How to allow Windows pc to modify Linux files over Samba server without allowing full 777 access?


Solution 1

Typically one doesn't want to give everyone with network access write access to a directory. There are often better solutions to share files among a user group, e.g. giving everybody their own network share with (partial) read access for everybody else. That's where the recommendation to not use world-writable access permissions comes from.

However, in your case that seems to be exactly what you want. So go ahead and use chmod -R 0777 /path/to/share along with appropriate Samba configuration entries like writable = yes.

Solution 2

I see what you want. All users/computers on your LAN should be 'guests' and have full 'read/write' access to the file share.

Steps:

Check Samba config. Does the share include these:

[Share]
available = yes
browsable = yes
public = yes
writeable = yes

Check POSIX permissions. Example ls -lh:

drwxrws---+ 1 nobody nogroup  252 May 12 14:55 Music

You will want to have the sticky bit there, otherwise the fileshare won't behave like you would expect in Windows. chmod 2770 [dir]... To apply with permission to all the directories use find. Example:

find . -type d -exec chmod 2770 {} \;
find . -type f -exec chmod 2760 {} \;

You will also want to set the group to be nogroup, which is the default guest group for Samba.

Finally, ACLs. Use getfacl and setfacl. You'll want to set up defaults for the user nobody and the group nogroup. Once you've done that, anything that gets created via Samba will inherit good permissions. Here's an example directory ACL:

# file: Downloads
# owner: nobody
# group: nogroup
# flags: -s-
user::rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::---

To get some defaults going, use find:

find . -type d -exec setfacl -d -m u::rwx {} \;
find . -type d -exec setfacl -d -m g::rwx {} \;

To fix up existing files:

find . -type f -exec chgrp nogroup {} \;
find . -type f -exec chmod 660 {} \;
find . -type f -exec setfacl -m g::rw {} \;

WANT MORE!

Let's just say that you don't want to change the POSIX group. Then you can use the ACL to explicitly add the group. Example:

setfacl -m g:linuxgroup:rw [filename]

With these settings I share between Ubuntu, Windows, RPi, Android, and other Linux apps.
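A check for the layout described in Solution 2, as an added example that is not part of the original answer: it lists entries with any permission bit for "other", directories missing the setgid bit (the 2 in 2770), and entries whose group is not the share group. The function name audit_share and the default group nogroup are assumptions; named ACL entries are not inspected (use getfacl for those).

```shell
#!/bin/sh
# Added example: audit a Samba share tree against the 2770/660 scheme above.
# audit_share and the default group "nogroup" are assumptions of this sketch.
# Prints one line per finding; returns 0 when the tree is clean, 1 otherwise.
audit_share() {
    root=$1
    group=${2:-nogroup}
    report=$(
        # Any r, w or x bit for other means the entry is open beyond the group.
        # Symlinks are skipped because their mode is always 777 and is ignored.
        find "$root" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -print | sed 's/^/OTHER-ACCESS /'
        # Directories without setgid: files created inside them take the
        # primary group of the creating user, not the share group.
        find "$root" -type d ! -perm -2000 -print | sed 's/^/NO-SETGID /'
        # Entries whose group is not the share group.
        find "$root" ! -type l ! -group "$group" -print | sed 's/^/WRONG-GROUP /'
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Run stand-alone as: sh audit_share.sh /path/to/share [group]
if [ "$#" -gt 0 ]; then
    audit_share "$@"
fi
```
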

Author: Tombas

Some dude who's interested in stuff. What else do you need?

Updated on September 18, 2022

Comments

  • Tombas over 1 year

    I recently set up Samba on a Linux server and discovered the shared drive on a Windows machine with ease, but was not able to copy files to that drive as it would ask for extra permissions.

    I was able to write to sub-folders with 777 permissions, but the main drive had 775.

    As I am advised that 777 permissions are highly un-secure, how can I modify groups to include users browsing in from Windows who do not have user-level permissions in the Linux server?

    This is a home network, and access to the Samba server is limited through a global setting that prevents access from outside the network (by adding the following lines to /etc/samba/smb.conf)

    [global]
    hosts allow = 192.168.0.
    hosts deny = ALL
    

    Therefore I am not concerned about security within the network - if a user is on the 192.168.0.x subnet I am happy to assume that they are legitimate and do not want to add further authentication steps at the moment.

    • nullmeta almost 7 years
      The permissions should be based off of the user you are logging in with. Does that user own the shared directory?
    • nullmeta almost 7 years
      Maybe reference this guide to see if you missed a step in configuring Samba. Otherwise include how you set up Samba, how your share looks in smb.conf, if you're logging in with a local user (on the Linux machine) and what user/group the share belongs to.
    • David Foerster almost 7 years
      Who is supposed to have write access on the share and the files and directories below it? A set of users, one or more user groups, everyone or even anonymous users (i.e. "guests")?
    • Tombas almost 7 years
      @nullmeta The user I administrate the Linux Samba server with owns the directory and has full read/write access - the problem I have is that I cannot then write to the drive from a Windows machine on the same network (I can read fine though)
    • Tombas almost 7 years
      @DavidFoerster The ideal is that any user that is on my local network should be able to have full read/write access to the drive (I have tried to limit to home network by adding 'hosts allow =' and 'hosts deny =' to the [global] section; I assume that this works).
    • David Foerster almost 7 years
      Do all these users authenticate themselves when they connect to the network share, e.g. via user name and password or some Windows domain access token? Or should anyone with network access to the Samba server be able to read and write on the network share?
    • Tombas almost 7 years
      @DavidFoerster actually I am happy with either but have not yet been presented with login dialogue (I tried to "use different credentials" but this did not work with the samba credentials I have set up)
    • David Foerster almost 7 years
      Alright. Could you please edit your question to clarify that? It’s best to have everything relevant in one place. Additionally, comments may be deleted for various reasons. I'll write an answer in the meantime.
  • Tombas almost 7 years
    Awesome answer, thanks! I have +1'd it but it won't show yet... I may get back to you for more once I understand what you have written lol!
  • Mark Kramer almost 7 years
    But that doesn't answer the question. He needs to know how to be able to write files from Windows over the network without giving 777 permissions. As do I. Is it possible to add a Windows user to a Linux usergroup?
  • David Foerster almost 7 years
    @MarkKramer: Sometimes a suitable answer requires side-stepping the question and challenging its underlying assumptions. Apparently my answer solved the implicit question underlying the explicit one here or OP wouldn't have accepted it.
  • Mark Kramer almost 7 years
    Yeah, I thought that was strange. Anyway, I found an answer here.