[H-GEN] 1. Public Samba share 2. apache Samba share

R&J Stuart rjstuart at bigpond.net.au
Mon Aug 4 06:47:47 EDT 2003 

[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

Hi Alex,

Alex Delaforce wrote:
> 1. BUT, I've set up a public area where anyone can put files to be
> shared within the LAN - the folder shows on the network neighborhood
> view on the XP box but when I try to connect I get the 'share
> unavailable' message indicating that I do not have permission to view
> the share.
> 
> Here is the entry in the smb.conf file
> 
> [public]
>  comment = Public Stuff
>   path = /home/shared/public/
>    write list = root, alex, jane, simon, @users
>     public = yes
>      read list = root, alex, jane, simon, @users
>       guest ok = no

Ok.  I'm not sure, but "public=yes" and "guest ok=no" might be 
contraditory.  Also, become one of the users (eg alex) and make sure you 
can do an ls in that directory.  I'm not sure of the implications of 
having a write and read list when the share is public.  I'd just have 
"valid users = @writegrp".  I'd recommend never putting root in a samba 
share.

> 2. For my apache share I have read about forcing the files written via a
> Samba share to take on the 'apache' group or user owner. If anyone has a
> sample [web] share that includes this I would like to have this
> explained to me.

Apache should run with user apache and group apache.  You should NOT add 
other users to this group.  The idea is that your webserver runs as a 
user with NO extra privileges and so can't easily change anything should 
it be compromised.  Instead, make sure that all web content is world 
readable "-rw-rw-r--" and in the case of directories world searchable 
"drwxrwsr-x".

This is what I have for our home website (my wife uses dreamweaver for 
web dev):

[web]
   comment = Web
   path = /home/web/html
   valid users = @webedit
   public = no
   writable = yes
   force create mode = 0664
   force directory mode = 2775

also:
$ls -ld /home/web/html
drwxrwsr-x 13 robert webedit 4096 Jun 29 22:19 /home/web/html

The apache root has been changed to point at that directory.

Note that the directory also has the setguid bit set.  This means that 
the files and subdirectories under it get created with the group of the 
directory not the user's primary group (which in this case I think is 
robert).  This is very useful.  Also note the "force * mode" directives 
in the samba share also help to ensure that these permissions are 
propogated.

The "force user" and "force group" samba directives should be used 
extremely carefully - really not at all.

Good Luck.

Regards,

Robert


--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/

More information about the General mailing list