File/Dir permissions in smb.shares



When unRAID writes the /etc/samba/smb.shares file, it uses:

 

        create mask = 0711

        directory mask = 0711

 

Which makes files readable by root, and un-readable by all other users.  (A small nit... samba should have called these "permission" rather than "mask" since it erroneously implies that it is like a umask setting, which it is not... it is the same values as would be used by chmod).

 

Since many people are running other applications on the unRAID servers, such as FTP, lighttpd, VM, and slimserver, these apps can't read the files, unless they are running as root (unless the user goes in and chmod/chown them).  That is not good from a security or stability point, and it is not possible for some, which refuse to run as root.

 

On my main system, I have been rewriting the smb.shares file and restarting samba with these permissions:

 

        create mask = 0644

        directory mask = 0755

 

This gives everyone read access to files and directories created via samba shares.

 

It would be helpful if either the default changed in unRAID, or two fields were available in the unRAID management interface to allow the user to decide what the create mask and directory mask for samba should be.

 

Link to comment
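What the two mask pairs in the post above produce, as an added example (not code from the post or from unRAID): a simplified Python model of the calculation smb.conf(5) documents, where the mode mapped from the DOS attributes is ANDed with create mask or directory mask and the force modes are then ORed in. The function names are illustrative; inherit permissions, ACLs and "store dos attributes" are not modelled.

```python
import stat

# DOS attribute bits an SMB client sends with a create request.
DOS_READONLY, DOS_HIDDEN, DOS_SYSTEM, DOS_ARCHIVE = 0x01, 0x02, 0x04, 0x20

def samba_mode(dos_attrs, is_dir, create_mask=0o744, directory_mask=0o755,
               force_create_mode=0, force_directory_mode=0,
               map_archive=True, map_system=False, map_hidden=False):
    """Simplified model of the UNIX mode smbd assigns to a new file or directory.

    Keyword defaults are Samba's documented defaults.
    """
    mode = 0o666                       # start from rw for user, group, other
    if dos_attrs & DOS_READONLY:
        mode &= ~0o222                 # read-only attribute drops the write bits
    if is_dir:
        mode |= 0o200 | 0o111          # owner keeps write; x bits added provisionally
        return (mode & directory_mask) | force_directory_mode
    if map_archive and dos_attrs & DOS_ARCHIVE:
        mode |= 0o100                  # archive -> owner execute
    if map_system and dos_attrs & DOS_SYSTEM:
        mode |= 0o010                  # system  -> group execute
    if map_hidden and dos_attrs & DOS_HIDDEN:
        mode |= 0o001                  # hidden  -> other execute
    return (mode & create_mask) | force_create_mode   # AND the mask, then OR force bits

def others_can_read(mode, is_dir):
    """True if an account that is neither owner nor group member can read the
    file, or list and traverse the directory (which needs r and x)."""
    need = 0o005 if is_dir else 0o004
    return (mode & need) == need

def compare():
    """Modes for a new file (archive bit set) and a new directory under the
    stock unRAID masks and under the masks proposed in the post."""
    rows = []
    for label, cmask, dmask in (("stock", 0o711, 0o711), ("proposed", 0o644, 0o755)):
        f = samba_mode(DOS_ARCHIVE, False, create_mask=cmask, directory_mask=dmask)
        d = samba_mode(0, True, create_mask=cmask, directory_mask=dmask)
        rows.append((label, stat.filemode(stat.S_IFREG | f), others_can_read(f, False),
                     stat.filemode(stat.S_IFDIR | d), others_can_read(d, True)))
    return rows

if __name__ == "__main__":
    for row in compare():
        print(*row)
```
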

Can I assume you have a nifty little script to do this ?  ;D

Here's a script you can use, you can invoke it on the command line, or...

 

As a side-benefit, it is also a unmenu user-script.  It will show up as a button on the "User Scripts" page in the unMENU interface if you name it as shown and put a copy in the same folder as your other unmenu files.

 

cat 70-unmenu_user_script_samba_mask
#define USER_SCRIPT_LABEL Set SAMBA File Permissions
#define USER_SCRIPT_DESCR Sets SAMBA file permissions to 0644 and directory permissions to 0755
echo "<pre>"
set -xv
sed -i -e "s/create mask = 0711/create mask = 0644/" /etc/samba/smb.shares
sed -i -e "s/directory mask = 0711/directory mask = 0755/" /etc/samba/smb.shares
smbcontrol smbd reload-config

 

A zipped copy is attached.

 

I'm sure a "go" script can also be created to perform this series of commands each time you reboot, but you will also need this "User Script" button as every time you make a change to user shares configuration, it will overwrite the permissions you set when you booted, and you will need to press the button to fix the permissions or reboot the server to re-run the "go" script.

 

Joe L.

 

Link to comment

Nope... I overwrite the entire file with a custom one I created for my specific drive configuration.

 

I took a similar approach to bubbaQ and create custom Samba shares.  This makes it easy to set the file attributes in a way that unRAID doesn't wallop them when you change the configuration.

 

Here is a post I had been working on a while back and completed to explain what I did ...

 

SAMBA is a powerful tool with lots of features that unRAID does not make available.  With a little effort, anyone can tap into these features.

 

unRAID is particularly limiting if you choose not to use user shares, which I do not.  

 

These are the issues that I was having that led me to research Samba features:

 

1 - I hated having to refer to my disks as disk1, disk2, etc.  Each drive has its purpose and I want them named logically

2 - I wanted to be able to implement user security.  Unless you enable user shares in unRAID, user security is not available.

3 - I have user names in Windows that contain spaces and had trouble getting authenticated.  

4 - I wanted to have shares associated with more deeply nested directory entries.

 

My solution was to create a replacement smb.conf and copy it over the normal one (in /etc/samba) at bootup.

 

This is in my S09-samba script in my /custom/etc/rc.d directory:

  #!/bin/bash
  cp /boot/config/samba/smb.conf /etc/samba
  smbcontrol smbd reload-config

 

The first line copies my slightly modified smb.conf file to the ramdisk.  The second line reloads the Samba configuration so that the new configuration takes effect.

 

My smb.conf looks like this:

[global]
# configurable identification
  username map = /boot/config/samba/usermap.txt
  include = /etc/samba/smb.names

  # log stuff only to syslog
  log level = 0
  syslog = 0
  syslog only = Yes

  # we don't do printers
  show add printer wizard = No
  disable spoolss = Yes
  load printers = No
  printing = bsd
  printcap name = /dev/null

  # misc.
  host msdfs = Yes
  msdfs root = Yes
  unix extensions = No
  use sendfile = Yes

  # auto-configured shares
  include = /etc/samba/smb.shares
  include = /boot/config/samba/user.shares

 

This is identical to the stock file, with two lines added.  One, near the top, sets up a usermap.  Usermaps enable you to link Windows user names to Linux / unRAID user names.  The other new line, at the very bottom, includes a file that defines my custom shares.  Both these files are accessed from the USB stick directly so no copying of them is required.  

 

The unRAID generated share file (smb.shares) is not impacted in any way.  I have disk shares disabled, but if I ever enabled them it would work fine.

 

The usermap.txt file is very simple (see below).  The user1, user2, ... entries need to be configured in unRAID, with the password identical to the password in windows.

user1 = "windows user name"
user2 = "windows user name2"

 

My user.shares file has sections that look like this ...

[sharename]
  path = /mnt/diskn/dir/subdir/...
  valid users = user1, user2, user3
  read only = Yes
  write list = user1
  force user = root
  map archive = Yes
  map system = Yes
  map hidden = Yes
  create mask = 0644
  directory mask = 0755

 

I have one for each disk and several that map to deeper level subdirectories (for example, my iTunes share is called "mp3" and maps to a third level directory).

 

Here is a very comprehensive guide to Samba if you are interested in learning more about Samba.

 

UPDATE:

 

unRAID now includes a feature to allow you to create a file called "smb-extra.conf" in the config folder which can be used to load custom samba shares, a usermap, and other Samba options without the need to overwrite the Samba files as described in this post.

Link to comment
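A check that can be run over smb.shares and a custom share file before Samba loads them, added here as an example (not bjp999's or unRAID's code). It flags force user = root, masks that lock out or over-expose files, and "map archive/system/hidden" settings whose execute bit the create mask strips, which smb.conf(5) notes for each of those parameters; the sample input, share names and function names are constructed for illustration, and "store dos attributes" is assumed not to be in use.

```python
# Constructed sample: a stock unRAID disk share plus a custom share shaped like
# the [sharename] template in the post (share names and paths are made up).
SAMPLE = """
[disk1]
  path = /mnt/disk1
  create mask = 0711
  directory mask = 0711
[mp3]
  path = /mnt/disk2/media/mp3
  force user = root
  map archive = Yes
  map hidden = Yes
  create mask = 0644
  directory mask = 0755
"""

def parse_shares(text):
    """Parse smb.conf-style text into {section: {parameter: value}}."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return shares

# Execute bit each DOS attribute is mapped onto when its "map ..." option is on.
ATTR_BITS = {"map archive": 0o100, "map system": 0o010, "map hidden": 0o001}

def audit(shares):
    """Return (share, finding) pairs; only explicitly set map options are checked."""
    findings = []
    for name, p in shares.items():
        cmask = int(p.get("create mask", "0744"), 8)
        dmask = int(p.get("directory mask", "0755"), 8)
        if p.get("force user", "").lower() == "root":
            findings.append((name, "force user = root: every file operation runs as root"))
        if not (cmask & 0o004) or (dmask & 0o005) != 0o005:
            findings.append((name, "masks deny 'other' read: services outside owner/group cannot read"))
        if (cmask | dmask) & 0o002:
            findings.append((name, "masks permit world-writable files or directories"))
        for param, bit in ATTR_BITS.items():
            if p.get(param, "").lower() in ("yes", "true", "1") and not (cmask & bit):
                findings.append((name, f"{param}: create mask lacks {bit:04o}, attribute is dropped"))
    return findings
```
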
  • 4 months later...

That's helpful, but in the additional shares file, the new share is pointing to a disk share...  Can you have the same thing point to a user share?  For example, let's say I had a user share called "movies" that stretched across four drives...  For data security reasons, the movies share was read-only.  Can I create a new share this way, called "WriteMovies" that effectively points to the user share \\unraid\movies so I can use the unraid logic to choose a disk when writing?

 

Another example would be a user share called "Software", under which I have a directory called "LinuxDistros".  I'd like to have a share point directly at LinuxDistros.  Is that possible?

 

-Steve

Link to comment
  • 2 months later...

I have the same question as 172pilot.  I'd really like to have a single share, ie DriveIndex, which I can map as a network drive, and which would contain folders that act like hard links to the different shares (essentially the same thing as the user share).  One idea I had was to just use an SMB script to share the /mnt/users folder directly, but I wasn't sure if that would horribly screw things up or what.  Any ideas?

 

To be clear, right now I have these shares:

 

Applications

Games

Movies

Music

Operating Systems

TV Shows

 

but each one is a distinct network location.  I'd like to have one mapped network drive that has all those shares as sub-folders.  If I try to map \\tower to a network drive it won't let me because it's not an actual drive.  So I'm thinking about exposing the /mnt/user mount point as an SMB share, which would allow me to do what I'm trying to do.  Are there any caveats or reasons this would be a bad idea?  Are there any alternative/better solutions?

Link to comment
  • 6 months later...

From the warning message displayed in the "Post Reply" page I see that I'm hopping in on this thread rather late (just became a forum member :))

 

bjp999 - thank you!  This is exactly what I was looking for.  I was hoping to have something similar to "/home/username" shares but wasn't certain if this was possible with unRAID.  

 

With this in mind - since you are not utilizing unRAID's user shares - is there any way to allow Samba shares configured in this fashion to span multiple disks?  

Link to comment
  • 1 year later...

I am using unraid 4.6 with usersecurity.

I have currently 2 different usertypes - one with read only and one with read/write.

I would like to add "create" right to the read only user - so that user can write files to the (user)share, but still is not allowed to delete any files.

Can anybody give me an instruction what and how to do that? I checked the faq and wiki, but didn't find an answer to it.

Thanks in advance!

Link to comment
