[Gllug] Getting required read / write / access permissions
Chris Bell
chrisbell at chrisbell.org.uk
Wed Apr 6 13:30:27 UTC 2011
On Wed 06 Apr, Bruce Richardson wrote:
> On Wed, Apr 06, 2011 at 11:04:34AM +0100, Chris Bell wrote:
> > > > a directory
> > > > with full recursive R/W access to all files to all, but only all, on a
> > > > restricted list, plus a directory with full recursive R/W access to all
> > > > listed users.
> > >
> > > Are these to be separate shares or two directories on the same share?
> >
> > They were created as two separate groups, each associated with its own
> > single directory in /home
>
> Groups? Do you mean samba shares? Confusing terminology. We're
> talking in detail about filesystem access here, so referring to shares
> as groups isn't going to help. If you *do* mean groups, then I think
> you need to explain in more detail.
I created two groups in Linux, two corresponding directories in /home,
and two shares with the same names in Samba. All users access the Linux box
via Samba, which has separate rules for each personal and shared directory.
Access via OpenVPN/Zerina installed on an IPCop box is also done using
Samba. Users can log into all directories, but some new files in the shared
directories are mounted read only. I hoped that it would sort itself out when
I reconfigured /etc/samba/smb.conf for 2770 instead of 770.
> >
> > It looks as if I should set the /etc/samba/smb.conf permissions to 2770
> > instead of 770 for the shared directories, I will try that when I have
> > access.
>
> If the only way people can access the filesystem is via samba, then you
> don't need the SGID bit (that initial 2 in the 2770). All you have to
> do in the share config within smb.conf is force group ownership of all
> created files to the desired group and force file/directory creation to
> allow write access. Something like this:
>
> force create mode = 060
> force directory mode = 070
> force group = *your group name here*
>
> If people do access the filesystem by other means (e.g. ftp, shell
> accounts, nfs) then adding the SGID bit (force directory mode = 2070)
> will appear to fix your problem but it will actually be fragile. The
> reason it will be fragile is because people will be able to create
> directories which do not have SGID set or create files which aren't
> group writeable (or group readable). As soon as they create directories
> without SGID set, the chain is broken.
Users are creating multiple sub-directories, but only through Samba at
present. That might change if they become convinced that they should abandon
M$.
>
> So if you do have people accessing the filesystem by means other than
> Samba, POSIX acls are less fragile. You can set a default acl on your
> top level directory and it will be inherited by all files and
> directories created within it, no matter what is set as the owning user
> or group. It's less fragile because most Unix applications (and, to be
> honest, most users) are not acl-aware and so don't mess with them.
>
> --
> Bruce
>
Thanks, will do.
--
Chris Bell www.chrisbell.org.uk (was www.overview.demon.co.uk)
Microsoft sells you Windows ... Linux gives you the whole house.
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
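The "fragile chain" Bruce describes, and the default-ACL alternative he recommends, reproduced as an added shell example (not from the thread or from Chris's setup). It only uses a scratch directory in the caller's own primary group, so no root access or extra groups are needed. It assumes Linux setgid-inheritance semantics and GNU coreutils (`stat -c %a`); the ACL half assumes `setfacl` from the acl package on an ACL-capable filesystem and is skipped, not failed, where that is missing. The function names `mode_of`, `setup_sgid_share`, `setup_acl_share` and `demo` are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: show why a 2770 tree is fragile when
# users reach it by shell/ftp/nfs, and how a POSIX default ACL holds up.
# Works on a scratch directory in the caller's own primary group, so no root
# or extra groups are needed. Assumes Linux setgid inheritance and GNU
# coreutils (stat -c %a). The ACL part needs setfacl (acl package) on an
# ACL-capable filesystem and reports "unavailable" instead of failing.

# Octal mode of a path including the special bits, e.g. 2775 for a setgid dir.
mode_of() {
    stat -c %a "$1"
}

# The 2770 approach. Everything a non-Samba user creates is governed by their
# own umask; the setgid bit only propagates the gid and, for directories, itself.
setup_sgid_share() {
    share=$1
    rm -rf "$share"
    mkdir -p "$share"
    chmod 2770 "$share"

    # A well-behaved user (umask 002): new dir inherits setgid -> 2775.
    ( umask 002 && mkdir "$share/sub" )
    # A user with umask 077 in the same dir: the file gets the shared gid
    # but mode 600, so the rest of the group cannot even read it.
    ( umask 077 && touch "$share/sub/private.txt" )
    # One user clears the bit on a subdirectory ...
    ( umask 002 && mkdir "$share/sub2" )
    chmod g-s "$share/sub2"
    # ... and nothing created below it inherits setgid any more: 775, not 2775.
    ( umask 002 && mkdir "$share/sub2/deeper" )
}

# The default-ACL approach. Objects created under a directory with a default
# ACL take their permissions from that ACL ANDed with the creating call's mode
# (0666 for files, 0777 for directories); the umask is not consulted at all.
# Returns 2 if a default ACL cannot be set here.
setup_acl_share() {
    share=$1
    rm -rf "$share"
    mkdir -p "$share"
    chmod 2770 "$share"
    command -v setfacl >/dev/null 2>&1 || return 2
    # Base entries only: no ACL mask entry is involved, so plain stat shows
    # the result. A named group (g:staff:rwx) would add a mask entry.
    setfacl -d -m u::rwx,g::rwx,o::--- "$share" 2>/dev/null || return 2

    ( umask 077 && mkdir "$share/sub" )               # -> 2770 despite umask 077
    ( umask 077 && touch "$share/sub/private.txt" )   # -> 660 despite umask 077
}

# Run both set-ups in a temporary directory and print the resulting modes.
demo() {
    base=$(mktemp -d)
    setup_sgid_share "$base/sgid"
    for p in sgid sgid/sub sgid/sub/private.txt sgid/sub2 sgid/sub2/deeper; do
        printf '%-26s %s\n' "$p" "$(mode_of "$base/$p")"
    done
    if setup_acl_share "$base/acl"; then
        for p in acl acl/sub acl/sub/private.txt; do
            printf '%-26s %s\n' "$p" "$(mode_of "$base/$p")"
        done
    else
        echo "acl: setfacl unavailable or unsupported on this filesystem"
    fi
    rm -rf "$base"
}

# Usage: sh sgid_vs_acl.sh run
case "${1:-}" in
    run) demo ;;
esac
```

Run it with `sh sgid_vs_acl.sh run`. The setgid tree shows the two failure modes in the thread: the umask-077 file ends up 600 inside a group share, and once one subdirectory loses its setgid bit everything created under it is plain 775 in the creator's own group. The ACL tree gives 2770/660 regardless of umask because the default ACL, not the umask, decides the mode, and it is copied down to every new subdirectory. This is also why the Samba-only route needs none of it: Samba rewrites the mode of every object it creates according to `force create mode`, `force directory mode` and `force group`, so the umask of the Samba process never reaches the files.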