
Write Once Read Many (WORM) file archive


dacne


I'm trying to create our family photo archive. I'd like to set it up as WORM (write once read many), like a CD-R. A user may upload a file onto the server, but may not overwrite or remove it. Is this possible with the included vsftpd? Is there perhaps a filesystem/driver setting for WORM? Thanks for any info.

Link to comment

You can do that using a custom SMB share:

Telnet to your server and create a folder under "/mnt/user/":

Ex: mkdir /mnt/user/Photos

After that, edit the file "config/smb-extra.conf" on your USB drive:

Ex:

[Photos]
path = /mnt/user/Photos
read only = No
create mask = 0444
directory mask = 0777
map archive = No
map hidden = No
map system = No
browseable = Yes

How it works:

This will create a "Photos" share on your server that will be browseable and writeable, and every file in the share will be created with read-only permission (create mask = 0444), so you won't be able to move, write or erase it after it is created. To modify the files, you will need to do it via telnet.

Link to comment

Correct me if I'm wrong here, but if directory permissions are 0777, then the directory can be changed so files can be moved or removed.

 

I think the user share needs to be set to readonly

Then use a disk share to populate the Photo directory.

 

There are other features such as admin users =

which allow certain users read/write while the rest of the users are read only.

Link to comment

You're partially right: all folders can be renamed, empty folders can be deleted, and files can be moved between them, but all files are read-only, so they and non-empty folders can't be erased.

He wants to allow all users to freely populate the share, but not erase/overwrite the pictures. IMO that's the way to do that.

Link to comment

I'm not sure how it works via samba, but in unix/linux if you have write permission on the directory you can remove any of the files in it, regardless of the file permissions.

 

There may be some extended file/directory permission bits you can set to prevent that, but 777 sure isn't how to do it.

Link to comment
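The point raised in the post above, as an added example that is not part of the original thread: on a local POSIX filesystem, rename and delete are decided by the directory's mode, so a 0444 file inside a 0777 directory is not protected. The function names `worm_audit` and `worm_demo` and the sample file names are hypothetical, and the script exercises the filesystem directly, not a Samba share.

```shell
#!/bin/sh
# Added example; all paths are constructed under a temporary directory.

# worm_audit ROOT: print what breaks write-once semantics under ROOT.
#   DIR-ENTRIES-REMOVABLE  directory writable by group or other with no
#                          sticky bit: those users can rename or unlink its
#                          entries whatever the mode of the files themselves.
#   FILE-WRITABLE          regular file that still carries a write bit.
worm_audit() {
    find "$1" -type d \( -perm -0020 -o -perm -0002 \) ! -perm -1000 |
        sed 's/^/DIR-ENTRIES-REMOVABLE /'
    find "$1" -type f \( -perm -0200 -o -perm -0020 -o -perm -0002 \) |
        sed 's/^/FILE-WRITABLE /'
}

# worm_demo: rebuild the thread's layout (0777 directory, 0444 files) on the
# local filesystem and report whether rename and delete still succeed.
worm_demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/Photos"
    chmod 0777 "$d/Photos"
    for f in a.jpg b.jpg; do
        echo "constructed sample" > "$d/Photos/$f"
        chmod 0444 "$d/Photos/$f"
    done
    # Both operations modify the directory, not the file, so only the
    # directory's write and search bits are consulted.
    if mv "$d/Photos/a.jpg" "$d/Photos/moved.jpg" 2>/dev/null
    then rn=renamed; else rn=rename-denied; fi
    if rm -f "$d/Photos/b.jpg" 2>/dev/null && [ ! -e "$d/Photos/b.jpg" ]
    then del=deleted; else del=delete-denied; fi
    rm -rf "$d"
    echo "$rn $del"
}

worm_demo
```

Over SMB the result can differ because Samba presents a file without the owner write bit as DOS read-only and refuses to delete it unless `delete readonly = yes` is set. The sticky bit only narrows deletion to each file's owner (plus the directory owner and root); it does not make the directory write-once.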

I've tested here and the result is the same as I posted before; files are created as 444, and folders as 777, and you can do anything to folders but not to files, even those files created beneath the "executable" folders. As I remember, samba doesn't overwrite any file permission, but it treats each file or folder singly, so the parent permissions don't affect its children. Therefore in samba you can have a 777 folder and a 444 child file, and that file maintains its read-only attribute on the share. If you browse that folder in the terminal, you can do anything to it, as the parent folder is universally writable.

Joe, do you have any different approach? I know that attribute 600 on dirs and 400 on files should do the same, but what's your opinion?

Link to comment

I'd want to disallow moving files/directories. Too many experiences with accidentally dragging one folder inside another. I'm striving for a structured accumulating archive - once a file/directory is created it stays, like a CD-R. I'm actually going to have samba shares read only. That leaves ftp for uploads. VSFTPD has an option cmds_allowed which apparently allows just the commands specified. I need to come up with a list of commands which will allow file/directory creation but not modification, deletion etc. Please share any suggestions to achieve this WORM-like setup. Thanks!

Link to comment

I'm happy to learn that SAMBA can give the desired results, even if it can be subverted by someone at the Linux command line level.

I do know for certain that the permissions are changing in 5.0. There is in fact a conversion utility script to run when you first move to 5.0.

It does this for each share under /mnt/disk*

# remove Group and Other read, write, or execute/search permission
chmod -R go-rwx "$share"

# Removes execute permission for owner of files and directories
chmod -R u-x "$share"

# Gives the group the same permissions as the owner.
chmod -R g+u "$share"

# Set the Execute/search bit for owner and group if a directory.
chmod -R ug+X "$share"

# Set the group to users. (All files/directories will be in group users)
chgrp -R users "$share"

# set the owner of the files and directories to owner "nobody"
chown -R nobody "$share"

Link to comment

Archived

This topic is now archived and is closed to further replies.
