[Samba] ACL: need additional samba option ?
Pierre Dehaen
dehaen at milano.drever.be
Mon Aug 26 02:06:00 GMT 2002
Thanks Oliver,

Your solution looks great! I'm currently testing it. One thing I already noted
- although not a problem here - is that a file/directory created in the share will
show, respectively, r--/r-x as rights for "other" instead of "---".

My only concern left is about finding a way to let, by default, only the owner of
a file update it. If user1 and user2 have the right (acl) to create a file in a
directory, they can also update each other's files. I cannot set the default acl
entries on the directory to r-x because they need rwx on subdirectories
they create.

To summarize my point: I think the concept of "default" acl entries is bad, we
should have the possibility to create "defaultfile:..." and "defaultdir:..." entries!
It could be possible to circumvent that problem with some new samba
options.

Thanks again,
Pierre

On 20 Aug 2002 at 10:01, Oliver Thinnes wrote:
> Hi.
>
> I had the same problem but I needed ACLs for groups.
>
> Setting the rights of 'normal' UNIX group to '---' caused the effective
> access rights of the ACL groups to be set to '---'.
>
> Therefore I set the right of the top directory to
> chown root:root DIR
> chmod 2770 DIR (sticky bit for group)
>
> Newly created directories belong to the group 'root' and not to the group
> of the user that is connected to the share. Don't use 'force group = root'
> as the users then connect to the share with group = root.
>
> I don't use 'inherit permissions = yes' as the UNIX bits are responsible
> for archive bit / readonly bit. And every time you save an existing file the
> permissions are updated.
>
> I use default ACL entries to inherit the needed permissions and don't want
> samba to change the permissions.
>
> I agree with you that there's improved support for ACLs needed.
>
> Quota checks UNIX user, group and other. Not entries in ACLs.
>
> -----Original Message-----
> From: Pierre Dehaen [SMTP:dehaen at milano.drever.be]
> Sent: Tuesday, August 13, 2002 6:16 PM
> To: samba at lists.samba.org
> Subject: [Samba] ACL: need additional samba option ?
>
> Hi All,
>
> I need to set up the following rights behavior through samba and I'm
> currently stuck after lots of unsuccessful tests. Maybe one of you has an
> idea or a solution to this problem...
>
> Here it comes:
>
> - A share must be available only to some users belonging to the "project"
> group.
>
> That's easy:
> valid users = @project
>
> - There are several administrator-created directories in the share
> corresponding to the departments of the company. Only some users must
> have access to each directory, in read only mode for some, in read/write
> mode for others.
>
> We cannot use the unix groups because of the limitation saying a user may
> only be member of 15 (or 16 I don't remember) groups. So I started playing
> with ACLs: each user with read or read/write access has an ACL on those
> top directories and a default entry also (default:user:john:r-x for
> instance).
> The mask and default mask (ACL) are set to rwx.
>
> - Under these top directories, read only users must be able to read all
> files, and read/write users must be able to create files and
> subdirectories. When a file/sdir is created by a user, only that user
> should be able to modify or delete the file/sdir unless additional rights
> are given by him/her through the windows permissions.
>
>
>
> The solution now:
>
> - I created acls on the top directories, including default entries:
> # ls -ld topdir
> drwx------+ 7 root other 512 Aug 13 16:00 topdir/
> # getfacl topdir
> # file: topdir
> # owner: peter
> # group: noaccess
> user::rwx
> user:john:rwx
> user:johnny:rwx
> user:jack:r-x
> group::---
> mask:rwx
> other:---
> [and the same entries with default: as prefix]
>
> Note that I set the group to "noaccess" to make sure it will not interfere
> with the user specific rights.
>
> - I set the following options on the samba share:
> read only = no
> inherit permissions = yes
> inherit acls = yes
> force group = noaccess
>
> Note that default entries should not be very useful here because I used the
> samba options "inherit".
>
> This works when john creates a file -rights are inherited- but I don't know
> how to set the rights of all users but the owner to "read only" maximum
> because for now they will get the same rights as on the parent directory.
>
> And this doesn't work when john creates a subdirectory because the mask is
> set to "---" and the effective perms are null too!
>
> - Note that I tested also without the inherit options. I hoped the
> "default:" would do but then another problem comes: the mask is set based
> on the permissions of the group...
>
> - So I'm stuck now! I think the solution would be to have two more samba
> options:
> force file acl mask = r-x
> force directory acl mask = rwx
>
>
>
> I'm sorry for having been so long. Well, if you're still here, you're maybe
> interested...
>
> Thanks in advance for any help,
> Pierre
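
Added example, not part of the original messages and not Samba code: a small Python model of the default-ACL inheritance rule documented in Linux acl(5), showing why the group bits of the create mode decide the mask and, through it, the effective rights of the named-user entries discussed in the thread. The function names and the three create modes are assumptions made for the illustration; the ACL entries are the ones Pierre lists, and the thread's own platform may differ in detail.

```python
# Added illustration: default-ACL inheritance as documented in Linux acl(5).
# Function names and create modes are assumptions; the entries come from the thread.
PERMS = (("r", 4), ("w", 2), ("x", 1))

def bits(text):
    """Convert 'r-x' to its numeric value (5)."""
    return sum(value for (char, value), got in zip(PERMS, text) if got == char)

def rwx(number):
    """Convert a numeric value (5) back to 'r-x'."""
    return "".join(char if number & value else "-" for char, value in PERMS)

# Default entries of the top directory, as listed in the original post.
DEFAULT_ACL = {
    "user::": "rwx", "user:john": "rwx", "user:johnny": "rwx",
    "user:jack": "r-x", "group::": "---", "mask": "rwx", "other": "---",
}

def inherit(default_acl, mode):
    """Access ACL of an object created under a directory with a default ACL.

    The default ACL is copied, then the entries that correspond to the
    permission bits are ANDed with the create mode. When a mask entry
    exists, the *group* bits of the mode land on the mask, not on group::.
    """
    acl = dict(default_acl)
    acl["user::"] = rwx(bits(acl["user::"]) & (mode >> 6) & 7)
    group_class = "mask" if "mask" in acl else "group::"
    acl[group_class] = rwx(bits(acl[group_class]) & (mode >> 3) & 7)
    acl["other"] = rwx(bits(acl["other"]) & mode & 7)
    return acl

def effective(acl):
    """Rights each entry really grants: all but owner and other are capped by the mask."""
    mask = bits(acl.get("mask", "rwx"))
    return {
        tag: perm if tag in ("user::", "other") else rwx(bits(perm) & mask)
        for tag, perm in acl.items() if tag != "mask"
    }

if __name__ == "__main__":
    # Group bits '---' empty the mask, 'rwx' keep the named entries intact,
    # and 'r-x' leaves write access to the owner entry only.
    for label, mode in (("dir 0700", 0o700), ("dir 0770", 0o770), ("file 0750", 0o750)):
        acl = inherit(DEFAULT_ACL, mode)
        print(label, "mask:" + acl["mask"], effective(acl))
```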