Permissions for NC samba shares

When I enable samba shares using NCP, I get two volumes – one is the NC root folder for the user specified in the NCP web dialog, and another is the home directory for the login (i.e., the “pi” user). Permissions seem a little off; I can read but not write to the main volume (/home/pi), and I can only write to the NC root folder – all the subfolders are read-only. Having samba shares available in the OS X Finder is awesome, but the restrictive permissions really limit its usefulness.

I kinda doubt this is an NCP issue, but I’m wondering if ncp-web has access to the SMB permissions configuration when it enables samba shares. If it isn’t, can anyone tell me how to tweak the permissions during sharing? I took a look at the main NC documentation, but didn’t see much in the way of detail there about samba permissions.

That is as it should be in a linux system. /home/pi is owned and rwx (read+write+executable) to user pi only.
Technically you could make www-data member of the pi group and give write permissions to the group, or even make it owner. But unless your system is single user and running in LAN only, (no access from outside) that is something I’d really want to avoid. Probably best to edit the smb.conf and create a smb password for access to the samba share with write permission. I always make a copy of my smb.conf before making any changes to it !

1 Like

What you’re saying makes perfect sense, but in this case I’m authenticating as user pi, so shouldn’t I expect to be given the keys to the castle (as it were)?

It’s also still not clear to me why I should be able to write to the root level of my NC folder, but not any subfolder. From an NC user perspective, my home directory is no different than any of my subfolders.

Hi @donutlover, I’ve been away for a few days

Regarding the home folder… I think that the share should be removed from NCP, it comes from the default smb.conf but I don’t think it makes sense.

Regarding not being able to write in subfolders… Last time I checked I was able to, how are you mounting the SMB share? Windows? Linux?

Hi @nachoparker, my turn to apologize for a late reply – I’ve been on the road off and on for the past few weeks, with limited time to come back to my NCP issues.

I’ve thought quite a bit about the home folder share, and I have to reluctantly agree with you that the share should probably be removed from NCP. I almost hate to say it, because it works soooo well, and it’s enormously convenient to have access to the pi home folder in the mac Finder. But you’re right, it’s a bit of conceptual overreach for NCP’s mission.

As to your question about how I’m mounting SMB, it’s through the OS X Finder (I’ve recently upgraded to macOS 10.13, but the same situation was there in 10.9.5). After digging into the issue a bit, I see that this permissions scheme matches what’s on my Nextcloud storage: my “files” directory has 775 permissions, while all the subdirectories are set up with 755. I certainly haven’t messed with these settings at all, so I’ve been assuming that these are the defaults that NC creates in the data directory. But you say that you’ve been able to write to subfolders, so now I’m wondering if there’s anything anomalous happening on my pi.

So it appears to me that NCP’s SMB enabling is just mirroring the permissions that are already there; is this something that can (or should) be tweaked by NCP? It would be awfully handy to have write access to my subfolders when they’re mounted on my desktop. :slight_smile:

Gaaaaaaaa…shortly after I posted that, I see that you’ve made about 150 releases to NCP since I’ve last updated. I’ll have to see what’s new there…sorry in advance if this is rehashing obsolete issues.

xD it’s ok

I disabled the home share in newer releases, but anyone can easily bring it back by editing smb.conf

For the permissions… someone would have to help you with this. I don’t have mac, I can only say that it works in linux.

Hmm. I’ve just updated to the latest NCP, but my home directory is still showing up as a share.

of course, that’s for new images. I won’t disable a share that a user might already be using :wink: