Create samba share with only write and no read permissions
Clash Royale CLAN TAG#URR8PPP
up vote
0
down vote
favorite
Use case
I'm the only user. I have an ubuntu NAS with fulldisk encryption, and I'm trying to back up my own Windows machines to that. I want to have a USB stick that I can boot from to clone the Windows drives to the NAS, but I don't want the whole backup share to be readable by anyone who may come across that USB stick with the share credentials on it. Can you think of a better solution?
What I was thinking could work
I've been searching but unable to find what I need, everything I have found is about simply enabling write access to a share, which is not what I want to do.
I would like to create a samba share on my ubuntu machine where users have only write permissions. I would like them to be able to create files but not be able to read them, nor list folders inside the share.
This is for the purpose of backup. I want to have a bootable usb drive that I can boot from that will take disk images of the drives in that machine and save to the samba share, but I don't want that usb to have access to all the images.
I'm happy if it just fails if a file already exists, I will ensure the filenames do not conflict by using drive UUIDs/time.
backup samba
 |Â
show 2 more comments
up vote
0
down vote
favorite
Use case
I'm the only user. I have an ubuntu NAS with fulldisk encryption, and I'm trying to back up my own Windows machines to that. I want to have a USB stick that I can boot from to clone the Windows drives to the NAS, but I don't want the whole backup share to be readable by anyone who may come across that USB stick with the share credentials on it. Can you think of a better solution?
What I was thinking could work
I've been searching but unable to find what I need, everything I have found is about simply enabling write access to a share, which is not what I want to do.
I would like to create a samba share on my ubuntu machine where users have only write permissions. I would like them to be able to create files but not be able to read them, nor list folders inside the share.
This is for the purpose of backup. I want to have a bootable usb drive that I can boot from that will take disk images of the drives in that machine and save to the samba share, but I don't want that usb to have access to all the images.
I'm happy if it just fails if a file already exists, I will ensure the filenames do not conflict by using drive UUIDs/time.
backup samba
1
See also superuser.com/questions/646442/â¦
â Nick ODell
Jul 5 at 7:10
See also - askubuntu.com/questions/534251/⦠& serverfault.com/questions/114270/â¦.
â slmâ¦
Jul 5 at 7:24
Most of the answers are showing that this isn't possible as described, the only solution that looked worthwhile was the serverfault one which suggests using the student/teacher ownership paradigm.
â slmâ¦
Jul 5 at 7:43
1
You could configuressh
to allow you to connect to the NAS, using a public key. It should be possible to configure it to only allow you to deliver files.
â ctrl-alt-delor
Jul 5 at 13:43
@ctrl-alt-delor Thanks, that does sound like a good way to achieve what I want. Do you have any advice or a link on how to achieve that with ssh? I know how to set up ssh access with a key but not how to configure it to only allow delivering files without shell access or access to other folders.
â localhost
Jul 5 at 23:01
 |Â
show 2 more comments
up vote
0
down vote
favorite
up vote
0
down vote
favorite
Use case
I'm the only user. I have an ubuntu NAS with fulldisk encryption, and I'm trying to back up my own Windows machines to that. I want to have a USB stick that I can boot from to clone the Windows drives to the NAS, but I don't want the whole backup share to be readable by anyone who may come across that USB stick with the share credentials on it. Can you think of a better solution?
What I was thinking could work
I've been searching but unable to find what I need, everything I have found is about simply enabling write access to a share, which is not what I want to do.
I would like to create a samba share on my ubuntu machine where users have only write permissions. I would like them to be able to create files but not be able to read them, nor list folders inside the share.
This is for the purpose of backup. I want to have a bootable usb drive that I can boot from that will take disk images of the drives in that machine and save to the samba share, but I don't want that usb to have access to all the images.
I'm happy if it just fails if a file already exists, I will ensure the filenames do not conflict by using drive UUIDs/time.
backup samba
Use case
I'm the only user. I have an ubuntu NAS with fulldisk encryption, and I'm trying to back up my own Windows machines to that. I want to have a USB stick that I can boot from to clone the Windows drives to the NAS, but I don't want the whole backup share to be readable by anyone who may come across that USB stick with the share credentials on it. Can you think of a better solution?
What I was thinking could work
I've been searching but unable to find what I need, everything I have found is about simply enabling write access to a share, which is not what I want to do.
I would like to create a samba share on my ubuntu machine where users have only write permissions. I would like them to be able to create files but not be able to read them, nor list folders inside the share.
This is for the purpose of backup. I want to have a bootable usb drive that I can boot from that will take disk images of the drives in that machine and save to the samba share, but I don't want that usb to have access to all the images.
I'm happy if it just fails if a file already exists, I will ensure the filenames do not conflict by using drive UUIDs/time.
backup samba
edited Jul 5 at 13:38
ctrl-alt-delor
8,68331947
8,68331947
asked Jul 5 at 6:51
localhost
1243
1243
1
See also superuser.com/questions/646442/â¦
â Nick ODell
Jul 5 at 7:10
See also - askubuntu.com/questions/534251/⦠& serverfault.com/questions/114270/â¦.
â slmâ¦
Jul 5 at 7:24
Most of the answers are showing that this isn't possible as described, the only solution that looked worthwhile was the serverfault one which suggests using the student/teacher ownership paradigm.
â slmâ¦
Jul 5 at 7:43
1
You could configuressh
to allow you to connect to the NAS, using a public key. It should be possible to configure it to only allow you to deliver files.
â ctrl-alt-delor
Jul 5 at 13:43
@ctrl-alt-delor Thanks, that does sound like a good way to achieve what I want. Do you have any advice or a link on how to achieve that with ssh? I know how to set up ssh access with a key but not how to configure it to only allow delivering files without shell access or access to other folders.
â localhost
Jul 5 at 23:01
 |Â
show 2 more comments
1
See also superuser.com/questions/646442/â¦
â Nick ODell
Jul 5 at 7:10
See also - askubuntu.com/questions/534251/⦠& serverfault.com/questions/114270/â¦.
â slmâ¦
Jul 5 at 7:24
Most of the answers are showing that this isn't possible as described, the only solution that looked worthwhile was the serverfault one which suggests using the student/teacher ownership paradigm.
â slmâ¦
Jul 5 at 7:43
1
You could configuressh
to allow you to connect to the NAS, using a public key. It should be possible to configure it to only allow you to deliver files.
â ctrl-alt-delor
Jul 5 at 13:43
@ctrl-alt-delor Thanks, that does sound like a good way to achieve what I want. Do you have any advice or a link on how to achieve that with ssh? I know how to set up ssh access with a key but not how to configure it to only allow delivering files without shell access or access to other folders.
â localhost
Jul 5 at 23:01
1
1
See also superuser.com/questions/646442/â¦
â Nick ODell
Jul 5 at 7:10
See also superuser.com/questions/646442/â¦
â Nick ODell
Jul 5 at 7:10
See also - askubuntu.com/questions/534251/⦠& serverfault.com/questions/114270/â¦.
â slmâ¦
Jul 5 at 7:24
See also - askubuntu.com/questions/534251/⦠& serverfault.com/questions/114270/â¦.
â slmâ¦
Jul 5 at 7:24
Most of the answers are showing that this isn't possible as described, the only solution that looked worthwhile was the serverfault one which suggests using the student/teacher ownership paradigm.
â slmâ¦
Jul 5 at 7:43
Most of the answers are showing that this isn't possible as described, the only solution that looked worthwhile was the serverfault one which suggests using the student/teacher ownership paradigm.
â slmâ¦
Jul 5 at 7:43
1
1
You could configure
ssh
to allow you to connect to the NAS, using a public key. It should be possible to configure it to only allow you to deliver files.â ctrl-alt-delor
Jul 5 at 13:43
You could configure
ssh
to allow you to connect to the NAS, using a public key. It should be possible to configure it to only allow you to deliver files.â ctrl-alt-delor
Jul 5 at 13:43
@ctrl-alt-delor Thanks, that does sound like a good way to achieve what I want. Do you have any advice or a link on how to achieve that with ssh? I know how to set up ssh access with a key but not how to configure it to only allow delivering files without shell access or access to other folders.
â localhost
Jul 5 at 23:01
@ctrl-alt-delor Thanks, that does sound like a good way to achieve what I want. Do you have any advice or a link on how to achieve that with ssh? I know how to set up ssh access with a key but not how to configure it to only allow delivering files without shell access or access to other folders.
â localhost
Jul 5 at 23:01
 |Â
show 2 more comments
1 Answer
1
active
oldest
votes
up vote
1
down vote
Mount points only support disabling write (readonly), but not disabling read. However you may can do most of it with file permissions.
It will not be possible to stop a user from reading her own files, but you can stop her from reading other peoples files.
You will need:
- Sticky bit, to stop users from removing each others files.
- Turn off the read bits of the directory to stop others from reading
- Set a default permission, to turn off the read bits of files to stop others from reading them.
How to
chmod +t "ëthe directoryû"
setfacl -m "u::wx,g::wx,o:-" "ëthe directoryû"
setfacl -m "d:u::-,d:g::-,d:o:-" "ëthe directoryû"
Warnings
This will not be easily used by users, consider giving some extra permissions. Or one directory per user.
I also don't think that this is the way to do backups. Set up a cron job to do backups every day. You may be using backups for revision control, consider using a revision control system. Sub-version (svn), is a good one for must users, and most file types. Mercurial is also good for programmers, and can be used for other file-types, but I would not recommend it for any non-mergeable files (such as MS-Office).
Thanks for the answer, although it's not exactly what I want for my situation. I'm the only user. I have an ubuntu NAS with fulldisk encryption, and I'm trying to back up my own Windows machines to that. I want to have a USB stick that I can boot from to clone the Windows drives to the NAS, but I don't want the whole backup share to be readable by anyone who may come across that USB stick with the share credentials on it. Can you think of a better solution?
â localhost
Jul 5 at 12:40
add a comment |Â
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
1
down vote
Mount points only support disabling write (readonly), but not disabling read. However you may can do most of it with file permissions.
It will not be possible to stop a user from reading her own files, but you can stop her from reading other peoples files.
You will need:
- Sticky bit, to stop users from removing each others files.
- Turn off the read bits of the directory to stop others from reading
- Set a default permission, to turn off the read bits of files to stop others from reading them.
How to
chmod +t "ëthe directoryû"
setfacl -m "u::wx,g::wx,o:-" "ëthe directoryû"
setfacl -m "d:u::-,d:g::-,d:o:-" "ëthe directoryû"
Warnings
This will not be easily used by users, consider giving some extra permissions. Or one directory per user.
I also don't think that this is the way to do backups. Set up a cron job to do backups every day. You may be using backups for revision control, consider using a revision control system. Sub-version (svn), is a good one for must users, and most file types. Mercurial is also good for programmers, and can be used for other file-types, but I would not recommend it for any non-mergeable files (such as MS-Office).
Thanks for the answer, although it's not exactly what I want for my situation. I'm the only user. I have an ubuntu NAS with fulldisk encryption, and I'm trying to back up my own Windows machines to that. I want to have a USB stick that I can boot from to clone the Windows drives to the NAS, but I don't want the whole backup share to be readable by anyone who may come across that USB stick with the share credentials on it. Can you think of a better solution?
â localhost
Jul 5 at 12:40
add a comment |Â
up vote
1
down vote
Mount points only support disabling write (readonly), but not disabling read. However you may can do most of it with file permissions.
It will not be possible to stop a user from reading her own files, but you can stop her from reading other peoples files.
You will need:
- Sticky bit, to stop users from removing each others files.
- Turn off the read bits of the directory to stop others from reading
- Set a default permission, to turn off the read bits of files to stop others from reading them.
How to
chmod +t "ëthe directoryû"
setfacl -m "u::wx,g::wx,o:-" "ëthe directoryû"
setfacl -m "d:u::-,d:g::-,d:o:-" "ëthe directoryû"
Warnings
This will not be easily used by users, consider giving some extra permissions. Or one directory per user.
I also don't think that this is the way to do backups. Set up a cron job to do backups every day. You may be using backups for revision control, consider using a revision control system. Sub-version (svn), is a good one for must users, and most file types. Mercurial is also good for programmers, and can be used for other file-types, but I would not recommend it for any non-mergeable files (such as MS-Office).
Thanks for the answer, although it's not exactly what I want for my situation. I'm the only user. I have an ubuntu NAS with fulldisk encryption, and I'm trying to back up my own Windows machines to that. I want to have a USB stick that I can boot from to clone the Windows drives to the NAS, but I don't want the whole backup share to be readable by anyone who may come across that USB stick with the share credentials on it. Can you think of a better solution?
â localhost
Jul 5 at 12:40
add a comment |Â
up vote
1
down vote
up vote
1
down vote
Mount points only support disabling write (readonly), but not disabling read. However you may can do most of it with file permissions.
It will not be possible to stop a user from reading her own files, but you can stop her from reading other peoples files.
You will need:
- Sticky bit, to stop users from removing each others files.
- Turn off the read bits of the directory to stop others from reading
- Set a default permission, to turn off the read bits of files to stop others from reading them.
How to
chmod +t "ëthe directoryû"
setfacl -m "u::wx,g::wx,o:-" "ëthe directoryû"
setfacl -m "d:u::-,d:g::-,d:o:-" "ëthe directoryû"
Warnings
This will not be easily used by users, consider giving some extra permissions. Or one directory per user.
I also don't think that this is the way to do backups. Set up a cron job to do backups every day. You may be using backups for revision control, consider using a revision control system. Sub-version (svn), is a good one for must users, and most file types. Mercurial is also good for programmers, and can be used for other file-types, but I would not recommend it for any non-mergeable files (such as MS-Office).
Mount points only support disabling write (readonly), but not disabling read. However you may can do most of it with file permissions.
It will not be possible to stop a user from reading her own files, but you can stop her from reading other peoples files.
You will need:
- Sticky bit, to stop users from removing each others files.
- Turn off the read bits of the directory to stop others from reading
- Set a default permission, to turn off the read bits of files to stop others from reading them.
How to
chmod +t "ëthe directoryû"
setfacl -m "u::wx,g::wx,o:-" "ëthe directoryû"
setfacl -m "d:u::-,d:g::-,d:o:-" "ëthe directoryû"
Warnings
This will not be easily used by users, consider giving some extra permissions. Or one directory per user.
I also don't think that this is the way to do backups. Set up a cron job to do backups every day. You may be using backups for revision control, consider using a revision control system. Sub-version (svn), is a good one for must users, and most file types. Mercurial is also good for programmers, and can be used for other file-types, but I would not recommend it for any non-mergeable files (such as MS-Office).
edited Jul 5 at 11:12
answered Jul 5 at 11:06
ctrl-alt-delor
8,68331947
8,68331947
Thanks for the answer, although it's not exactly what I want for my situation. I'm the only user. I have an ubuntu NAS with fulldisk encryption, and I'm trying to back up my own Windows machines to that. I want to have a USB stick that I can boot from to clone the Windows drives to the NAS, but I don't want the whole backup share to be readable by anyone who may come across that USB stick with the share credentials on it. Can you think of a better solution?
â localhost
Jul 5 at 12:40
add a comment |Â
Thanks for the answer, although it's not exactly what I want for my situation. I'm the only user. I have an ubuntu NAS with fulldisk encryption, and I'm trying to back up my own Windows machines to that. I want to have a USB stick that I can boot from to clone the Windows drives to the NAS, but I don't want the whole backup share to be readable by anyone who may come across that USB stick with the share credentials on it. Can you think of a better solution?
â localhost
Jul 5 at 12:40
Thanks for the answer, although it's not exactly what I want for my situation. I'm the only user. I have an ubuntu NAS with fulldisk encryption, and I'm trying to back up my own Windows machines to that. I want to have a USB stick that I can boot from to clone the Windows drives to the NAS, but I don't want the whole backup share to be readable by anyone who may come across that USB stick with the share credentials on it. Can you think of a better solution?
â localhost
Jul 5 at 12:40
Thanks for the answer, although it's not exactly what I want for my situation. I'm the only user. I have an ubuntu NAS with fulldisk encryption, and I'm trying to back up my own Windows machines to that. I want to have a USB stick that I can boot from to clone the Windows drives to the NAS, but I don't want the whole backup share to be readable by anyone who may come across that USB stick with the share credentials on it. Can you think of a better solution?
â localhost
Jul 5 at 12:40
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f453541%2fcreate-samba-share-with-only-write-and-no-read-permissions%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
1
See also superuser.com/questions/646442/â¦
â Nick ODell
Jul 5 at 7:10
See also - askubuntu.com/questions/534251/⦠& serverfault.com/questions/114270/â¦.
â slmâ¦
Jul 5 at 7:24
Most of the answers are showing that this isn't possible as described, the only solution that looked worthwhile was the serverfault one which suggests using the student/teacher ownership paradigm.
â slmâ¦
Jul 5 at 7:43
1
You could configure
ssh
to allow you to connect to the NAS, using a public key. It should be possible to configure it to only allow you to deliver files.â ctrl-alt-delor
Jul 5 at 13:43
@ctrl-alt-delor Thanks, that does sound like a good way to achieve what I want. Do you have any advice or a link on how to achieve that with ssh? I know how to set up ssh access with a key but not how to configure it to only allow delivering files without shell access or access to other folders.
â localhost
Jul 5 at 23:01