On Mon, Oct 22, 2007 at 01:01:31PM -0400, Mathias Gug wrote:
> I've attached a diff that implements the usershare option with
> suggestions discussed previously.

> I've reworked the postinst script to create the sambashare group and the
> directory. I've also updated man pages (smb.conf and net) to not
> include the steps to set up usershares. I've replaced it with a mention of
> the sambashare group.

> I haven't addressed the issue of adding a new option in the configuration
> file.

IIRC, the conclusion we reached at UDS was that the value of "usershare max
shares" should be set at compile time to avoid any hassle of updating
smb.conf files, is that how you remember it as well?

Also, according to the samba documentation, the permissions on the usershare
path need to be 01770 rather than 01775.

Please find attached an updated patch which incorporates these two changes,
as well as tweaking the documentation patch for consistency. If this looks
good to everyone, I can go ahead and commit it straight away.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
=== added file 'debian/patches/usershare.patch' --- debian/patches/usershare.patch 1970-01-01 00:00:00 +0000 +++ debian/patches/usershare.patch 2007-11-11 17:39:25 +0000 
@@ -0,0 +1,195 @@ +Index: samba-3.0.26a/docs/manpages/smb.conf.5 +=================================================================== +--- samba-3.0.26a.orig/docs/manpages/smb.conf.5 ++++ samba-3.0.26a/docs/manpages/smb.conf.5 +@@ -253,7 +253,7 @@ + .PP + usershare path + .RS 3n +-Points to the directory containing the user defined share definitions. The filesystem permissions on this directory control who can create user defined shares. ++Points to the directory containing the user-defined share definitions. The filesystem permissions on this directory control who can create user-defined shares. + .RE + .PP + usershare prefix allow list +@@ -271,32 +271,7 @@ + Names a pre-existing share used as a template for creating new usershares. All other share parameters not specified in the user defined share definition are copied from this named share. + .RE + .PP +-To allow members of the UNIX group +-foo +-to create user defined shares, create the directory to contain the share definitions as follows: +-.PP +-Become root: +- +-.nf +- +-mkdir /usr/local/samba/lib/usershares +-chgrp foo /usr/local/samba/lib/usershares +-chmod 1770 /usr/local/samba/lib/usershares +- +-.fi +-.PP +-Then add the parameters +- +-.sp +- +-.nf +- +- usershare path = /usr/local/samba/lib/usershares +- usershare max shares = 10 # (or the desired number of shares) +- +-.fi +-to the global section of your +-\fIsmb.conf\fR. Members of the group foo may then manipulate the user defined shares using the following commands. ++Members of the \fBsambashare\fR group can manipulate the user-defined shares using the following commands: + .PP + net usershare add sharename path [comment] [acl] [guest_ok=[y|n]] + .RS 3n +@@ -6964,9 +6939,9 @@ + .PP + usershare path (G) + .RS 3n +-This parameter specifies the absolute path of the directory on the filesystem used to store the user defined share definition files. 
This directory must be owned by root, and have no access for other, and be writable only by the group owner. In addition the "sticky" bit must also be set, restricting rename and delete to owners of a file (in the same way the /tmp directory is usually configured). Members of the group owner of this directory are the users allowed to create usershares. If this parameter is undefined then no user defined shares are allowed. ++This parameter specifies the absolute path of the directory on the filesystem used to store the user-defined share definition files. This directory must be owned by root, and have no access for other, and be writable only by the group owner. In addition the "sticky" bit must also be set, restricting rename and delete to owners of a file (in the same way the /tmp directory is usually configured). Members of the group owner of this directory are the users allowed to create usershares. If this parameter is undefined then no user-defined shares are allowed. + .sp +-For example, a valid usershare directory might be /usr/local/samba/lib/usershares, set up as follows. ++For example, on Debian the default usershare directory of /var/lib/samba/usershares is set up as follows. + .sp + + +@@ -6974,16 +6949,16 @@ + + .nf + +- ls -ld /usr/local/samba/lib/usershares/ +- drwxrwx--T 2 root power_users 4096 2006-05-05 12:27 /usr/local/samba/lib/usershares/ ++ ls -ld /var/lib/samba/usershares/ ++ drwxrwx--T 2 root sambashare 4096 2006-05-05 12:27 /var/lib/samba/usershares/ + + .fi + + .sp +-In this case, only members of the group "power_users" can create user defined shares. ++In this case, only members of the group "sambashare" can create user defined shares. 
+ .sp + Default: +-\fB\fIusershare path\fR = NULL \fR ++\fB\fIusershare path\fR = /var/lib/samba/usershares \fR + .RE + .PP + usershare prefix allow list (G) +Index: samba-3.0.26a/docs/manpages/net.8 +=================================================================== +--- samba-3.0.26a.orig/docs/manpages/net.8 ++++ samba-3.0.26a/docs/manpages/net.8 +@@ -675,9 +675,9 @@ + Store a secret for the sepcified domain, used primarily for domains that use idmap_ldap as a backend. In this case the secret is used as the password for the user DN used to bind to the ldap server. + .SS "USERSHARE" + .PP +-Starting with version 3.0.23, a Samba server now supports the ability for non-root users to add user define shares to be exported using the "net usershare" commands. ++Starting with version 3.0.23, a Samba server now supports the ability for non-root users to add user-defined shares to be exported using the "net usershare" commands. + .PP +-To set this up, first set up your smb.conf by adding to the [global] section : usershare path = /usr/local/samba/lib/usershares Next create the directory /usr/local/samba/lib/usershares, change the owner to root and set the group owner to the UNIX group who should have the ability to create usershares, for example a group called "serverops". Set the permissions on /usr/local/samba/lib/usershares to 01770. (Owner and group all access, no access for others, plus the sticky bit, which means that a file in that directory can be renamed or deleted only by the owner of the file). Finally, tell smbd how many usershares you will allow by adding to the [global] section of smb.conf a line such as : usershare max shares = 100. To allow 100 usershare definitions. Now, members of the UNIX group "serverops" can create user defined shares on demand using the commands below. ++Members of the UNIX group "sambashare" can create user-defined shares on demand using the commands below. 
+ .PP + The usershare commands are: + .IP "" 3n +Index: samba-3.0.26a/source/param/loadparm.c +=================================================================== +--- samba-3.0.26a.orig/source/param/loadparm.c ++++ samba-3.0.26a/source/param/loadparm.c +@@ -1676,7 +1676,7 @@ + pstrcat(s, "/usershares"); + string_set(&Globals.szUsersharePath, s); + string_set(&Globals.szUsershareTemplateShare, ""); +- Globals.iUsershareMaxShares = 0; ++ Globals.iUsershareMaxShares = 100; + /* By default disallow sharing of directories not owned by the sharer. */ + Globals.bUsershareOwnerOnly = True; + /* By default disallow guest access to usershares. */ +Index: samba-3.0.26a/docs/htmldocs/manpages/smb.conf.5.html +=================================================================== +--- samba-3.0.26a.orig/docs/htmldocs/manpages/smb.conf.5.html ++++ samba-3.0.26a/docs/htmldocs/manpages/smb.conf.5.html +@@ -164,8 +164,8 @@ + their own share definitions has been added. This capability is called <span class="emphasis"><em>usershares</em></span> and + is controlled by a set of parameters in the [global] section of the smb.conf. + The relevant parameters are : +- </p><div class="variablelist"><dl><dt><span class="term">usershare allow guests</span></dt><dd><p>Controls if usershares can permit guest access.</p></dd><dt><span class="term">usershare max shares</span></dt><dd><p>Maximum number of user defined shares allowed.</p></dd><dt><span class="term">usershare owner only</span></dt><dd><p>If set only directories owned by the sharing user can be shared.</p></dd><dt><span class="term">usershare path</span></dt><dd><p>Points to the directory containing the user defined share definitions. 
+- The filesystem permissions on this directory control who can create user defined shares.</p></dd><dt><span class="term">usershare prefix allow list</span></dt><dd><p>Comma-separated list of absolute pathnames restricting what directories ++ </p><div class="variablelist"><dl><dt><span class="term">usershare allow guests</span></dt><dd><p>Controls if usershares can permit guest access.</p></dd><dt><span class="term">usershare max shares</span></dt><dd><p>Maximum number of user defined shares allowed.</p></dd><dt><span class="term">usershare owner only</span></dt><dd><p>If set only directories owned by the sharing user can be shared.</p></dd><dt><span class="term">usershare path</span></dt><dd><p>Points to the directory containing the user-defined share definitions. ++ The filesystem permissions on this directory control who can create user-defined shares.</p></dd><dt><span class="term">usershare prefix allow list</span></dt><dd><p>Comma-separated list of absolute pathnames restricting what directories + can be shared. Only directories below the pathnames in this list are permitted.</p></dd><dt><span class="term">usershare prefix deny list</span></dt><dd><p>Comma-separated list of absolute pathnames restricting what directories + can be shared. Directories below the pathnames in this list are prohibited.</p></dd><dt><span class="term">usershare template share</span></dt><dd><p>Names a pre-existing share used as a template for creating new usershares. + All other share parameters not specified in the user defined share definition +@@ -4509,25 +4509,25 @@ + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare owner only</code></em> = <code class="literal">True</code> + </em></span> + </p></dd><dt><span class="term"><a name="USERSHAREPATH"></a>usershare path (G)</span></dt><dd><p>This parameter specifies the absolute path of the directory on the +- filesystem used to store the user defined share definition files. 
++ filesystem used to store the user-defined share definition files. + This directory must be owned by root, and have no access for + other, and be writable only by the group owner. In addition the + "sticky" bit must also be set, restricting rename and delete to + owners of a file (in the same way the /tmp directory is usually configured). + Members of the group owner of this directory are the users allowed to create +- usershares. If this parameter is undefined then no user defined ++ usershares. If this parameter is undefined then no user-defined + shares are allowed. + </p><p> +- For example, a valid usershare directory might be /usr/local/samba/lib/usershares, +- set up as follows. ++ For example, on Debian the default usershare directory of ++ /var/lib/samba/usershares is set up as follows. + </p><p> + </p><pre class="programlisting"> +- ls -ld /usr/local/samba/lib/usershares/ +- drwxrwx--T 2 root power_users 4096 2006-05-05 12:27 /usr/local/samba/lib/usershares/ ++ ls -ld /var/lib/samba/usershares/ ++ drwxrwx--T 2 root sambashare 4096 2006-05-05 12:27 /var/lib/samba/usershares/ + </pre><p> + </p><p> +- In this case, only members of the group "power_users" can create user defined shares. +- </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare path</code></em> = <code class="literal">NULL</code> ++ In this case, only members of the group "sambashare" can create user defined shares. ++ </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare path</code></em> = <code class="literal">/var/lib/samba/usershares</code> + </em></span> + </p></dd><dt><span class="term"><a name="USERSHAREPREFIXALLOWLIST"></a>usershare prefix allow list (G)</span></dt><dd><p>This parameter specifies a list of absolute pathnames + the root of which are allowed to be exported by user defined share definitions. 
+Index: samba-3.0.26a/docs/htmldocs/manpages/net.8.html +=================================================================== +--- samba-3.0.26a.orig/docs/htmldocs/manpages/net.8.html ++++ samba-3.0.26a/docs/htmldocs/manpages/net.8.html +@@ -249,30 +249,10 @@ + that use idmap_ldap as a backend. In this case the secret is used + as the password for the user DN used to bind to the ldap server. + </p></div><div class="refsect2" lang="en"><a name="id302073"></a><h3>USERSHARE</h3><p>Starting with version 3.0.23, a Samba server now supports the ability for +-non-root users to add user define shares to be exported using the "net usershare" ++non-root users to add user-defined shares to be exported using the "net usershare" + commands. + </p><p> +-To set this up, first set up your smb.conf by adding to the [global] section : +- +-usershare path = /usr/local/samba/lib/usershares +- +-Next create the directory /usr/local/samba/lib/usershares, change the owner to root and +-set the group owner to the UNIX group who should have the ability to create usershares, +-for example a group called "serverops". +- +-Set the permissions on /usr/local/samba/lib/usershares to 01770. +- +-(Owner and group all access, no access for others, plus the sticky bit, +-which means that a file in that directory can be renamed or deleted only +-by the owner of the file). +- +-Finally, tell smbd how many usershares you will allow by adding to the [global] +-section of smb.conf a line such as : +- +-usershare max shares = 100. +- +-To allow 100 usershare definitions. Now, members of the UNIX group "serverops" +-can create user defined shares on demand using the commands below. ++Members of the UNIX group "sambashare" can create user-defined shares on demand using the commands below. 
+ </p><p>The usershare commands are: + + </p><table class="simplelist" border="0" summary="Simple list"><tr><td>net usershare add sharename path [comment] [acl] [guest_ok=[y|n]] - to add or change a user defined share.</td></tr><tr><td>net usershare delete sharename - to delete a user defined share.</td></tr><tr><td>net usershare info [-l|--long] [wildcard sharename] - to print info about a user defined share.</td></tr><tr><td>net usershare list [-l|--long] [wildcard sharename] - to list user defined shares.</td></tr></table><p> === modified file 'debian/patches/series' --- debian/patches/series 2007-09-30 12:33:47 +0000 +++ debian/patches/series 2007-11-11 17:26:46 +0000 @@ -22,3 +22,4 @@ cifs-umount-trailing-slashes.patch cifs-umount-same-user.patch smbpasswd-syslog.patch +usershare.patch === modified file 'debian/samba-common.postinst' --- debian/samba-common.postinst 2007-09-17 20:21:27 +0000 +++ debian/samba-common.postinst 2007-11-11 02:36:25 +0000 @@ -102,3 +102,18 @@ db_stop #DEBHELPER# + +case "$1" in + configure) + # add the sambashare group + if ! getent group sambashare > /dev/null 2>&1 + then + addgroup --system sambashare + fi + + if [ ! -e /var/lib/samba/usershares ] + then + install -d -m 1770 -g sambashare /var/lib/samba/usershares + fi + ;; +esac === modified file 'debian/smb.conf' --- debian/smb.conf 2007-08-11 06:30:09 +0000 +++ debian/smb.conf 2007-11-12 06:46:53 +0000 @@ -214,6 +214,12 @@ ; winbind enum groups = yes ; winbind enum users = yes +# Setup usershare options to enable non-root users to share folders +# with the net usershare command. + +# Maximum number of usershare. 0 (default) means that usershare is disabled. +; usershare max shares = 100 + #======================= Share Definitions ======================= [homes]
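
Review bot: the replacement sentence after the ls -ld example in smb.conf.5 (and its counterpart in smb.conf.5.html) still reads "can create user defined shares" while the other lines this patch touches switch to "user-defined"; hyphenate it so the documentation change is consistent. The setup text removed from the USERSHARE section of net.8 was also the only place in that section stating that the directory must be root-owned with mode 01770 and the sticky bit, so a pointer to the "usershare path" entry in smb.conf(5) would keep that requirement discoverable for an admin who relocates the directory.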
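
Review bot: changing Globals.iUsershareMaxShares from 0 to 100 in loadparm.c turns usershares on in every build, leaving membership of the group that owns the usershare directory as the only gate, yet none of the documentation hunks shown here updates the documented default of "usershare max shares" to match. Add the corresponding Default: change to smb.conf.5 and smb.conf.5.html. The context lines of this hunk build the default path as a prefix plus "/usershares"; the prefix is not visible here, so confirm it resolves to the /var/lib/samba/usershares that the man page hunks now document as the default.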
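
Review bot: in the configure branch added to debian/samba-common.postinst, the [ ! -e /var/lib/samba/usershares ] guard skips the install call whenever anything already exists at that path, so a directory left with a different mode or group (for example the 01775 mentioned in the cover message) or a non-directory file is never corrected. The man page text in this same patch requires root ownership, no access for other and the sticky bit, so consider testing with -d and either re-applying owner, group and mode or warning when they differ. The install line also relies on the postinst running as root for the owner; adding -o root would make that explicit.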
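
Review bot: the comment added to debian/smb.conf, "0 (default) means that usershare is disabled", contradicts the loadparm.c hunk, which makes 100 the compiled-in default, and the commented-out "; usershare max shares = 100" then shows the value that already applies. Reword the comment to say that 100 is the default and that setting 0 disables usershares; "Maximum number of usershare" should also read "usershares".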