[Solved] Understanding and managing shares

(@deljones)
New Member
Joined: 4 years ago
Posts: 2
Topic starter  

Hello all.

I am trying to understand sharing on a pi. Here is what I have.

Three users, 1, 2, 3. They each have a folder. I also have a public folder.

Samba is installed and working. Here is the problem.

The public share works, users 1,2, and 3 can see it, read and write to it over the network. Good...

Users 1 to 3, after they have entered the server address then get asked for their credentials after which they get logged in. Good

However on a MAC, for example, when user 1 logs in they are then presented with a list of "volumes" to select. The volumes are the other users and the public folder.

If user 1 selects user 2's folder it opens meaning user 1 can now see all of user 2's stuff and user 3! Bad

In fact, any of the users can log in, with the right credentials, but once on they can see and modify all the other users folders and content! Bad

Whew!!!! What have I done wrong here?

It's a permissions thing I know but I'm trying to get it so users 1 to 3 can log in anywhere on the LAN and see ONLY their own folders (R/W) and of course the public folder...

[user1]
comment= user1 folder
path=/home/user1
browseable=yes
writeable=Yes
only guest=no
create mask=0777
directory mask=0777
public=no

[user2]
comment= user2 folder
path=/home/user2
browseable=yes
writeable=Yes
only guest=no
create mask=0777
directory mask=0777
public=no

[user3]
comment= user3 folder
path=/home/user3
browseable=yes
writeable=Yes
only guest=no
create mask=0777
directory mask=0777
public=no

[public]
Comment = Public shared folder
Path = /share
Browseable = yes
Writeable = Yes
only guest = no
create mask = 0777
directory mask = 0777
Public = yes
Guest ok = yes

Help! I'm almost there. I think.

Here is the section of my samba.conf file showing the users etc.

Best wishes

Dj

 

 

 


   
 Hans
(@hans)
Famed Member Admin
Joined: 11 years ago
Posts: 2741
 

Hi Deljones!

Posted by: @deljones

Users 1 to 3, after they have entered the server address then get asked for their credentials after which they get logged in. Good

However on a MAC, for example, when user 1 logs in they are then presented with a list of "volumes" to select. The volumes are the other users and the public folder.

This is typical Mac behavior when just entering the server name/IP address, for example:

smb://192.168.1.100

To avoid this, use the full path to the share, for example:

smb://192.168.1.100/user2

 

As for the undesired access (eg. User1 can work with the files of User2):
I suspect this has to do with your directory mask setting

create mask=0777
directory mask=0777

 

I'm definitely not a Linux/Samba expert, but from the Samba documentation for directory masks:

    This parameter is the octal modes which are used when converting DOS modes to UNIX modes when creating UNIX directories.
...
    The default value of this parameter removes the 'group' and 'other' write bits from the UNIX mode,
    allowing only the user who owns the directory to modify it.

    Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force directory
    mode parameter. This parameter is set to 000 by default (i.e. no extra mode bits are added).

    Default: directory mask = 0755  

So the mask you're using (777) actually gives full access to everybody (see also my chmod calculator).
The mask 755 on the other hand, allows only the owner (and root of course) to write files (others can still read).

Maybe you'd like to tighten this even more, but Samba may do an odd translation of the rights. You may need to do a little experimenting.
I also presume that create mask needs to be corrected as well.

Also note: you may need to update the access rights of the affected directories and files on your Raspberry Pi.
However, before doing this, I'd recommend testing the directory mask and create mask first.
If you have root access to your Raspberry Pi (which I assume you have), and you still see the undesired access, then you can look into changing the directory/file access rights with chmod (with chmod -R xyz where xyz is the mask you'd like to use).

Hope this helps 😊 


   
 Hans
(@hans)
Famed Member Admin
Joined: 11 years ago
Posts: 2741
 

Just another thing that may be helpful, which I found here:

valid users

To restrict users per share, you can use the valid users parameter. In the example below, only the users listed as valid will be able to access the tennis share.

(modified for your user1)

[user1]
path = /home/user1
comment = authenticated and valid users only
read only = No
guest ok = No
valid users = user1 root admin

 

Note: The link seems a little dated, but the Samba.org Documentation mentions it as well.

 


   
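Added example (not part of the original thread, and not code from the Samba project): a small audit of share sections for the two settings discussed above, a missing "valid users" line and masks that keep the world-write bit. The function name audit_shares, the share name [user1_fixed] and the sample text are assumptions made for illustration; Python's configparser is used as an approximation of smb.conf syntax.

```python
import configparser

# Constructed sample: [user1] and [public] follow the shares posted in this
# thread; [user1_fixed] is a hypothetical name for the share with the
# "valid users" line from the reply above.
SAMPLE = """
[user1]
path=/home/user1
writeable=Yes
create mask=0777
directory mask=0777
public=no

[user1_fixed]
path = /home/user1
read only = No
guest ok = No
valid users = user1 root admin

[public]
Path = /share
Writeable = Yes
create mask = 0777
Public = yes
Guest ok = yes
"""

def audit_shares(conf_text):
    """Return {share: [findings]} for each share section except [global]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # Samba ignores case and spaces in parameter names, so normalise them.
    cp.optionxform = lambda key: "".join(key.lower().split())
    cp.read_string(conf_text)
    report = {}
    for name in cp.sections():
        if name.lower() == "global":
            continue
        share, findings = cp[name], []
        # "public" is a synonym for "guest ok".
        if any(share.get(k, "no").lower() == "yes" for k in ("guestok", "public")):
            findings.append("guest access allowed")
        elif not share.get("validusers", "").strip():
            findings.append("no 'valid users': any authenticated account may connect")
        for key in ("createmask", "directorymask"):
            mode = int(share.get(key, "0"), 8)  # absent: Samba default, not flagged
            if mode & 0o002:
                findings.append(f"{key} {mode:04o} keeps the world-write bit")
        report[name] = findings
    return report
```

Calling audit_shares(SAMPLE) returns an empty list for [user1_fixed] and three findings for the [user1] share as originally posted.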
 Hans
(@hans)
Famed Member Admin
Joined: 11 years ago
Posts: 2741
 

Almost forgot to mention ConnectMeNow for Mac users (free), which may make access easier once the access rights issue has been resolved.


   
(@deljones)
New Member
Joined: 4 years ago
Posts: 2
Topic starter  

@hans thank you so very much...

Adding the line:

valid users = user1 root admin

 

did the trick... On a MAC anyway.... It does exactly what I need.

If a user clicks on any of the folders that they don't have a password for then they are denied access, except of course for their own folder and the public.

Thanks very much for your help, I really appreciate it.

My first time on this forum, my first call for help, and solved within an hour!!!

I'm not rolling this out yet, I'll test it some more and make sure and try it on a Windows & Linux box, but I'm confident.

Have a great weekend

Dj


   
 Hans
(@hans)
Famed Member Admin
Joined: 11 years ago
Posts: 2741
 

Awesome! Good to hear you may have things working 😊 

As for the quick help; you're most welcome! I happened to sit behind my computer 😜 


   