The manpage description of "read list" and "write list" might be a little bit confusing to a Samba-newbie like me.
I thought that to restrict users I just had to set "read list" to an empty value and "write list" to a set of users+groups. However these do not work as I thought.
O'Reilly has a nice guide to Samba and they explain it more clearly:
"These options can be used on a per-share basis to restrict a writable share or grant write access to specific users in a read-only share, respectively."
So neither of these affects whether a user can access a share or not. For that you have to use the "valid users" directive.
E.g. if you want a share to be accessible by users of group1 and group2, but allow writes only to members of group2, then you have to use the following directives for the share:
valid users = @group1, @group2
read only = yes
write list = @group2
PS: Of course you have to keep in mind that the rules in smb.conf do not override the OS-level permission rules. E.g. if you want to give two groups access to a share, then you have to give world-wide access to the directory of that share, since the directory on the OS level can belong to only one group. Or you could use OS-level ACLs, but this is not very common in the Linux world.
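An added example (not from the original post or from Samba's code): a simplified Python model of how "valid users", "read only", "write list" and "read list" combine, evaluated against the share above. The share name "projects", the sample accounts and the helper functions are made up for illustration; the model ignores filesystem permissions, "invalid users" and NIS netgroups.

```python
# Added illustration: simplified model of Samba's per-share access rules.
import configparser

SHARE = """
[projects]
valid users = @group1, @group2
read only = yes
write list = @group2
"""

# Constructed sample accounts: user -> Unix groups
GROUPS = {"alice": {"group1"}, "bob": {"group2"}, "carol": {"staff"}}


def in_list(user, value, groups):
    """True if user matches an entry of a Samba user list (name, @group, +group)."""
    for entry in value.replace(",", " ").split():
        if entry[0] in "@+":
            if entry[1:] in groups.get(user, set()):
                return True
        elif entry == user:
            return True
    return False


def access(user, share, groups):
    """Return 'none', 'read' or 'write' for user on the parsed share section."""
    valid = share.get("valid users", "")
    # An empty "valid users" means anyone may connect; otherwise it is the gate.
    if valid.strip() and not in_list(user, valid, groups):
        return "none"
    # "write list" wins over both "read only = yes" and "read list".
    if in_list(user, share.get("write list", ""), groups):
        return "write"
    if in_list(user, share.get("read list", ""), groups):
        return "read"
    return "read" if share.getboolean("read only", fallback=True) else "write"


def load_share(text, name):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser[name]


if __name__ == "__main__":
    share = load_share(SHARE, "projects")
    for user in GROUPS:
        print(user, access(user, share, GROUPS))
```

Feeding the model a share that has only an empty "read list" and a "write list" shows the pitfall described at the top: a user outside both lists still gets read access, because nothing gates the connection.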
Comments
Have you tried it?
In http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html, section "write list (S)" states:
"By design, this parameter will not work with the security = share in Samba 3.0."
Re: Have you tried it?
If "write list" won't work with "security = share", then it's probably the reason why it does not work for you either.