Filesharing using Samba: Allowing multiple different users to write to a single share, but not delete from it.

Synopsis

The traditional Unix permissions are very simple in design and are able to meet a lot of requirements. A common problem, however (as seen on many Linux forums and mailing lists), is how to allow users to write to a directory but not delete from it. This is a valid request, especially on small home networks, where users may want to add content to a directory (e.g. family pictures) but are wary of somebody accidentally deleting the content.

The aim of this guide is to provide a way for multiple different users to write to a single Samba fileshare without being able to delete each other's content.

Introduction

The guide will use an example to help illustrate some of the concepts. The example scenario will use a family of users (Bob and Jane), who want to share family pictures via a Samba fileshare (Pictures).

Username
--------
Bob
Jane

Share name   Purpose
----------   -------
Pictures     A share for sharing family photos

Implementation

The guide assumes that you already have two Samba users configured, Bob and Jane.

The first step is to create the “pictures” group and add Bob and Jane to it.

groupadd pictures
usermod -a -G pictures bob
usermod -a -G pictures jane

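The second step is to create the pictures directory and set the correct permissions. The leading 1 in mode 1775 sets the sticky bit: members of the pictures group can create files in the directory, but a file can only be deleted or renamed by its owner, by the directory's owner (root here) or by root.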

mkdir -p /srv/pictures
chmod 1775 /srv/pictures
chown root:pictures /srv/pictures

The third (and final) step is to configure Samba to share the Pictures share.

Edit /etc/samba/smb.conf and add the following share definition:

[Pictures]
comment = Family pictures
path = /srv/pictures
browseable = no
writeable = yes
create mask = 0644
directory mask = 0755
valid users = @pictures

The share has now been set up successfully. You will need to restart Samba for the changes to take effect.

Tip: Changing File Permissions to read-only via a cronjob

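The current configuration allows users to add files to a share but not delete others' content. They can, however, still delete their own content. One solution to this problem is to write a script (as below) that changes the ownership of the share's content to root and its permissions to read-only. The script can then be scheduled to execute regularly, using a cronjob.

#!/bin/bash
# Lock existing content: root-owned, directories 755, files 644 (no execute bit).
# find does not follow symbolic links; chown -h changes a link itself, not its target.
find /srv/pictures -mindepth 1 -type d -exec chmod 755 {} +
find /srv/pictures -mindepth 1 -type f -exec chmod 644 {} +
find /srv/pictures -mindepth 1 -exec chown -h root:root {} +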
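
The following check is an added example, not part of the original guide: it verifies that the share directory has the ownership and mode set in the second step, and lists content that the cron job from the tip has not yet made read-only. The function names audit_share and list_unlocked are hypothetical, and GNU stat and find are assumed.

```shell
#!/bin/sh
# Added example (not from the original guide). Requires GNU stat and find.

# audit_share DIR [OWNER] [GROUP]: prints one line per problem and
# returns 0 only if DIR matches the guide's layout (root:pictures, 1775).
audit_share() {
    local dir owner group mode rc
    dir=$1; owner=${2:-root}; group=${3:-pictures}; rc=0
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "FAIL: $dir is not a real directory"; return 1
    fi
    mode=$(stat -c '%a' "$dir")        # octal mode, e.g. 1775
    # Without the sticky bit, group write lets any member delete any file.
    [ $(( 0$mode & 01000 )) -ne 0 ] || { echo "FAIL: sticky bit not set"; rc=1; }
    [ $(( 0$mode & 00020 )) -ne 0 ] || { echo "FAIL: not group-writable"; rc=1; }
    [ $(( 0$mode & 00002 )) -eq 0 ] || { echo "FAIL: world-writable"; rc=1; }
    # The sticky bit still lets the directory's owner delete everything,
    # so the owner must not be one of the share users.
    [ "$(stat -c '%U' "$dir")" = "$owner" ] || { echo "FAIL: owner is not $owner"; rc=1; }
    [ "$(stat -c '%G' "$dir")" = "$group" ] || { echo "FAIL: group is not $group"; rc=1; }
    return "$rc"
}

# list_unlocked DIR [OWNER]: prints content the cron job has not locked yet,
# i.e. entries not owned by OWNER, or writable by group or others.
list_unlocked() {
    find "$1" -mindepth 1 \( ! -user "${2:-root}" -o \( ! -type l -perm /022 \) \) -print
}

# Stand-alone use: sh audit.sh /srv/pictures
if [ "$#" -gt 0 ]; then
    audit_share "$@" && echo "OK: $1 matches the guide"
    list_unlocked "$1" "${2:-root}"
fi
```

Anything printed by list_unlocked between cron runs is content its uploader can still delete or modify.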