba is confusing to me. For example if I set
writable = yes
read only = yes
what happens? hopefully an error. But if
writable = no
write list = peter paul
Does paul get write access? Presumably mary only gets read access.

5 Mukund 02.14.07 at 2:52 pm

Guys,
I have a problem trying to communicate with samba server setup on Fedora core 4 from my windows xp machine..
I see only the folders and there are no files
I dont get to even see them on my windows PC when i try to access the corresponding samba related folders…
Any idea..Kindly help :)

6 nixcraft 02.15.07 at 4:30 am

@Hugh,

If user peter paul is in both the read list and the write list then they will be given write access.

If the connecting user is in this list then they will be given write access, no matter what the read only option is set to.

However in your specific example peter or paul will not get write access and writable is specifically set to NO.

7 nixcraft 02.15.07 at 4:32 am

Mukund,

Can you paste your smb.conf file (or better use our forum nixcraft.com for more info)

8 nixcraft 02.15.07 at 4:35 am

@Craig,

Yes, you are right. I will update this article to point to your comment.

Appreciate your post.

9 hmcentury 05.05.07 at 3:51 am

I have had linux joined the windows domain.Now I can log in the samba from windows client.But I get a message “Acess Denied” when I manage the share ACL using remote management. I don’t know why.How to control the samba share acl in the smb.conf?

How to simulta the ACL of windows in samba?

What’s your Email。I have another questions wanted to kown。

10 Sharad 07.19.08 at 10:39 am

Can you help me with creating an access list/ ip table as how to provide permissions to samba share for specific systems with specific ip addresses

11 Mustafa 02.18.09 at 9:08 am

I have the same problem, I have set my simple samba server in SUSE Linux and put the smb.conf file as follows

[global]
workgroup = ftpgrp
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
security = user
encrypt passwords = yes
local master = yes
writable = yes
passdb backend = smbpasswd
domain master = yes
preferred master = yes
os level = 2
wins support = yes
[output]
comment = Network Profiles Service
path = /rbidata/RBIPublic/output/
write list = tigocdr
store dos attributes = Yes
create mask = 0600
directory mask = 0777
browseable = yes
guest ok = no
printable = no
[bak]
comment = Network Profiles Service
path = /rbidata/RBIPublic/bak/
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
browseable = yes
guest ok = no
printable = no
but still the user “tigocdr” can not write to output directory
why??

12 Jon Cage 03.30.09 at 11:00 pm

@Mustafa: What permissions are set on /rbidata/RBIPublic/output/ and who owns that directory and/or whatever it is you’re trying to write to?

13 V.Balaviswanathan 04.27.09 at 1:12 pm

Hi NixCraft,

I have a doubt I have configured samba on Ubuntu 9.04 and i am able to connect to windows properly but not with Linux (ubuntu 9.04) and moreover the users must be able to create a folder and each time when I connect to this share , it must request for a password. Kindly help me please.I would be thankful to you

14 Marcelo 10.01.09 at 3:32 pm

Hi.

Thanks for this tutorial
If someone needs to get deeper, I recommend:
http://oreilly.com/catalog/samba/chapter/book/ch06_02.html
cheers

Leave a Comment

You can use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Previous post:

Next post: