Using the worm VFS Module
- Samba vfs_worm module that is shipped with the Samba sources (Currently only available in samba-master, but will be official available in the upcoming releases)
What is the Samba vfs_worm module and what it isn't
The Samba vfs_worm module is an additional layer on top of a Samba share, that provides a basic set of WORM functionality on the client side, to control the writeability of files and folders.
As the module is simply an additional layer, share access and permissions work like expected, only WORM functionality is added above. Removing the module from the share configuration, removes this layer again. The filesystem ACLs are not affected in any way from the module and treated as usual.
The module does not provide complete WORM functions, like some archiving products do! It is not audit-proof, because the WORM function is only available on the client side, when accessing a share through SMB! If the same folder is shared by other services like NFS, the access only depents on the underlaying filesystem ACLs. Equally if you access the content directly on the server.
The vfs_module allows through a configuration option (grace_period), to pause turning a file or directory read-only for a defined time. The grace period is based on the change time (ctime) of files/folders.
This allows users to store content on a share and do modifications for a while. If the last change is longer ago than the configured grace period, the module prevents write access on the content and attributes.
It should always be considered to define a grace period, as it can cause confusion for users. E. g. if a new text file is created on a share, it automatically turns-read only. A second write, like for saving the content in the file, will be denied.
After you have setup a file share, you only need to add the following lines to the share section:
vfs objects = worm worm:grace_period = 86400 # 1 day
The grace period should be adjusted to your needs. If you skip the parameter, then content automatically turns read-only when placing content on a share.
After reloading Samba, WORM is enabled on the whole share.
Often it is not useful, to turn a whole share to WORM. Typically you have the requirement to provide this feature only on one or some subfolders. This can be done through a trick: You link WORM enabled shares via DFS to the place you want to provide this feature:
- Enable DFS on an existing share, where you want to have a subfolder to be WORM enabled:
[demo] ... msdfs root = yes
- Remember that changing the „msdfs root“ parameter on a share, will require to clear the DFS cache on Windows (e. g. by rebooting)!
- Create a new share that has WORM enabled, like above-noted described.
- Optional: Set the new WORM share hidden, by adding the following parameter to the share section:
browseable = no
- Reload Samba.
- Link the WORM share via DFS to the origin share, that should contain the WORM enabled subfolder:
cd /srv/samba/demo/ ln -s msdfs:servername\\worm-share-name MY-WORM-SUBFOLDER
If you want to have multiple subfolders on a share to be WORM enabled, simply repeat these steps for everyone.
- The WORM function also concerns ACLs of files and folders. You can't change permissions on files/folders from a client, if the grace period has passed, of course! If you require do change ACLs, you have to temporary disable the vfs_worm module or do the changes directly on the server.