This answer works on Debian (tested on lenny and squeeze). After investigation, it seems to work only thanks to a Debian patch; users of other distributions such as Ubuntu may be out of luck.
You can use mount --bind. Mount the “real” filesystem under a directory that's not publicly accessible. Make a read-only bind mount that's more widely accessible. Make a read-write bind mount for the part you want to expose with read-write access.

    mkdir /media/hidden /media/hidden/sdz99
    chmod 700 /media/hidden
    mount /dev/sdz99 /media/hidden/sdz99
    mount -o bind,ro /media/hidden/sdz99/world-readable /media/world-readable
    mount -o bind /media/hidden/sdz99/world-writable /media/world-writable

In your use case, I think you can do:

    mkdir /var/smb/hidden
    mv /var/smb/snapshot /var/smb/hidden
    mkdir /var/smb/snapshot
    chmod 700 /var/smb/hidden
    chmod 755 /var/smb/hidden/snapshot
    # bind the real directory read-only onto the publicly reachable path
    mount -o bind,ro /var/smb/hidden/snapshot /var/smb/snapshot

I.e. put the real snapshot directory under a restricted directory, but give snapshot read permissions for everyone. It won't be directly accessible because its parent has restricted access. Bind-mount it read-only in an accessible location, so that everyone can read it through that path.
(Read-only bind mounts only became possible several years after bind mounts were introduced, so you might remember a time when they didn't work. I don't know offhand since when they work, but they already worked in Debian lenny (i.e. now oldstable).)
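
Since the answer notes that `bind,ro` in a single call may not take effect on every distribution, the following added example (not part of the original answer) binds in two steps, using the `remount,bind,ro` form documented in mount(8), and then checks the per-mount flags in `/proc/self/mountinfo` before trusting the result. The function names `mount_is_ro`, `ro_bind` and `sample_mountinfo` are hypothetical, and the sample mountinfo lines are constructed from the answer's placeholder paths.

```shell
#!/bin/sh
# Added example: make a bind mount read-only and verify that it really is.

# mount_is_ro MOUNTPOINT [MOUNTINFO_FILE]
# Returns 0 if MOUNTPOINT carries the per-mount "ro" flag, 1 if it is
# writable, 2 if it is not a mount point at all.
# mountinfo fields: 5 = mount point, 6 = per-mount options. The options after
# the " - " separator belong to the whole filesystem and stay "rw" for a
# read-only bind of a writable filesystem, so they must not be used here.
mount_is_ro() {
    awk -v mp="$1" '
        $5 == mp { opts = $6; seen = 1 }   # a later mount shadows earlier ones
        END {
            if (!seen) exit 2
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") exit 0
            exit 1
        }' "${2:-/proc/self/mountinfo}"
}

# ro_bind SRC DST (needs root): bind SRC on DST, set the read-only flag in a
# second step, and undo the mount if DST still turns out to be writable.
ro_bind() {
    mount --bind "$1" "$2" || return 1
    mount -o remount,bind,ro "$1" "$2" || { umount "$2"; return 1; }
    if ! mount_is_ro "$2"; then
        echo "refusing: $2 is still writable" >&2
        umount "$2"
        return 1
    fi
}

# Constructed sample: one rw filesystem, exposed once read-only and once
# read-write through bind mounts, as in the first command block above.
sample_mountinfo() {
    cat <<'EOF'
40 25 8:99 / /media/hidden/sdz99 rw,relatime shared:1 - ext3 /dev/sdz99 rw
41 25 8:99 /world-readable /media/world-readable ro,relatime shared:1 - ext3 /dev/sdz99 rw
42 25 8:99 /world-writable /media/world-writable rw,relatime shared:1 - ext3 /dev/sdz99 rw
EOF
}
```

Running `mount_is_ro /var/smb/snapshot` after the commands above shows whether the read-only flag was actually applied on your system.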