Problem with samba share at / level

[NicholasH]

Hi,
I've been trying to create a samba share at root level of the file system, /familyshare and I've had real problems with it. I've tried all sorts of definitions such as:

Code: Select all

[raspberrypi]
   comment = Pi share
   path = /familyshare
   public = no
   valid users = @family,nick,mum
   browseable = yes
   writeable = yes
   force create mode = 0660
   force directory mode = 0770

nick and mum are members of the family group but this was belt and braces. Directory permissions were 666 and 777 with various owners root:root, mum:mum, mum:family etc
I could map to the share in Win7 but could not browse it, always getting an "Access denied" message when I select the share. When I created the share under /home (so /home/familyshare), it worked. On my ClearOS system (RHEL based distro) there is no problem hanging the share off root level. Have you any idea what is going wrong in Raspbian?

[DougieLawson]

Have you created the directory you're trying to share?
sudo mkdir /familyshare

Much easier and much better is to give each family member a userid/password on your Linux box and then share the home directories.

sudo adduser debbie --shell /usr/sbin/nologin --home /home/debbie # follow the prompts
sudo smbpasswd debbie # follow the prompts
change the name unless your wife is also called Debbie. That shell means they can't login on Linux directly but they have a shareable directory.

Add this stanza to /etc/samba/smb.conf

Code: Select all

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        create mask = 0644
        oplocks = no
        blocking locks = no
        strict locking = no
        locking = no

[NicholasH]

I did have the homes working but did not want to use them because I log in as nick and my mother's PC (although she does not know it) was logging in as mum. I have an OpenVPN tunnel between her Pi (as a client) and my ClearOS server and I can log in to the Pi by ssh through the tunnel but ssh through OpenVPN is dire. It seemed to me the bast thing to do was to create a common group share as I do on my ClearOS box with everything hanging of /shares (from where I have three different shares) then map to it from my PC at home (50 miles away). On the Pi I just wanted one single top level share. I did create the share directory and could map to it. Just when I tried to access it by selecting it in Win7 I got Access Denied and I could not work out why. Creating the group share under /home works and I am truly puzzled.

The user mum was set up (but with a login shell) with a password and could map to her home directory. She could even map to the top level share. She just could not access it. It is similar for me (nick) but I was the original Pi user and I have sudo access.

[NicholasH]

I was just checking and it looks like directory permissions were 666 and not 777. Changing them to 777 works. What a waste of time.

[DougieLawson]

You should never need to use 777 or 666. That's an unnecessary security exposure.

777 - read, write, execute for owner, read, write, execute for group, read, write, execute for world
755 - read, write, execute for owner, read, execute for group, read, execute for world
750 - read, write, execute for owner, read, execute for group, nothing for world
700 - read, write, execute for owner, nothing for group, nothing for world

666 - read, write for owner, read write for group, read, write for world
644 - read, write for owner, read for group, read for world
640 - read, write for owner, read for group, nothing for world
600 - read, write for owner, nothing for group, nothing for world

You need execute permission to traverse a directory and read files or sub-directories within it. Only permit the bare minimum needed to complete a task.

[rpdom]

You should never need to use 777 or 666. That's an unnecessary security exposure.

777 - read, write, execute for owner, read, write, execute for group, read, write, execute for world
755 - read, write, execute for owner, read, execute for group, read, execute for world
750 - read, write, execute for owner, read, execute for group, nothing for world
700 - read, write, execute for owner, nothing for group, nothing for world

007 - the world is not enough?

[NicholasH]

777 was a sledgehammer to try to get it to work. On my own server I have 770 with user and group ownership, not root:root so I'll probably swap to that.

I don't understand why it needs 7 and not 6 but I must have come across that before as it is what I have on my server.

[DougieLawson]

The cd command needs execute permission to enter a directory.

[rpdom]

777 was a sledgehammer to try to get it to work. On my own server I have 770 with user and group ownership, not root:root so I'll probably swap to that.

I don't understand why it needs 7 and not 6 but I must have come across that before as it is what I have on my server.

For a file, 7 means rwx = read/write/executable.
For a directory, 7 means rwx = read/write/explorable.

[NicholasH]

For a directory, 7 means rwx = read/write/explorable.

I noticed that on DougieLawson's posts but it did not quite sink in.

I guess I didn't notice before as I am normally root when administering my own server.

[DougieLawson]

I guess I didn't notice before as I am normally root when administering my own server.

Which is all good fun until you hit the wrong directory with rm -rf ...

I tend to use my dougie id for everything and my pi id for writing code samples for the forum. I only use root or sudo when I need. My dougie id is in sudoers, my pi id isn't. I need to get the non-root GPIO stuff working.

[NicholasH]

I struggle administering things as a non-root user using sudo all the time as it knocks out using WinSCP and its editor. So much so I ended up setting a root password on the Pi as it was driving me scatty.