DSM-G600, DNS-3xx and NSA-220 Hack Forum

Unfortunately no one can be told what fun_plug is - you have to see it for yourself.

#1 2008-04-16 22:38:45

Viracocha
Member
Registered: 2008-04-16
Posts: 12

Newbie questions

Hi there,

I just obtained a DNS-323 and I'm trying to implement security on it.

First off, can a user change their password without having to log in as admin and set it for them?

2nd, when trying to edit privileges to different folders, it seems that if I try to give access to the same folder to different users/groups, it creates different shares with _1/_2 appended to it. Is it possible to set preferences for a folder that contain more than one user and still keep the same share name?

Thanks in advance


#2 2008-04-17 15:22:29

Holden
Member
Registered: 2008-04-16
Posts: 9

Re: Newbie questions

re: user changing their own passwords

The web interface does not support this functionality, but it could probably be done a different way if users log in to the NAS via telnet and run chpasswd. It's not a user-friendly process.

re: the folder security question

jayas asked a similar question in his post re: can users belong to multiple groups for mounting shares?. The short answer is yes. The longer answer is you have to manually modify the underlying OS user database (passwd, groups) and default samba configuration with fun_plug and the sambafix.sh script.


#3 2008-04-17 20:12:02

Viracocha
Member
Registered: 2008-04-16
Posts: 12

Re: Newbie questions

Thanks for the answer. I installed fun_plug and seem to be having success with setting up the share permissions the way I want it. I haven't tried the sambafix.sh yet but I'm sure it'll work properly. Being a Linux/Samba newbie as well, are there any tools to help change the smb.conf file or do you have to do it by hand like I'm doing now?


#4 2008-04-17 21:08:45

Viracocha
Member
Registered: 2008-04-16
Posts: 12

Re: Newbie questions

I just thought of something else. Maybe someone with better knowledge of Samba/Linux can help me out.

As I said above I can now set permissions to multiple groups/users for each share. Is it possible to restrict the creation of folders through samba? I'd like to be able to define the folder structure and make sure that this is not changed by the users. I apologize if this is something trivial, but I came up empty while looking through samba how-to.

Thanks in advance


#5 2008-04-18 06:40:11

Holden
Member
Registered: 2008-04-16
Posts: 9

Re: Newbie questions

re: restrict directory structure modification

I'm not sure this can be done through samba configuration but it may be more possible by setting file permissions with chmod. The chmod man page might help determine the exact setting you desire. i.e. removing group write permissions or other write permissions from a directory.


#6 2008-04-18 16:00:13

Viracocha
Member
Registered: 2008-04-16
Posts: 12

Re: Newbie questions

I've been looking into it that way as well but haven't found anything useful. It seems that if you give it write permissions to create files, it also allows creation of directories, and there is no way to make that distinction.

I have run into some problems regarding giving write access to a particular person. I have the following share in my smb.conf:

Code:

[username]
comment = 
path = /mnt/HD_a2/Home/username
valid users = @Admin @PowerUsers username
write list = username
writeable = yes
guest ok = no
oplocks =  yes
map archive = yes

It should give user username read/write access to the share, and read only access to users in groups Admin and PowerUsers. Unfortunately it doesn't seem to be doing this. It's allowing everyone in those groups write access to the share. If I set it to read only = yes, then no one has write access to it.

Any idea what I'm doing wrong?

Thanks in advance


#7 2008-04-19 07:43:17

Holden
Member
Registered: 2008-04-16
Posts: 9

Re: Newbie questions

The share parameters I set for separate read and write permissions were:

[ sharename ]
comment =
path = /mnt/HD_a2/publicshare
valid users = @sharegroup-RW, @sharegroup-RO
read list = @sharegroup-RO
write list = @sharegroup-RW
read only = no
guest ok = no
oplocks = no
map archive = no

I confirmed this to work as desired, providing read access for members of the group 'sharegroup-RW' and write access for members of the group 'sharegroup-RW'.


#8 2008-04-21 15:26:45

Viracocha
Member
Registered: 2008-04-16
Posts: 12

Re: Newbie questions

I managed to fix it. Setting it to writeable = yes apparently ignores the write list and gives write access to all valid users:

Code:

[username]
comment = 
path = /mnt/HD_a2/Home/username
valid users = @Admin @PowerUsers username
read only = yes
write list = username
guest ok = no
browseable = No

That seems to be working well. Read access to both groups and the user, and write access only for the user.

Thanks for the help


#9 2008-04-21 16:11:59

Holden
Member
Registered: 2008-04-16
Posts: 9

Re: Newbie questions

Glad to see you got settings that work. You helped clarify that the 'writeable'/'read only' setting(s) define default access rights, which can thereafter be further modified with the 'write list'/'read list' settings. Neither the smb.conf man page nor the O'Reilly Using Samba documentation clearly states the order of precedence for these settings. The sample I posted could be improved <groan>.

The paragraph 'read only (S)' in the smb.conf man page states 'read only = yes' is the default so theoretically it's not even necessary to specify that setting. Better to be safe than sorry however ...

Offline
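The precedence worked out in posts #6 to #9 can be checked mechanically. The script below is an added example, not code from any poster: it lists shares whose `write list` restricts nothing because the share is writable by default and no `read list` demotes the other users. The share names in the sample are constructed, and `[global]` defaults are an acknowledged gap.

```shell
#!/bin/sh
# Added example (not from the thread): list shares whose "write list" restricts
# nothing: writable by default and no "read list" demoting other valid users.
# Limit: [global] defaults and include files are not evaluated.
audit_write_list() {
    awk '
    function truthy(v) { v = tolower(v); return v == "yes" || v == "true" || v == "1" }
    function report() { if (share != "" && has_wl && !has_rl && !ro) print share }
    /^[ \t]*[#;]/ { next }                       # comment line
    /^[ \t]*\[/ {                                # section header starts a share
        report()
        share = $0
        gsub(/^[ \t]*\[[ \t]*|[ \t]*\].*$/, "", share)
        ro = 1; has_wl = 0; has_rl = 0           # Samba default: read only = yes
        next
    }
    /=/ {
        eq  = index($0, "=")
        key = tolower(substr($0, 1, eq - 1))
        val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key)                   # names ignore case and spaces
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "readonly") ro = truthy(val)
        else if (key == "writeable" || key == "writable" || key == "writeok") ro = !truthy(val)
        else if (key == "writelist" && val != "") has_wl = 1
        else if (key == "readlist"  && val != "") has_rl = 1
    }
    END { report() }
    ' "$1"
}

# Constructed sample: the access settings from posts #6, #8 and #7, renamed.
sample_conf() {
    cat <<'EOF'
[home_before]
write list = username
writeable = yes
[home_after]
read only = yes
write list = username
[publicshare]
read list = @sharegroup-RO
write list = @sharegroup-RW
read only = no
EOF
}

conf=$(mktemp); sample_conf > "$conf"
audit_write_list "$conf"    # prints: home_before
rm -f "$conf"
```
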

 

#10 2008-04-23 16:45:56

Holden
Member
Registered: 2008-04-16
Posts: 9

Re: Newbie questions

I'm learning as I go and remembered your earlier question ...

Viracocha wrote:

Is it possible to restrict the creation of folders through samba? I'd like to be able to define the folder structure and make sure that this is not changed by the users.

I found two ways to do this, both by setting folder permissions and smb.conf settings.

bulliver posted a Quick and Dirty Guide to Linux File Permissions at linuxquestions.org

bulliver wrote:

THE STICKY BIT

Linux directory access permissions say that if a user has write permissions on a directory, they can rename or remove files there, even if the files don't belong to them.
When the owner of the directory sets the sticky bit, renames/removals are only allowed by the file's owner, the directory's owner and the root user.

zacch posted another method, How to restrict user deleting folder via samba at linuxforums.org

zacch wrote:

to prevent deleting a directory

you need to set non-writable the parent of this directory

e.g. to prevent people from deleting the two folder under: /one/two

you need to set /one to chmod 755

then nobody can create or delete subfolders under /one, except the owner of one

one: 755
two: 777

then anyone can create/delete files inside two, but cannot delete the folder two

Either of these methods can be complemented with creation mask settings in smb.conf for new files/folders to persist the settings. Chapter 8. Advanced Disk Shares of the online O'Reilly Using Samba book has a short illustration of settings that would complement the second method.

Code:

[data]
    path = /one
    create mask = 744
    directory mask = 755
    force user = joe
    force group = accounting

Hope this helps.

Offline
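Both methods quoted in post #10 come down to the mode of the parent directory. The following is an added example, not from the thread: it reports whether users other than the parent's owner can rename or remove a folder, treating any group or other write bit as exposure unless the sticky bit is set. The temporary demo tree is constructed and mirrors the /one/two layout.

```shell
#!/bin/sh
# Added example (not from the thread). Prints "exposed" when the parent of DIR
# is group- or other-writable without the sticky bit, so non-owners with that
# write access can rename or remove DIR; prints "protected" otherwise.
# Simplification: group write counts as exposure whoever is in the group.
folder_exposure() {
    parent=$(dirname "$1")
    # -prune keeps find on the parent itself; -perm -MODE means "all bits set".
    hit=$(find "$parent" -prune \( -perm -020 -o -perm -002 \) ! -perm -1000 -print)
    if [ -n "$hit" ]; then echo exposed; else echo protected; fi
}

# Constructed demo tree mirroring the thread's /one/two layout.
demo=$(mktemp -d)
mkdir -p "$demo/one/two" "$demo/open/two" "$demo/sticky/two"
chmod 755  "$demo/one"; chmod 777 "$demo/one/two"   # zacch: parent 755, child 777
chmod 777  "$demo/open"                             # neither method applied
chmod 1777 "$demo/sticky"                           # bulliver: sticky bit on parent
for d in one open sticky; do
    printf '%s/two: %s\n' "$d" "$(folder_exposure "$demo/$d/two")"
done
rm -rf "$demo"
```
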

 

#11 2008-04-23 18:42:00

Viracocha
Member
Registered: 2008-04-16
Posts: 12

Re: Newbie questions

Thanks. I'll try it out though I don't think I'll be needing it after all. Never hurts to know though.
