Whether your business is large or small, or you simply have more than one person using your files at home, you've probably had to deal with shared server space. Not space for specific users, but space for a group of people to access and update at will. In this article I will show you how to set up a shared workspace with Samba. We will allow a group of users access to the workspace and solve one of the most common problems: file permissions.
Our Needs
For our shared workspace we will have a few requirements:
- Files must be accessible by a group of users.
- Files must be writeable by all members of the group.
- File owners must be preserved so that administrators and other users can see who last updated a file.
All three points are easy to accomplish but the last is sometimes overlooked. We won’t do that here. For our example we will share the web server’s document root on my test server and allow only members of the web group access to it.
Creating the Share
We will start off with a basic Samba share. We will call the share WWW and it will be in /home/httpd/htdocs. The relevant configuration file entries are as follows:

[WWW]
    comment = Web server document root
    path = /home/httpd/htdocs
    read only = no

The entries here are pretty straightforward. Samba defaults to read-only shares, so specifically allowing write access is necessary. Currently this share is subject to the global permissions of Samba. Personally I like to use a special group for remote users, so presently anyone who is granted remote access to the machine can access this share. This isn’t what we want.
Customizing the Share
Now that we have a working share we need to restrict access to our web group and ensure that the proper permissions are set. We will use the valid users option to restrict access to the share. valid users takes lists of users or groups. Group names must be prefixed by an @. The name of my web group is apache.
To solve the problem of group write access we will employ two tactics. First we will force the group owner of new files to be that of the web group. Group ownership of files is set to the login group (or primary group) of the user creating the file. I use private primary groups so we will use the force group option to temporarily change the primary group of connected users.
Next we will use two options to change file permissions so that the group can write to them regardless of the owner. They are force create mode and force directory mode. force create mode sets the specified permission bits on newly created files. force directory mode has a similar effect on directories. We will set both to allow the files to be written to by the group.
The completed share entry is as follows:
[WWW]
    comment = Web server document root
    path = /home/httpd/htdocs
    read only = no
    valid users = @apache
    force group = apache
    force create mode = 0664
    force directory mode = 0775
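
The completed share can be checked against the requirements above with a short audit script. This is an added example, not part of the original article: the DROP share, the function names and the assumed requested modes are hypothetical, and it applies Samba's rule that the final mode is the requested mode ANDed with the create/directory mask, then ORed with the force bits.

```python
import configparser

# Constructed sample: the article's finished share, plus a hypothetical
# looser variant ("DROP") to show what the audit flags.
SAMPLE_CONF = """
[WWW]
comment = Web server document root
path = /home/httpd/htdocs
read only = no
valid users = @apache
force group = apache
force create mode = 0664
force directory mode = 0775

[DROP]
path = /srv/drop
read only = no
force create mode = 0666
"""

# smb.conf defaults used when a share does not set these options.
DEFAULTS = {"create mask": "0744", "directory mask": "0755",
            "force create mode": "0000", "force directory mode": "0000"}

def effective_mode(share, kind, requested):
    """Mode Samba ends up with: (requested AND mask) OR force bits."""
    mask = int(share.get(f"{kind} mask", DEFAULTS[f"{kind} mask"]), 8)
    key = "force create mode" if kind == "create" else "force directory mode"
    force = int(share.get(key, DEFAULTS[key]), 8)
    return (requested & mask) | force

def audit_share(conf_text, name):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    share = cp[name]
    findings = []
    if share.get("read only", "yes").lower() in ("no", "false", "0") \
            and not share.get("valid users"):
        findings.append("writable share without 'valid users'")
    if not share.get("force group"):
        findings.append("no 'force group': new files keep the user's primary group")
    # Assumed modes requested before masking (illustrative values).
    for kind, requested in (("create", 0o744), ("directory", 0o755)):
        mode = effective_mode(share, kind, requested)
        if not mode & 0o020:
            findings.append(f"{kind}: group write missing ({mode:04o})")
        if mode & 0o002:
            findings.append(f"{kind}: world-writable ({mode:04o})")
    return findings
```

Calling audit_share(SAMPLE_CONF, "WWW") returns no findings, while the DROP share is flagged for missing valid users, missing force group, world-writable files and directories the group cannot write to.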
Summary
That’s all there is to it. You can also use this setup to create shareable media directories (everyone in your house sharing MP3s), create editing drop boxes (with slight permissions tweaking), or other collaborative spaces. If you have more questions about Samba configuration see the online manual available at http://us1.samba.org/samba/docs/.
