N40L - Windows SAMBA sharing and SFTP help

Hi all,

My N40L is running Ubuntu 12.04 Server and I'm sharing to Windows XP, 7, 8 computers through Samba. To get this working, I set all permissions on the Samba drives to 777. I also SFTP into the server to grab/throw files on. For me, everything is working just fine.

I've got relatives overseas and I want to give them access to my drive (so they can look at photos, etc. I've got on there). This is where the problem lies. I don't mind them looking at all I've got, but I want to restrict them to read-only, or maybe read and upload to server, but I specifically do not want them to be able to delete files. They're elderly and it was them that actually asked if it's possible as they're scared of doing something wrong. This, naturally, makes me twice as scared.

From what I've tried, I can't change the permissions on the drive without ruining the 'write' permissions when I'm using my Windows machines, or am I just doing something wrong?

Please help!

Cheers,

SlayerYoda

Comments

  • +2

    Where you are going wrong is (presumably) using the anonymous samba connection profile to have full permissions. Note that this is connected, but not quite the same as the file system permissions.

    To do what you want you should make an account for your personal usage, which has full write access, and change anonymous (or make a new account) which does not. You can create a share or part of a share called 'public' or 'uploads' that everyone can write to.

    Accounts in samba can be connected to accounts in Ubuntu. They can be limited in their actions both by samba and by Ubuntu. So assuming you have complete anon access set up you can either:

    • Restrict anon access in samba, and create a new account with full access
      OR
    • Create a new account and change the permission in the file system so only the new one can write where you want.

    The second is more powerful but also more complicated.

    As for file permissions, the '777' you refer to works like this:

    • The first number is for the user who 'owns' the file. The owner can also be changed. This refers to the Ubuntu user, samba will decide what user it uses (based on config and own permissions).
    • The second number is for a user who belongs to the file's group. The file's group can be changed. Users can belong to any number of groups. The user used is as per above.
    • The third number is for everyone else.

    The number itself represents read(4), write(2) and execute(1) added together. Execute is a special unix permission and aside from directories should probably NOT be used for files in a samba share (so using 7 isn't a great idea).

    As you can probably tell by now this is REALLY complicated. There are lots of ways of doing what you want, depending on your existing setup, need for flexibility and what areas you are most familiar with. Hopefully this gives you a good start.

    • Thanks for the in-depth reply Bruce! I've been thinking that I need to create a new account in Ubuntu (and, presumably, SAMBA) to get moving along, and you've confirmed that.

      I've tried searching online, but Google wasn't nearly as useful as it usually is, maybe because I'm punching above my weight with this.

      I've read online that Samba permissions run secondary to Ubuntu permissions, which I thought implied that I needed an Ubuntu account to have a Samba one. From what you're saying that's not the case?

      Once again thanks a lot for the reply. I've got a lot more reading to do, as I'm still in the grey about how Windows communicates with Samba on a 'user' level.

      I'll also start removing the 'execute' permission on my samba shares :)

      EDIT: Underscores at the front and end of your name make it appear in italics lol

      • +1

        To help you out a bit I will break down the steps I would take to do this. You should not need a new Ubuntu user if you don't want one.

        Step 1: Find out what user you have samba configured to use in ubuntu for anonymous connections (still assuming you are using anonymous connections). Add a new samba user (not anon) which uses your standard Ubuntu account or a new one you create.

        Step 2: Create a new group called sambawrite (or whatever). Set the group for all samba shared files to sambawrite. Set the permissions to 664 for files (775 for directories). You can set 666/777 for stuff you want globally writable.

        Step 3: Use windows to connect with the new samba account.

        • That sounds perfect. This way it'll be easy to add a new Ubuntu user outside of the sambawrite group for the sftp to send to relatives.

          Thanks a lot :)
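
The file-system side of the steps above (group ownership, 664 for files, 775 for directories), as an added example that is not part of any poster's reply. The function names and the sample tree are constructed for illustration; `sambawrite` is the group name suggested in the thread, and passing it requires that the group already exists and that you may `chgrp` to it.

```shell
# make_sample_share: build a throwaway tree that mimics the "everything 777"
# starting point described in the question (constructed sample data).
make_sample_share() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/photos" "$d/uploads"
    touch "$d/photos/a.jpg" "$d/photos/b.jpg" "$d/uploads/readme.txt"
    chmod -R 777 "$d"
    echo "$d"
}

# apply_share_modes DIR [GROUP]: 775 on directories, 664 on files.
# If GROUP is given (e.g. sambawrite), hand group ownership to it first.
apply_share_modes() {
    dir=$1
    group=${2:-}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    if [ -n "$group" ]; then
        chgrp -R "$group" "$dir" || return 1
    fi
    find "$dir" -type d -exec chmod 775 {} +
    find "$dir" -type f -exec chmod 664 {} +
}

# list_world_writable DIR: anything the "everyone else" digit can still modify.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# list_executable_files DIR: regular files that still carry an execute bit.
list_executable_files() {
    find "$1" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print
}

# others_can_delete_in DIR: deleting a file needs write(2)+execute(1) on the
# directory that holds it, so check those two bits in the "others" digit.
others_can_delete_in() {
    [ -n "$(find "$1" -maxdepth 0 -type d -perm -0003 -print)" ]
}

# Typical use on a real share (path is a placeholder):
#   apply_share_modes /path/to/share sambawrite
#   list_world_writable /path/to/share   # should print nothing
```

An account outside the group then falls under the third digit (5 on directories, 4 on files): it can list and read, but cannot create, rename or delete entries.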

  • Seeing as you have an N40L you have a 'proper' server to play with so there's no need to be restricted to simple protocols like SAMBA or FTP (neither of which are particularly secure). What I'd do is look into using something that's meant for media sharing and also has a nice interface rather than trying to teach people who may not be tech-savvy how to use FTP clients, VPNs or other nonsense.

    I've heard good things about OpenCloud (http://owncloud.org/features/). Software options like this allow much more control over who can see what as it manages its own access control so you won't have to mess around with UNIX file permissions, SAMBA permissions etc.

    Whilst there's a time and a place for having your server properly configured with user accounts and tight file permissions it's actually quite a bit of maintenance and hard to get right - especially if you decide to quickly add someone or grant guest or anonymous access to data. Just use a product that's designed to make things easy for you.

    If you have music/video to share then I'm also a massive fan of Subsonic (http://www.subsonic.org/). It's awesome.

    • While your options may have merit, I have a few observations:

      1: Samba is hardly 'simple' and it IS particularly secure. Its number one advantage though is native windows file sharing support, which is still the reason it comes out ahead of many options.

      2: The OP referred to sftp, not ftp. sftp is, again, very secure (ftp has effectively no security at all).

      • By 'simple' protocols I mean using a kind of 'base' protocol where you're going to have to manage the setup yourself (like configuring the smb.conf etc.) not that they are 'trivial'.

        You're right about SFTP, though, that is secure; I misread it as FTP. As for SAMBA it's far from ideal - passwords not always secure, it's incredibly 'chatty' and it was just never designed to be used over the internet. I'd avoid it like the plague.

        Both of these still suffer from the problem that you're going to have nightmares with getting file permissions right if you're not experienced with *NIX. Restricting access, adding new users, adding anonymous or guests account will be hell on earth for the OP. I'd not recommend someone use them if they don't know what they're doing as they're very unforgiving. A mixup with permissions or leaving guest access open, or not restricting all the user accounts available on the system is just inviting people to pillage your data. If you don't know what you're doing, go for an established user-centric solution I'd say.

        Each to their own though.

    • Thanks for the heads up zfa. I use SMB for my internal drive sharing, so it's very convenient for that purpose. For the remote logging part, I'll definitely give OpenCloud a look.
