How to allow Windows pc to modify Linux files over Samba server without allowing full 777 access?

Question

I recently set up Samba on a Linux server and discovered the shared drive on a Windows machine with ease, but was not able to copy files to that drive as it would ask for extra permissions.

I was able to write to sub-folders with 777 permissions, but the main drive had 775.

As i am advised that 777 permissions are highly un-secure, how can I modify groups to include users browsing in from Windows who do not have user-level permissions in the Linux server?

This is a home network, and access to the Samba server is limited through a global setting that prevents access from outside the network (by adding the following lines to /etc/samba/smb.conf)

[global]
hosts allow = 192.168.0.
hosts deny = ALL

Therefore I am not concerned about security within the network - if a user is on the 192.168.0.x subnet I am happy to assume that they are legitimate and do not want to add further authentication steps at the moment.

Answer 1

I see what you want. All users/computers on your LAN should be 'guests' and have full 'read/write' access to the file share.

Steps:

Check Samba config. Does the share include these:

[Share]
available = yes
browsable = yes
public = yes
writeable = yes

Check POSIX permissions. Example ls -lh:

drwxrws---+ 1 nobody nogroup  252 May 12 14:55 Music

You will want to have the sticky bit there otherwise the fileshare won't behave like you would expect in windows. chmod 2770 [dir]... To apply with permission to all the directories use find. Example

find . -type d -exec chmod 2770 {} \;
find . -type f -exec chmod 2760 {} \;

You will also want to set the group to be nogroup, which is the default guest group for samba.

Finally acls. Use getfacl and setfacl. You'll want to setup defaults for the user nobody and the group nogroup. Once you've done that, anything that gets created via samba will inherit good permissions. Here's an example directory ACL:

# file: Downloads
# owner: nobody
# group: nogroup
# flags: -s-
user::rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::---

To get some defaults going, use find:

find . -type d -exec setfacl -d -m u::rwx {} \;
find . -type d -exec setfacl -d -m g::rwx {} \;

To fix up existing files:

find . -type f -exec chgrp nogroup {} \;
find . -type f -exec chmod 660 {} \;
find . -type f -exec setfacl -m g::rw {} \;

WANT MORE !

Let's just say that you don't want to change the POSIX group. Then you can use the ACL to explicitly add the group. Example:

setfacl -m g:linuxgroup:rw [filename]

With these settings I share between ubuntu, windows, RPi, android, and other linux apps.

Answer 2

Typically one doesn't want to give everyone with network access write access to a directory. There often better solutions to share files among a user group, e. g. giving everybody their own network share with (partial) read access for everybody else. That's where the recommendation to not use world-writable access permissions comes from.

However, in your case that seems to be exactly what you want. So go ahead and use chmod -R a+rwX /path/to/share¹ along with appropriate Samba configuration entries like writable = yes.

---

¹ a+rwX means that all (owner, group, and others) will receive read, write, and conditional exexute permissions. “conditional” means that execute/traverse permissions will only be added if execute/traverse permission is already granted to at least one access group (owner, group, others). This is useful if you want to extend execute/traverse permissions of those files and directories that are already executable/traversable by the owner.