Samba help - Allow users to create but not delete files

Chaotic42

I've got a Samba share set up with a bunch of Windows 10 clients. I'm trying to set it up such that users can create, but not delete files. I thought that forcing create mode to 555 would do this, but it doesn't seem to. I'm not having a lot of luck on Google. Here's my smb.conf:

Code:
[global]
workgroup = <WORKGROUP NAME>
server string = %h server (Samba, Ubuntu)

inherit permissions = yes
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = no

[<share name>]
path = /mnt/8TB
public = no
valid users = <The username for Samba>
create mask = 555
force create mode = 555
read only = no

Any thoughts? If I remove "read only = no", my user can't write.
 

Bardock

This should work:

http://stackoverflow.com/questions/869536/ddg#869678

It might be enough to set the sticky bit on the directories. Users will be able to delete any files they own, but not those of other users. This may be enough for your use case. On most systems, /tmp is set up this way (/tmp is set 1777).
chmod 1775 /controlled
However, if you want more control, you'll have to enable ACL on the filesystem in question.
In /etc/fstab, append acl to the flags:
/dev/root / ext3 defaults,acl 1 1

You can then use setfacl/getfacl to control and view acl level permissions.

Example: (Create files, once written, they are read only, but CAN be deleted by owner, but not others.)

setfacl --set u::rwxs,g::rwx /controlled
setfacl -d --set u::r-x,g::r-x,o::- /controlled

You can set a default acl list on a directory that will be used by all files created there.
As others have noted, be careful to specify exactly what you want. You say "write" - but can users overwrite their own files? Can they change existing content, or just append? Once written, it's read only? Perhaps you can specify more detail in the comments.
Lastly, selinux and grsecurity provide even more control, but that's a whole other can of worms. It can be quite involved to set up.
 

Chaotic42

Thanks for the advice. I think I'm going to have to do it the hard way; I want the Samba user to be able to write but not delete its own files. It's not a huge deal, but I'll let you know if I get a solution going :p
 

skyking

After a user creates the file, automate a move to a read-only share. I don't have the script for you, but that's my gut on it.
rsync could do the heavy lifting.
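
The move-to-a-read-only-share idea from the post above, written out as an added example that is not part of the original thread. It uses a plain `mv` loop rather than rsync; the function name, the 60-second settle time and the `incoming`/`archive` directories are assumptions.

```sh
#!/bin/sh
# Deleting a file needs write permission on its directory, not on the file,
# so DST must not be writable by the Samba user (for example owned by root
# and exported with "read only = yes"). Names and the 60 s default are
# hypothetical; stat -c assumes a GNU/Linux host.

# sweep_uploads SRC DST [MIN_AGE_SECONDS]
# Moves regular files directly in SRC that have been unmodified for at least
# MIN_AGE_SECONDS into DST, never overwriting, marks them read-only, and
# prints how many were moved. Dotfiles and subdirectories are left alone.
sweep_uploads() {
    src=$1; dst=$2; min_age=${3:-60}
    [ -d "$src" ] && [ -d "$dst" ] || return 2
    now=$(date +%s)
    moved=0
    for f in "$src"/*; do
        # Regular files only; a symlink could point outside the share.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        mtime=$(stat -c %Y "$f") || continue
        # Skip files modified too recently: they may still be uploading.
        [ $((now - mtime)) -ge "$min_age" ] || continue
        name=$(basename "$f")
        target="$dst/$name"
        # Never replace an archived file: suffix the newcomer on collision.
        n=0
        while [ -e "$target" ] || [ -L "$target" ]; do
            n=$((n + 1))
            target="$dst/$name.$now.$n"
        done
        mv -- "$f" "$target" && chmod 0444 "$target" && moved=$((moved + 1))
    done
    echo "$moved"
}

# Run from cron as: sweep.sh /mnt/8TB/incoming /mnt/8TB/archive (hypothetical)
if [ "$#" -ge 2 ]; then sweep_uploads "$@"; fi
```

The writable share would point at the incoming directory and a second share with `read only = yes` at the archive directory.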
 

robb_nl

community.nethserver.org
The downside would be that files can't be changed anymore.... I get the feeling that that still should be an option.
Maybe you can introduce a share recycle bin so deleted items can be retrieved again?
 

skyking

Edit equals the property of deleting the entire contents.
A user can always copy and then edit that copy.