# Samba - World: Write/copy file to share = yes - Delete = No



## Zvoni (Mar 27, 2020)

Hi Folks,
i have a Samba410 on FreeBSD12.1-p3 running succesfully. Share is mounted on a Linux-client using credentials of a user of the FreeBSD-Server (no Wheel-Member)
The Share has its own user/group. The above mentioned user is a member of that group
Works!

Now: The Linux-client is a publicly accessible workstation our videoflyers use to copy all video-files to the server.
On that Linux-client the Screen-Lock is disabled.

Is it possible to set up the share in that way, that the above mentioned user can write/copy files to the share, but not delete any? What about Folders?
I'm aware, that i would have to take that user out of the group resulting in him being "Others", and do a 0777 on the share, but does anyone know how the force file directives (mask/mode) exactly work?

I want to avoid that a user working at that client deletes everything on the share by chance (not to mention a malicious guest "Hey, let's delete everything")

Any ideas?


----------



## zader (Mar 27, 2020)

not sure all of your requirements.. but what I did was put smb in a jail with iocage.. then use iocage to mount the filesystems as read/write only .. this allows you to still have full permissions via the host .. but run smb in a rw mode..  have a look at my how to for an icecast server .. just install smb instead and subst the playlist with whatever data set you want to map.
something like this

`iocage create -n "name.domain.local" -r latest vnet="on" allow_raw_sockets="1" boot="on" defaultrouter="10.100.10.1" ip4_addr="10.100.10.200/24" --thickjail`
`zfs create -o mountpoint=/playlist zpool/playlist`
`mkdir /zpool/iocage/jails/name.domain.local/root/media/playlists`
`iocage fstab -a name.domain.local /playlists /media/playlists nullfs rw 0 0`
`iocage console name`

for reference: https://forums.freebsd.org/threads/icecast-streaming-media-server-in-iocage-jail.73787/
just install smb insted of icecast and create the mounts / nullfs you need

If you need help installing iocage or want another example 
see: https://forums.freebsd.org/threads/jailed-plex-server-with-iocage.73794/
most of the configuration is more geared for streaming tho

If a jail wont work you could use pam and create a policy that way .. or openldap ?


----------



## Zvoni (Mar 27, 2020)

Thx, Mate.
OK, i'll try to explain better: This is not a company-setup with AD-DC, DNS, DHCP, LDAP etc. (no ressources for that).
It's a small network in our skydiving-club, no users with their laptops to authenticate against it
(Au contraire, mon ami: They are not even in the same Address-Range --> Guest-Access on the WiFi-Router with different Address-Range).

Upfront: Jail is not an option, since the router the server is hooked up to, ignores mutiple IP's a machine is sending out, because it allows only one IP per MAC-Address (i've spent fruitless hours trying to spoof the router with bridge, epair with "ether" etc.)

The FreeBSD-Server has 3 HD's:
ada0 with ZFS for ZFS-on-Root/OS
ada1 and ada2 with UFS in a Gluster-Volume (there is a second, identical server there, too, to complement Gluster).
That Gluster-Volume is mounted locally (via fstab) on the Server to a Folder called "Export" (no ZFS-Dataset - basically just a Folder in "/").
And that Folder is the "published" share in the LAN.
On the Server exists a user "videoflyer" within a group "skydive" (there are other members of that group, who are not important to this discussion.).
The Folder "Export" belongs to "zvoni:skydive" with permissions 0775.
smbpasswd has been generated for all users.
my smb4.conf has pretty much the necessary standards for a Fileserver:


```
[global]
.....some standard-entries
create mask = 0775
force create mode = 0775
directory mask = 0775
force directory mode = 0775

[Export]
....some standard-entries
force group = skydive
valid users = @skydive
writable = yes
```

That share is mounted on a Linux-client elsewhere in the LAN, and user "videoflyer" (with same password) is logged in there.
I repeat: Everything works. I can mount the share on that client with the correct credentials. User can write/copy to the share, read/copy from the share.
What i want to achieve (*if it's even possible*), that the user "videoflyer" on the Linux-client can do:
Create Folder on share, --> Works
traverse Folder on share, --> Works
write/copy to share,  --> Works
read/copy from share, --> Works
but not delete anything! --> ??
I was looking at the "mask" and "mode"-directives, and i understand how they work
(mask for maximum-permissions, mode for minimum-permissions).
But when are permissions applied to a file/folder? at creation? after creation (kind a "chmod-after-copy/write-is-done")?

Don't get me wrong: I'm happy how it works. It just bugs me, that the Linux-client is publicly accessible, and someone could just open the Share-Folder and hit "del"


----------



## zader (Mar 29, 2020)

By chance were you using something other than FreeBSD 12.1+ with vnets?   I know jails previous to that require a lot of configuration to get proper networking set up .. 12.1 introduced a complete network stack to jails..  so you can easily set it up to look like anything you like.

another option could be something like vsftp . with user accounts.. you could easily allow read write no delete.. appls like filezilla / scp allow easy access to.

if everything was zfs, it would be a matter of delegating permisisons..

another option, (never tried it) would be an acl solution something like nfsv4acls ..  for reference https://unix.stackexchange.com/ques...issions-to-read-write-but-not-delete-the-file  but again, no clue..


----------



## Zvoni (Mar 29, 2020)

Nope. 12.1 from the beginning.

I'll leave it as it is now, since everything is working in our small club as intended, but i'll have an eye on it


----------

