
Welcome to IWETHEY!

New Greg: Samba question
I would like to create a directory that people can
drop things off in, and then NEVER be allowed
to touch again. Once the file is written,
it should not ever change (at least by that
user). Nor should the user be allowed to
delete it.

Is this possible? The directory is a subdir
off a share.
New I would have to believe...
a combination of ACLs and Samba create modes should do it. Force the write as another Samba user, with group read only. Therefore they can create the file but as soon as they are done, it should be read only.

Also ACLs inheritance should be possible too. Iffn you want me to really look at doing it... I can. I'll even ask those that are in the know.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey

[link|http://it.slashdot.org/comments.pl?sid=134485&cid=11233230|"Microsoft Security" is an even better oxymoron than "Military Intelligence"]
No matter how much Microsoft supporters whine about how Linux and other operating systems have just as many bugs as their operating systems do, the bottom line is that the serious, gut-wrenching problems happen on Windows, not on Linux, not on Mac OS. -- [link|http://www.eweek.com/article2/0,1759,1622086,00.asp|source]
New Can force writes be done on a dir basis?
Or does it have to be share?
New I'll have ta ask. I believe you can do it per file...
But if so, it should be able to do it per dir.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey

New Please follow up
I try to ask general "is it possible" questions, so as to not waste my time chasing things that can't be done, but not your time either.

So I've been reading the smb.conf docs, and I can't figure it out, since the settings that I see (related to permissions and ownership) are all at the share level.

So I'm lost at this point.
New Personally I think you're SOL
I've never heard of such a thing.

The nearest I can think of is the INCOMING directory on public FTP servers, which are generally public write-only; you can't read anything in there nor get a directory listing.


Peter
[link|http://www.ubuntulinux.org|Ubuntu Linux]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Home]
Use P2P for legitimate purposes!
New That was my thought as well.
Another option might be to make the drop directory a write-only medium like a write-once CD. I'm not sure how you'd do that though.

Cheers,
Scott.
New Eh... Stupid solution?
A monitoring script that would mark file read only 0.5 second after it shows up? Or when it stops growing for 0.5 second? On NT, I would even vaguely know how to do it without polling.
--


"Consider a perfectly spherical cow, radiating milk isotropically."

-- [link|http://itre.cis.upenn.edu/~myl/languagelog/archives/002008.html|Language Log]

New Yeah, thought about it
I threw up my hands today, said "Screw it, I'm gonna cheat", and write a script that gets kicked off by crontab every 5 minutes to walk the dir tree (there can be many) and chmod / chown as needed.

And then, I said, "Screw it all. This is on the bottom of my priority list, why am I wasting oxygen thinking about it?"

My PFY was giving me odd looks at that point, and I didn't feel like explaining.

So I then buried it.
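
The cron sweep described in the post above, written out as an added example (not code from the thread). It assumes GNU find and a root crontab; the function name `seal_dropbox`, the script path and the account `dropkeeper` are hypothetical. A read-only file can still be deleted by anyone who can write to its directory, so the sweep also sets the sticky bit on each directory and can hand files to an owner other than the account clients write as.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU find (-mmin, -perm /222).
# Root crontab entry (script path and account name are hypothetical):
#   */5 * * * * /usr/local/sbin/seal_dropbox.sh /data/share/incoming 5 dropkeeper

# seal_dropbox ROOT [QUIET_MINUTES] [OWNER[:GROUP]]
# Prints the number of files made read-only on this pass.
seal_dropbox() {
    sd_root=$1
    sd_quiet=${2:-5}
    sd_owner=${3:-}
    if [ ! -d "$sd_root" ]; then
        echo "seal_dropbox: $sd_root is not a directory" >&2
        return 2
    fi

    # Sticky bit on every directory: in a sticky directory only the file's
    # owner, the directory's owner or root may delete or rename an entry.
    find "$sd_root" -xdev -type d ! -perm -1000 -exec chmod +t {} +

    # Hand quiet files to the keeper account first (chown needs root).
    # -mmin +N skips files modified in the last N minutes, so uploads that
    # are still in progress are left alone. -type f never matches symlinks.
    if [ -n "$sd_owner" ]; then
        find "$sd_root" -xdev -type f -mmin "+$sd_quiet" \
            ! -user "${sd_owner%%:*}" -exec chown "$sd_owner" {} +
    fi

    # Strip every write bit from quiet files that still have one, emitting
    # one byte per file so the count is safe for any file name.
    sd_count=$(find "$sd_root" -xdev -type f -mmin "+$sd_quiet" -perm /222 \
        -exec chmod a-w {} \; -exec printf x \; | wc -c)
    echo $((sd_count))
}

# Run directly when given arguments, e.g. from cron.
if [ "$#" -gt 0 ]; then
    seal_dropbox "$@"
fi
```

The sweep narrows the window in which a dropped file can be changed to the cron interval plus the quiet period; it does not close it.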
New Having just wrapped this sort of thing up in OS
it sounds like a classic "this can only be solved by capabilities vs. access lists" problem.

This came right after we were taught how to write buffer overflows. Wheee! ;)
--
-------------------------------------------------------------------
* Jack Troughton                            jake at consultron.ca *
* [link|http://consultron.ca|http://consultron.ca]                   [link|irc://irc.ecomstation.ca|irc://irc.ecomstation.ca] *
* Kingston Ontario Canada               [link|news://news.consultron.ca|news://news.consultron.ca] *
-------------------------------------------------------------------
New I think we are chasing several dead-ends
I keep coming back to:

forced owner and group.

Group is write only, so basically like this in the filesystem:

The Directory:
/data/share/incoming chmod 6720, chown spooler.writeonlygroup

Force samba to write the file as user spooler. Which I believe you already do. And force the create mode as 0620.

When the user drops a file there, it basically disappears. Nothing will show up for them at all.

You might wanna create a share called incoming, and make it a subdir of /data/share/

The chmod would keep out normal users too.

I had a problem with a directory done this way (accidentally) *I* could see and use it. (mainly because I was an admin user) but nobody else could get in and see what was there.

Edit:
One last thing, we have to remember Samba follows any restriction the OS puts on it. Even if you want something else in the samba config. Using the OS to create a restricted area itself, but then force a few things to work with the OS restriction underneath Samba, I believe is the way to go.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey

Edited by folkert April 8, 2005, 12:06:26 PM EDT
New Share only I believe
although you can further restrict other folders by changing the folder permissions.

force user = nonuser (or any user you want to edit the files)
force create mode = 0640

Note I haven't tried this myself, YMMV
~~~)-Steven----

"I want you to remember that no bastard ever won a war by dying for his country.
He won it by making the other poor dumb bastard die for his country..."

General George S. Patton
Edited by Steven A S April 8, 2005, 02:25:52 PM EDT
     Greg: Samba question - (broomberg) - (11)
         I would have to believe... - (folkert) - (10)
             Can force writes be done on a dir basis? - (broomberg) - (9)
                 I'll have ta ask. I believe you can do it per file... - (folkert) - (7)
                     Please follow up - (broomberg) - (6)
                         Personally I think you're SOL - (pwhysall) - (1)
                             That was my thought as well. - (Another Scott)
                         Eh... Stupid solution? - (Arkadiy) - (2)
                             Yeah, thought about it - (broomberg) - (1)
                                 Having just wrapped this sort of thing up in OS - (jake123)
                         I think we are chasing several dead-ends - (folkert)
                 Share only I believe - (Steven A S)
