[Gllug] File permissions

Bruce Richardson itsbruce at workshy.org
Wed Jun 30 13:59:50 UTC 2010


On Tue, Jun 29, 2010 at 03:56:56PM +0100, gllug wrote:
> 
> But I digress: the Linux filesystem will not do what you want, not even
> with ACLs.  

I should expand on this, though, James.  ACLs won't do the exact thing
you are trying to do (force specific user and group access).  They may,
however, let you achieve the effect you are after.  Are you trying to
force the user and group just to be sure that everybody who is
authorised to access the share can work with all the files created on
it?  Or is there some other reason for wanting the specific user and
group?

If it's the former, you can achieve the same by setting a default acl on
the top level directory.  If all the users who should have access to the
location are in the "staff" group and you want this group to have
read/write access by default, then you could set up the ACLs for the
directory something like this:

	user::rwx
	group::rwx
	mask::rwx
	other::---
	default:user::rwx
	default:group::rwx
	default:group:staff:rwx
	default:mask::rwx
	default:other::---

This also requires the top level directory to be owned by the group and
have a mode of at least 0770; if this isn't the case, then you should
add 

        group:staff:rwx


That will achieve what you want because of the default ACLs, which are
inherited, and doesn't require any SGID bits set anywhere.  It does
leave open the possibility of somebody setting more restrictive
permissions, having created a file; if you don't want that then you
really do have to restrict access to samba only, so that you can force
the file mode as well.

-- 
Bruce

The ice-caps are melting, tra-la-la-la.  All the world is drowning,
tra-la-la-la-la.  -- Tiny Tim.
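
Added example, not part of Bruce's message: a small Python model of the POSIX ACL rules in acl(5), showing how a file created under the default ACL above gets group:staff access and how a later chmod 600 by the owner removes it through the mask. The function names are made up for this illustration, and it only models the rules; it does not touch a real filesystem.

```python
# Simplified model of the POSIX.1e ACL rules described in acl(5).
R, W, X = 4, 2, 1

# Default ACL from the message above, keyed by (tag, qualifier).
DEFAULT_ACL = {
    ("user", ""): R | W | X,
    ("group", ""): R | W | X,
    ("group", "staff"): R | W | X,
    ("mask", ""): R | W | X,
    ("other", ""): 0,
}

def inherit(default_acl, create_mode):
    """Access ACL of a new file: the default ACL, limited by the create mode.

    With a default ACL present the umask is not applied; only the mode
    passed to open()/creat() restricts the owner, mask and other entries.
    """
    acl = dict(default_acl)
    acl[("user", "")] &= (create_mode >> 6) & 7
    acl[("mask", "")] &= (create_mode >> 3) & 7
    acl[("other", "")] &= create_mode & 7
    return acl

def chmod(acl, mode):
    """chmod on a file with a mask entry: the group bits set the mask."""
    acl = dict(acl)
    acl[("user", "")] = (mode >> 6) & 7
    acl[("mask", "")] = (mode >> 3) & 7
    acl[("other", "")] = mode & 7
    return acl

def effective(acl, tag, qualifier=""):
    """Owner and other ignore the mask; every other entry is ANDed with it."""
    perms = acl[(tag, qualifier)]
    if (tag == "user" and qualifier == "") or tag == "other":
        return perms
    return perms & acl[("mask", "")]

def fmt(perms):
    return "".join(c if perms & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))

if __name__ == "__main__":
    new_file = inherit(DEFAULT_ACL, 0o666)   # typical open(..., 0666)
    print("staff after create:   ", fmt(effective(new_file, "group", "staff")))
    locked = chmod(new_file, 0o600)          # owner tightens the mode
    print("staff after chmod 600:", fmt(effective(locked, "group", "staff")))
    print("owner after chmod 600:", fmt(effective(locked, "user")))
```

The group:staff entry is still in the ACL after the chmod; it is the mask that cuts its effective permissions to nothing.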