Page 1 of 1
Forum

Welcome to the Tweaking4All community forums!
When participating, please keep the Forum Rules in mind!

Topics for particular software or systems: Start your topic link with the name of the application or system.
For example “MacOS X – Your question“, or “MS Word – Your Tip or Trick“.

Please note that switching to another language when reading a post will not bring you to the same post, in Dutch, as there is no translation for that post!




Understanding and m...
 
Share:
Notifications
Clear all

Understanding and managing shares


(@deljones)
New Member
Joined: 7 months ago
Posts: 2
Topic starter  

Hello all.

I am trying to understand sharing on a pi. Here is what I have.

Three users, 1, 2, 3. They each have a folder. I also have a public folder.

Samba is installed and working. Here is the problem.

The public share works, users 1,2, and 3 can see it, read and write to it over the network. Good...

Users 1 to 3, after they have entered the server address then get asked for their credentials after which they get logged in. Good

However on a MAC, for example, when user 1 logs in they are then presented with a list of "volumes" to select. The volumes are the other uses and the public folder.

If user 1 selects user 2's folder it opens meaning user 1 can now see all of user 2's stuff and user 3! Bad

In fact, any of the users can log in, with the right credentials, but once on they can see and modify all the other users folders and content! Bad

Whew!!!! What have I done wrong here?

It's a permissions thing I know but I'm trying to get it so users 1 to 3 can log in anywhere on the LAN and see ONLY their own folders (R/W) and of course the public folder...

[user1]
comment= user1 folder
path=/home/user1
browseable=yes
writeable=Yes
only guest=no
create mask=0777
directory mask=0777
public=no

[user2]
comment= user2 folder
path=/home/user2
browseable=yes
writeable=Yes
only guest=no
create mask=0777
directory mask=0777
public=no

[user3]
comment= user3 folder
path=/home/user3
browseable=yes
writeable=Yes
only guest=no

create mask=0777
directory mask=0777
public=no

[public]
Comment = Public shared folder
Path = /share
Browseable = yes
Writeable = Yes
only guest = no
create mask = 0777
directory mask = 0777
Public = yes
Guest ok = yes

Help! I'm almost there. I think.

Here is the section of my samba.conf file showing the users etc.

Best wishes

Dj

 

 

 


ReplyQuote
Topic Tags
 Hans
(@hans)
Noble Member Admin
Joined: 8 years ago
Posts: 2012
 

Hi Deljones!

Posted by: @deljones

Users 1 to 3, after they have entered the server address then get asked for their credentials after which they get logged in. Good

However on a MAC, for example, when user 1 logs in they are then presented with a list of "volumes" to select. The volumes are the other uses and the public folder.

This is typical Mac behavior when just entering the server name/IP address, for example:

smb://192.168.1.100

To avoid this, use the full path tot he share, for example:

smb://192.168.1.100/user2

 

As for the undesired access (eg. User1 can work with the files of User2):
I suspect this has to do with your directory mask setting

create mask=0777
directory mask=0777

 

I'm definitely not a Linux/Samba expert, but from the Samba documentation or directory masks:

    This parameter is the octal modes which are used when converting DOS modes to UNIX modes when creating UNIX directories.
...
    The default value of this parameter removes the 'group' and 'other' write bits from the UNIX mode,
    allowing only the user who owns the directory to modify it.

    Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force directory
    mode parameter. This parameter is set to 000 by default (i.e. no extra mode bits are added).

    Default: directory mask = 0755  

So the mask you're using (777) actually gives full access to everybody (see also my chmod calculator).
The mask 755 on the other hand, allows only the owner (and root of course) to write files (others can still read).

Maybe you'd like to tighten this even more, but Samba may do an odd translation of the rights. You may need to do a little experimenting.
I also presume that create mask needs to be corrected as well.

Also note: you may need to update the access rights of the affected directories and files on your Raspberry Pi.
However, before doing this, I'd recommend testing the directory mask and create mask first.
If you have root access to your Raspberry Pi (which I assume you have), and you still see the undesired access, then you can look into changing the directory/file access rights with chmod (with chmod -R xyz wher xyz is the mask you'd like to use).

Hope this helps 😊 


ReplyQuote
 Hans
(@hans)
Noble Member Admin
Joined: 8 years ago
Posts: 2012
 

Just another thing that may be helpful, which I found here:

valid users

To restrict users per share, you can use the valid users parameter. In the example below, only the users listed as valid will be able to access the tennis share.

(modified for your user1)

[user1]
path = /home/user1
comment = authenticated and valid users only
read only = No
guest ok = No
valid users = user1 root admin

 

Note: The link seems a little dated, but the Samba.org Documentation mentions it as well.

 


deljones liked
ReplyQuote
 Hans
(@hans)
Noble Member Admin
Joined: 8 years ago
Posts: 2012
 

Almost forgot to mention ConnectMeNow for Mac users (free), which may make access easier once the access rights issue has been resolved.


ReplyQuote
(@deljones)
New Member
Joined: 7 months ago
Posts: 2
Topic starter  

@hans thank you so very much...

Adding the line:

valid users = user1 root admin

 

did the trick... On a MAC anyway.... It does exactly what I need.

If a user clicks on any of the folders that they don't have a password for then they are denied access, except of course for their own folder and the public.

Thanks very much for your help, I really appreciate it.

My first time on this forum, my first call for help, and solved within an hour!!!

I'm not rolling this out yet, I'll test it some more and make sure and try it on a Windows & Linux box, but I'm confident.

Have a great weekend

Dj


ReplyQuote


 Hans
(@hans)
Noble Member Admin
Joined: 8 years ago
Posts: 2012
 

Awesome! Good to hear you may have things working 😊 

As for the quick help; you're most welcome! I happened to sit behind my computer 😜 


ReplyQuote

Like what you see and you'd like to help out? 

The best way to help is of course by assisting others with their questions here in the forum, but you can also help us out in other ways:

- Do your shopping at Amazon, it will not cost you anything extra but may generate a small commission for us,
- send a cup of coffee through PayPal ($5, $10, $20, or custom amount),
- become a Patreon,
- donate BitCoin (BTC), or BitCoinCash (BCH).

Share: