[Gllug] Getting required read / write / access permissions

Chris Bell chrisbell at chrisbell.org.uk
Wed Apr 6 13:30:27 UTC 2011

On Wed 06 Apr, Bruce Richardson wrote:
> On Wed, Apr 06, 2011 at 11:04:34AM +0100, Chris Bell wrote:
> > > > a directory
> > > > with full recursive R/W access to all files to all, but only all, on a
> > > > restricted list, plus a directory with full recursive R/W access to all
> > > > listed users.
> > > 
> > > Are these to be separate shares or two directories on the same share?
> > 
> >    They were created as two separate groups, each associated with its own
> > single directory in /home
> Groups?  Do you mean samba shares?  Confusing terminology.  We're
> talking in detail about filesystem access here, so referring to shares
> as groups isn't going to help.  If you *do* mean groups, then I think
> you need to explain in more detail.

   I created two groups in Linux, two corresponding directories in /home,
and two shares with the same names in Samba. All users access the Linux box
via Samba, which has separate rules for each personal and shared directory.
   Access via OpenVPN/Zerina installed on an IPCop box is also done using
Samba. Users can log into all directories, but some new files in the shared
directories are mounted read only. I hoped that it will sort itself out when
I reconfigure /etc/samba/smb.conf for 2770 instead of 770.

> > 
> >    It looks as if I should set the /etc/samba/smb.conf permissions to 2770
> > instead of 770 for the shared directories, I will try that when I have
> > access.
> If the only way people can access the filesystem is via samba, then you
> don't need the SGID bit (that initial 2 in the 2770).  All you have to
> do in the share config within smb.conf is force group ownership of all
> created files to the desired group and force file/directory creation to
> allow write access.  Something like this:
> 	force create mode = 060
> 	force directory mode = 070
> 	force group = *your group name here*
> If people do access the filesystem by other means (e.g. ftp, shell
> accounts, nfs) then adding the SGID bit (force directory mode = 2070)
> will appear to fix your problem but it will actually be fragile.  The
> reason it will be fragile is because people will be able to create
> directories which do not have SGID set or create files which aren't
> group writeable (or group readable).  As soon as they create directories
> without SGID set, the chain is broken.  

   Users are creating multiple sub-directories, but only through Samba at
present. That might change if they become convinced that they should abandon

> So if you do have people accessing the filesystem by means other than
> Samba, POSIX acls are less fragile.  You can set a default acl on your
> top level directory and it will be inherited by all files and
> directories created within it, no matter what is set as the owning user
> or group.  It's less fragile because most Unix applications (and, to be
> honest, most users) are not acl-aware and so don't mess with them.
> -- 
> Bruce

   Thanks, will do.

Chris Bell www.chrisbell.org.uk (was www.overview.demon.co.uk)
Microsoft sells you Windows ... Linux gives you the whole house.
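An audit and repair helper for the SGID "chain" Bruce describes, added here as an example and not part of the thread: it lists the directories without setgid or group rwx, the files without group rw, and the entries owned by the wrong group that break a 2770 scheme, repairs them the way "force group" plus the 070/060 modes would, and shows the default-ACL alternative beside it. Function names are my own; the share path and group name are placeholders passed as arguments.

```shell
#!/bin/sh
# Audit and repair helpers for a group-shared directory tree where the
# 2770 / SGID scheme is expected to hold.  Example code written for this
# thread, not part of it; the function names and bit patterns checked are
# my own choice.
#
# audit_share_tree ROOT GROUP
#   Prints one "KIND PATH" line for every entry that breaks the chain
#   Bruce describes: a directory without setgid + group rwx, a file
#   without group rw, or anything not owned by GROUP.  Returns 1 when
#   anything is reported, 0 when the tree is clean.
audit_share_tree() {
    root=$1
    group=$2
    report=$(
        # "-perm -MODE" matches only when every bit of MODE is set,
        # so "! -perm -2070" means "setgid or group rwx is missing".
        find "$root" -type d ! -perm -2070 | sed 's/^/DIR_NOT_SGID_OR_GRWX /'
        find "$root" -type f ! -perm -060  | sed 's/^/FILE_NOT_GRW /'
        find "$root" ! -group "$group"     | sed 's/^/WRONG_GROUP /'
    )
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# fix_share_tree ROOT GROUP
#   Restores what "force group" plus modes 070/060 give a Samba-only tree:
#   GROUP owns everything, directories are g+rwx and setgid, files g+rw.
fix_share_tree() {
    root=$1
    group=$2
    chgrp -R "$group" "$root"
    find "$root" -type d -exec chmod g+rwxs {} +
    find "$root" -type f -exec chmod g+rw {} +
}

# set_default_acl ROOT GROUP
#   The less fragile alternative from the thread: a default ACL on each
#   directory, inherited by whatever is created inside it whichever user
#   or group ends up owning the new entry.  Needs setfacl and an
#   ACL-enabled filesystem.
set_default_acl() {
    root=$1
    group=$2
    setfacl -R -m "g:$group:rwX" "$root"                          # existing entries
    find "$root" -type d -exec setfacl -d -m "g:$group:rwx" {} +  # inherited by new ones
}
```

Run the audit periodically (or after anyone touches the tree over ssh, ftp or NFS) and it shows exactly where the chain was broken, rather than waiting for a user to report a read-only file.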
