Create samba share with only write and no read permissions

Use case

I'm the only user. I have an Ubuntu NAS with full-disk encryption, and I'm trying to back up my own Windows machines to that. I want to have a USB stick that I can boot from to clone the Windows drives to the NAS, but I don't want the whole backup share to be readable by anyone who may come across that USB stick with the share credentials on it. Can you think of a better solution?

What I was thinking could work

I've been searching but have been unable to find what I need; everything I have found is about simply enabling write access to a share, which is not what I want to do.

I would like to create a Samba share on my Ubuntu machine where users have only write permissions. I would like them to be able to create files but not be able to read them, nor list folders inside the share.

This is for the purpose of backup. I want to have a bootable USB drive that I can boot from that will take disk images of the drives in that machine and save to the Samba share, but I don't want that USB to have access to all the images.

I'm happy if it just fails if a file already exists; I will ensure the filenames do not conflict by using drive UUIDs/time.

  • See also superuser.com/questions/646442/…
    – Nick ODell
    Jul 5 at 7:10

  • See also - askubuntu.com/questions/534251/… & serverfault.com/questions/114270/….
    – slm♦
    Jul 5 at 7:24

  • Most of the answers are showing that this isn't possible as described; the only solution that looked worthwhile was the serverfault one, which suggests using the student/teacher ownership paradigm.
    – slm♦
    Jul 5 at 7:43

  • You could configure ssh to allow you to connect to the NAS, using a public key. It should be possible to configure it to only allow you to deliver files.
    – ctrl-alt-delor
    Jul 5 at 13:43

  • @ctrl-alt-delor Thanks, that does sound like a good way to achieve what I want. Do you have any advice or a link on how to achieve that with ssh? I know how to set up ssh access with a key but not how to configure it to only allow delivering files without shell access or access to other folders.
    – localhost
    Jul 5 at 23:01

edited Jul 5 at 13:38 by ctrl-alt-delor

asked Jul 5 at 6:51 by localhost

1 Answer
Mount points only support disabling write (read-only), but not disabling read. However, you may be able to do most of it with file permissions.
It will not be possible to stop a user from reading her own files, but you can stop her from reading other people's files.

You will need:

  • Sticky bit, to stop users from removing each other's files.
  • Turn off the read bits of the directory to stop others from reading.
  • Set a default permission, to turn off the read bits of files to stop others from reading them.

How to

    # Sticky bit: only a file's owner (or the directory owner) may remove or rename it
    chmod +t "«the directory»"
    # Owner and group may create and traverse (wx) but not list (no r); others get nothing
    setfacl -m "u::wx,g::wx,o:-" "«the directory»"
    # Default ACL: entries created inside inherit no permissions for owner, group or others
    setfacl -m "d:u::-,d:g::-,d:o:-" "«the directory»"

Warnings

This will not be easily used by users; consider giving some extra permissions, or one directory per user.

I also don't think that this is the way to do backups. Set up a cron job to do backups every day. You may be using backups for revision control; consider using a revision control system. Subversion (svn) is a good one for most users and most file types. Mercurial is also good for programmers, and can be used for other file types, but I would not recommend it for any non-mergeable files (such as MS-Office).

  • Thanks for the answer, although it's not exactly what I want for my situation. I'm the only user. I have an Ubuntu NAS with full-disk encryption, and I'm trying to back up my own Windows machines to that. I want to have a USB stick that I can boot from to clone the Windows drives to the NAS, but I don't want the whole backup share to be readable by anyone who may come across that USB stick with the share credentials on it. Can you think of a better solution?
    – localhost
    Jul 5 at 12:40

edited Jul 5 at 11:12

answered Jul 5 at 11:06 by ctrl-alt-delor
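
The permission layout from the answer above can be checked once it has been applied. The script below is an added example, not part of the original answer: it assumes GNU stat and find, assumes the directory carries only the base ACL entries from the answer's setfacl commands (so the mode bits mirror the ACL), and the function names audit_dropbox and readable_entries are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original answer: audit a write-only drop directory.
# Assumes GNU stat/find; function names are hypothetical.
# Usage: sh audit_dropbox.sh DIR   (run as root so entries can be enumerated)

# Print every entry under DIR that still has a read bit set for anyone.
# The caller must be able to list DIR.
readable_entries() {
    find "$1" -mindepth 1 \( -perm -400 -o -perm -040 -o -perm -004 \) -print
}

# Return 0 if DIR matches the layout from the answer, 1 if not, 2 on bad input.
audit_dropbox() {
    dir=$1
    bad=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # stat prints e.g. 1330; pad so the special-bits digit is always present.
    mode=$(printf '%04d' "$(stat -c '%a' "$dir")")
    special=$(printf '%s' "$mode" | cut -c1)
    owner=$(printf '%s' "$mode" | cut -c2)
    group=$(printf '%s' "$mode" | cut -c3)
    other=$(printf '%s' "$mode" | cut -c4)

    if [ $((special & 1)) -eq 0 ]; then
        echo "sticky bit missing: users can remove each other's files"; bad=1
    fi
    if [ $((owner & 4)) -ne 0 ] || [ $((group & 4)) -ne 0 ]; then
        echo "read bit set for owner or group: directory can be listed"; bad=1
    fi
    if [ "$other" -ne 0 ]; then
        echo "others have access (mode digit $other)"; bad=1
    fi
    if [ $((owner & 3)) -ne 3 ]; then
        echo "owner lacks write+execute: files cannot be created"; bad=1
    fi

    # Entries can only be enumerated by a caller allowed to read DIR (root).
    if [ -r "$dir" ]; then
        leaked=$(readable_entries "$dir")
        if [ -n "$leaked" ]; then
            echo "entries with read bits (default ACL not applied?):"
            echo "$leaked"; bad=1
        fi
    fi
    return "$bad"
}

# Run the audit when a directory is given on the command line.
if [ "$#" -gt 0 ]; then audit_dropbox "$1"; fi
```

An unprivileged caller gets only the directory-mode checks, because the drop directory cannot be listed without read permission.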
