[Gllug] Getting required read / write / access permissions

Bruce Richardson itsbruce at workshy.org
Wed Apr 6 10:42:46 UTC 2011

On Wed, Apr 06, 2011 at 11:04:34AM +0100, Chris Bell wrote:
> > > a directory
> > > with full recursive R/W access to all files to all, but only all, on a
> > > restricted list, plus a directory with full recursive R/W access to all
> > > listed users.
> > 
> > Are these to be separate shares or two directories on the same share?
>    They were created as two separate groups, each associated with its own
> single directory in /home

Groups?  Do you mean samba shares?  Confusing terminology.  We're
talking in detail about filesystem access here, so referring to shares
as groups isn't going to help.  If you *do* mean groups, then I think
you need to explain in more detail.

> > > Some users also need access from their normal computers via
> > > OpenVPN. 
> > 
> > That doesn't make much sense.  OpenVPN gives people access to a network,
> > not to a computer's files.  How are the OpenVPN users going to be
> > accessing the files after they have gained access to the network via
> > OpenVPN?
>    Yes, they access the network and then logon to the server.

Via samba or ssh or what?  *That* is what is relevant, since if some
people are accessing the filesystem via a shell login or some other
non-samba method, they can mess with the files in a way that Samba can't
override (in which case, POSIX acls would be better).

> > 
> > I think you need to read up on Unix file permissions and then re-read
> > the chmod man page.
> > 
> > http://www.zzee.com/solutions/unix-permissions.shtml
>    It looks as if I should set the /etc/samba/smb.conf permissions to 2770
> instead of 770 for the shared directories, I will try that when I have access.

If the only way people can access the filesystem is via samba, then you
don't need the SGID bit (that initial 2 in the 2770).  All you have to
do in the share config within smb.conf is force group ownership of all
created files to the desired group and force file/directory creation to
allow write access.  Something like this:

	force create mode = 060
	force directory mode = 070
	force group = *your group name nere*

If people do access the filesystem by other means (e.g. ftp, shell
accounts, nfs) then adding the SGID bit (force directory mode = 2070)
will appear to fix your problem but it will actually be fragile.  The
reason it will be fragile is because people will be able to create
directories which do not have SGID set or create files which aren't
group writeable (or group readable).  As soon as they create directories
without SGID set, the chain is broken.  

So if you do have people accessing the filesystem by means other than
Samba, POSIX acls are less fragile.  You can set a default acl on your
top level directory and it will be inherited by all files and
directories created within it, no matter what is set as the owning user
or group.  It's less fragile because most Unix applications (and, to be
honest, most users) are not acl-aware and so don't mess with them.


It is impolite to tell a man who is carrying you on his shoulders that
his head smells.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 204 bytes
Desc: Digital signature
URL: <http://mailman.lug.org.uk/pipermail/gllug/attachments/20110406/8d8af453/attachment.pgp>
-------------- next part --------------
Gllug mailing list  -  Gllug at gllug.org.uk

More information about the GLLUG mailing list