Samba config OOTB on B3

Posted: 18 May 2012, 23:24
by endived
Hi all,

I'm a new Bubba owner since yesterday and I must say, I haven't slept much our first night together :)

It is a wonderful device and exactly what I have been looking for, for probably a couple of years.

I am a bit puzzled though about the default Samba configuration.
I've created a few user accounts (all allocated to computers on the same network) and when I connect them to B3 with their samba access, they all have access to not just their own /home folder but all others.

Code:

[home]
   comment = Home Directories
   path = /home
   browseable = yes
   writable = yes
   create mask = 0764
   directory mask = 0775
   public = no
   guest ok = no
   hide dotfiles = yes
   user = @users
   hide files = /lost+found/
   hide special files = yes

I reckon the Add User function in the web interface doesn't just create a user but creates an SMB user in the process. But then it seems that every user has access to the content of all other users (user=@users?) and this doesn't look very sensible to me.
Is there a way to restrict samba access to the own /home folder of a user and just share one specific folder (like ~/Share) and without creating a share definition for every user?
How do you guys (with multiple accounts) sort this?

Thanks :)

Re: Samba config OOTB on B3

Posted: 19 May 2012, 15:43
by nobody
The default setting is indeed not sensible to you, or me, or anyone able to read a config file, but it is sensible from a business perspective. Most units sold will be to families that share a common computer anyway and have little to hide from each other. In such an environment, permissions and restrictions hurt more often than help. However, for people that are aware of permissions and how to handle them, you have near unlimited power to tweak the setup to your liking :)

Anyway the general maintenance rule for shares is to put them as open as possible, and then set the permissions you want on the actual filesystem. If you also restrict on share level, there's a good chance some of these rules will start to contradict and you spend ages sorting out why you cannot write to some folder. This is actual Microsoft-approved methodology (at least they taught me this in a Win2K class some time ago.)

So all you need to do is "chmod 700 /home/yourname" and you're done

Re: Samba config OOTB on B3

Posted: 19 May 2012, 22:39
by endived
Thanks, and I understand why the smb.conf is what it is, and for what reason. I've thought about your solution (chmod my /home to 700).

Thing is, most of the files in my /home folder come from my desktop, which is also a debian box, and where these files have other file permissions (I use the default Debian umask). Next to that I have a laptop (somewhat the same setup). I keep a few folders in sync, where the B3 is the master of the data. But keeping files in sync with different permissions across several machines is going to complicate matters.

I don't mind my family seeing my files. I'm just afraid they will delete files by accident.
I do appreciate the mechanism where a B3 user by default shares a folder and I'd like to keep that in place as much as possible but in a more limited version. Is there a way to change this from the /home folder to the /home/user/Share folder?
path = /home/*/Share doesn't work, but I'm hoping there is some kind of variable I can put instead of *.

Re: Samba config OOTB on B3

Posted: 20 May 2012, 03:10
by nobody
http://www.samba.org/samba/docs/man/man ... onf.5.html

go down to the paragraph that says 'VARIABLE SUBSTITUTIONS'

Re: Samba config OOTB on B3

Posted: 20 May 2012, 04:32
by Gordon
Part of the issue here is the default umask used by the B3, making everything world readable *and* writeable. The exact reason is unknown, but it would appear that is done to allow some services access to home folders (quite possibly the web-admin interface).

The straightforward solution to get around this is to not share /home but instead enable the individual home shares:

Code:

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mask = 0700
   directory mask = 0700
   valid users = %S

The trick here is in the "valid users" control that allows only the owner of the home folder to access it (through Samba). And if you like to share files with all other users, put it in the storage folder.

Re: Samba config OOTB on B3

Posted: 20 May 2012, 05:04
by endived
Gordon wrote: Part of the issue here is the default umask used by the B3, making everything world readable *and* writeable. The exact reason is unknown, but it would appear that is done to allow some services access to home folders (quite possibly the web-admin interface).

The straightforward solution to get around this is to not share /home but instead enable the individual home shares:

Code:

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mask = 0700
   directory mask = 0700
   valid users = %S

The trick here is in the "valid users" control that allows only the owner of the home folder to access it (through Samba). And if you like to share files with all other users, put it in the storage folder.

Thanks Gordon. Let me try that out.
So far, I've taken a similar approach but only by changing the path of the [home] share to /home/%U, leaving permissions intact and sharing files only through the storage folder. I think this works about the same way.

Another solution would be to make use of the private folder that is by default in every /home folder with chmod 700.
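
Added example (not part of any post in this thread, and not code from the B3 or Samba projects): a small Python check that reads smb.conf text and reports shares that let authenticated users reach each other's home directories. It is run here on the stock [home] share and the [homes] replacement quoted above; the parser is a simplified stand-in for Samba's own, and the function names and sample text are constructed for illustration.

```python
# Constructed input: the stock [home] share and the [homes] replacement from this thread.
SAMPLE = """\
[home]
   path = /home
   writable = yes
   user = @users
[homes]
   browseable = no
   read only = no
   valid users = %S
"""

def parse(text):
    """Minimal smb.conf reader: {section: {option: value}}, names lower-cased."""
    shares, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            cur = shares.setdefault(line[1:-1].strip().lower(), {})
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[" ".join(key.lower().split())] = val.strip()
    return shares

def writable(opts):
    """'writable', 'writeable' and 'write ok' are inverted synonyms of 'read only'."""
    for key in ("writable", "writeable", "write ok"):
        if key in opts:
            return opts[key].lower() in ("yes", "true", "1")
    return opts.get("read only", "yes").lower() in ("no", "false", "0")

def audit(text, home_root="/home"):
    """Return {share: finding} for shares that let users into each other's homes."""
    findings = {}
    for name, opts in parse(text).items():
        if name == "homes":
            # Without 'valid users = %S' any authenticated user may connect to
            # another user's home share; only file permissions then apply.
            if "%S" not in opts.get("valid users", ""):
                findings[name] = "no 'valid users = %S' on [homes]"
            continue
        path = opts.get("path", "").rstrip("/")
        if path == home_root:  # one share covering every home directory
            mode = "read-write" if writable(opts) else "read-only"
            findings[name] = f"{mode} share of every home directory under {home_root}"
    return findings
```

A share whose path is /home/%U resolves to a different directory for each session user, so this check does not flag it.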