[Samba] ACL: need additional samba option ?

Pierre Dehaen dehaen at milano.drever.be
Mon Aug 26 02:06:00 GMT 2002


Thanks Oliver,

Your solution looks great! I'm currently testing it. One thing I already noted - 
although not a problem here - is that a file/directory created in the share will 
show, respectively, r--/r-x as rights for "other" instead of "---".

My only concern left is about finding a way to let, by default, only the owner of 
a file update it. If user1 and user2 have the right (acl) to create a file in a 
directory, they can also update each other's file. I cannot set the default acl 
entries on the directory to r-x because they need rwx on subdirectories 
they create.

To summarise my point: I think the concept of "default" acl entries is bad, we 
should have the possibility to create "defaultfile:..." and "defaultdir:..." entries ! 
It could be possible to circumvent that problem with some new samba 
options.

Thanks again,
Pierre


On 20 Aug 2002 at 10:01, Oliver Thinnes wrote:

> Hi.
> 
> I had the same problem but I needed ACLs for groups.
> 
> Setting the rights of 'normal' UNIX group to '---' caused the effective 
> access rights of the ACL groups to be set to '---'.
> 
> Therefore I set the right of the top directory to
> chown root:root DIR
> chmod 2770 DIR (sticky bit for group)
> 
> Newly created directories belong to the group 'root' and not the group of the 
> user that is connected to the share. Don't use 'force group = root' as the 
> users then connect to the share with group = root.
> 
> I don't use 'inherit permissions = yes' as the UNIX bits are responsible 
> for archive bit / readonly bit. And every time you save an existing file the 
> permissions are updated.
> 
> I use default ACL entries to inherit the needed permissions and don't want 
> samba to change the permissions.
> 
> I agree with you that improved support for ACLs is needed.
> 
> Quota checks UNIX user, group and other. Not entries in ACLs.
> 
> -----Original Message-----
> From:	Pierre Dehaen [SMTP:dehaen at milano.drever.be]
> Sent:	Tuesday, August 13, 2002 6:16 PM
> To:	samba at lists.samba.org
> Subject:	[Samba] ACL: need additional samba option ?
> 
> Hi All,
> 
> I need to setup the following rights behavior through samba and I'm currently
> stuck after lots of unsuccessful tests. Maybe one of you has an idea or a
> solution to this problem...
> 
> Here it comes:
> 
> - A share must be available only to some users belonging to the "project"
> group.
> 
> That's easy:
>    valid users = @project
> 
> - There are several administrator-created directories in the share
> corresponding to the departments of the company. Only some users must
> have access to each directory, in read only mode for some, in read/write
> mode for others.
> 
> We cannot use the unix groups because of the limitation saying a user may
> only be member of 15 (or 16 I don't remember) groups. So I started playing
> with ACLs: each user with read or read/write access has an ACL on those
> top directories and a default entry also (default:user:john:r-x for 
> instance).
> The mask and default mask (ACL) are set to rwx.
> 
> - Under these top directories, read only users must be able to read all files,
> and read/write users must be able to create files and subdirectories. When a
> file/sdir is created by a user, only that user should be able to modify or delete
> the file/sdir unless additional rights are given by him/her through the windows
> permissions.
> 
> 
> 
> The solution now:
> 
> - I created acls on the top directories, including default entries:
> # ls -ld topdir
>    drwx------+  7 root  other     512   Aug 13 16:00  topdir/
> # getfacl topdir
>    # file: topdir
>    # owner: peter
>    # group: noaccess
>    user::rwx
>    user:john:rwx
>    user:johnny:rwx
>    user:jack:r-x
>    group::---
>    mask:rwx
>    other:---
>    [and the same entries with default: as prefix]
> 
> Note that I set the group to "noaccess" to make sure it will not interfere with
> the user specific rights.
> 
> - I set the following options on the samba share:
>    read only = no
>    inherit permissions = yes
>    inherit acls = yes
>    force group = noaccess
> 
> Note that default entries should not be very useful here because I used the 
> samba options "inherit".
> 
> This works when john creates a file -rights are inherited- but I don't know how
> to set the rights of all users but the owner to "read only" maximum because 
> for now they will get the same rights as on the parent directory.
> 
> And this doesn't work when john creates a subdirectory because the mask is
> set to "---" and the effective perms are null too !
> 
> - Note that I tested also without the inherit options. I hoped the "default:"
> would do but then another problem comes: the mask is set based on the
> permissions of the group...
> 
> - So I'm stuck now ! I think the solution would be to have two more samba
> options:
>    force file acl mask = r-x
>    force directory acl mask = rwx
> 
> 
> 
> I'm sorry for having been so long. Well, if you're still here, you're maybe 
> interested...
> 
> Thanks in advance for any help,
> Pierre
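The mask clipping described in the thread (a subdirectory whose effective rights are null although the default entries say rwx, and Oliver's observation that a '---' UNIX group drops the ACL groups' effective rights to '---') follows from how POSIX.1e applies the requested mode to an inherited default ACL. The Python model below is an added example, not code from the thread, from Samba or from either poster; it encodes the inheritance rule from acl(5) and the default ACL Pierre quoted, and assumes that with 'inherit permissions = yes' Samba requests the parent's mode bits (0700 for the 'drwx------' topdir) when john creates a subdirectory, versus 0770 once the top directory has been chmod 2770 as Oliver suggests.

```python
"""Model of POSIX.1e ACL inheritance (the rules in acl(5)) showing why a
directory created under the quoted topdir gets an effective mask of '---'.
Added example for the thread, not code from Samba or from the posters."""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_perm(text):
    """'r-x' -> 5, '---' -> 0."""
    return sum(PERM_BITS[c] for c in text if c in PERM_BITS)


def fmt_perm(bits):
    """5 -> 'r-x'."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def parse_acl(text):
    """Parse getfacl-style lines into (tag, qualifier, perm) tuples.
    Accepts both 'mask::rwx' (Linux getfacl) and 'mask:rwx' (as quoted in the
    mail); comment lines and a leading 'default:' prefix are dropped."""
    acl = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("default:"):
            line = line[len("default:"):]
        parts = line.split(":")
        tag, perm = parts[0], parts[-1]
        qualifier = parts[1] if len(parts) == 3 else ""
        acl.append((tag, qualifier, parse_perm(perm)))
    return acl


def inherit_acl(default_acl, mode):
    """ACL of a new object created with the given mode in a directory carrying
    default_acl. Per acl(5) the umask is ignored when a default ACL exists;
    instead the mode bits are ANDed into three entries:
      owner bits -> user::, group bits -> mask (or group:: if there is no mask),
      other bits -> other::. Named user/group entries are copied unchanged."""
    owner, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(tag == "mask" for tag, _, _ in default_acl)
    new_acl = []
    for tag, qualifier, perm in default_acl:
        if tag == "user" and qualifier == "":
            perm &= owner
        elif tag == "mask" or (tag == "group" and qualifier == "" and not has_mask):
            perm &= group
        elif tag == "other":
            perm &= other
        new_acl.append((tag, qualifier, perm))
    return new_acl


def effective_perm(acl, tag, qualifier=""):
    """Effective rights of one entry: the mask clips named users, named groups
    and group::, but never user:: or other::."""
    mask = next((p for t, _, p in acl if t == "mask"), None)
    for t, q, perm in acl:
        if t == tag and q == qualifier:
            clipped = mask is not None and (q != "" or t == "group")
            return perm & mask if clipped else perm
    raise KeyError(f"{tag}:{qualifier}")


def effective_table(default_acl, mode):
    """Map 'tag:qualifier' -> effective rights string for a newly created object."""
    acl = inherit_acl(default_acl, mode)
    return {f"{t}:{q}": fmt_perm(effective_perm(acl, t, q))
            for t, q, _ in acl if t != "mask"}


# The default ACL quoted in the original mail (the same entries as the access
# ACL, prefixed with 'default:'); 'mask:rwx' is copied as written there.
TOPDIR_DEFAULT_ACL = parse_acl("""
default:user::rwx
default:user:john:rwx
default:user:johnny:rwx
default:user:jack:r-x
default:group::---
default:mask:rwx
default:other:---
""")

if __name__ == "__main__":
    # Assumption: 'inherit permissions = yes' makes Samba request the parent's
    # mode, 0700 for the 'drwx------' topdir, when john creates a subdirectory.
    print("mkdir with mode 0700:", effective_table(TOPDIR_DEFAULT_ACL, 0o700))
    # After 'chmod 2770' on the top directory the inherited group bits are rwx.
    print("mkdir with mode 0770:", effective_table(TOPDIR_DEFAULT_ACL, 0o770))
```

With mode 0700 the inherited mask becomes '---' and every named user, john included, ends up with no effective rights, which is exactly the null-permission subdirectory reported above; with group bits rwx the mask stays rwx and john gets rwx, jack r-x. Named entries do not distinguish "file I created" from "file a colleague created", which is why the per-owner restriction asked for in the thread cannot be expressed through default entries alone.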




