[Samba] sub-folders security access question

Jean Carlos Coelho coelho at teltecsolutions.com.br
Fri Apr 11 09:19:55 MDT 2014


Just thinking…

OK, I set ACLs on folders and files for groups, not users (a lot of work to
do). In smb.conf, do I need to configure write access or read access or
permissions? E.g. (this is my share configuration, AD domain PDC)...

[projects]
  comment = Projects Folder
  path = /samba/groups/project
  guest ok = No
  writeable = No
  browseable = Yes
  force user = nobody
  force group = project
  write list = @project, @ceo
  read list = @project_read
  create mask = 774
  ;directory mask = 2775
  vfs objects = recycle
  recycle:repository = /samba/trash/project
  ;vfs objects = recycle scannedonly full_audit
  ;recycle:keeptree = Yes
  ;recycle:versions = Yes
  ;veto files = *.scr, *.com, *.bat, *.rmvb, *.mp3, *.pif, *.vb, *.vbs, *.vbe, *.inf, *.run, *.reg, *.paf, *.lnk, *.cpl, *.bin, *.cmd


Thanks! :)



On 11/04/14 11:31, "Stéphane PURNELLE" <stephane.purnelle at corman.be> wrote:

>Hi,
>
>From my point of view:
>
>groups:
>
>directors, members : DIRECTOR
>read_folder, members : user1, user2
>project1, members : user1
>project1_read, members : user2
>project2, members : user2
>project2_read, members : user1
>
>ACL entries:
>
>FOLDER:
>setfacl -m g:directors:rwx FOLDER
>setfacl -d -m g:directors:rwx FOLDER
>setfacl -m g:read_folder:r-x FOLDER
>
>PROJECT1:
>setfacl -m g:directors:rwx PROJECT1
>setfacl -d -m g:directors:rwx PROJECT1
>setfacl -m g:project1:rwx PROJECT1
>setfacl -d -m g:project1:rwx PROJECT1
>setfacl -m g:project1_read:r-x PROJECT1
>setfacl -d -m g:project1_read:r-x PROJECT1
>
>PROJECT2:
>setfacl -m g:directors:rwx PROJECT2
>setfacl -d -m g:directors:rwx PROJECT2
>setfacl -m g:project2:rwx PROJECT2
>setfacl -d -m g:project2:rwx PROJECT2
>setfacl -m g:project2_read:r-x PROJECT2
>setfacl -d -m g:project2_read:r-x PROJECT2
>
>
>In this config:
>
>the directors group can do anything it wants
>users in group project1 can do everything in sub-folder PROJECT1
>users in group project2 can do everything in sub-folder PROJECT2
>users in group project1_read can only read files and folders in sub-folder
>PROJECT1
>users in group project2 can only read files and folders in sub-folder
>PROJECT2
>
>the group read_folder is a group to permit user1 and user2 to read the
>content (visibility) of directory FOLDER, but they cannot do anything in
>the FOLDER directory
>
>Why -m and -d -m?
>
>The command setfacl -m modifies an ACL entry for a file or a directory.
>If we add -d, the modification applies to the default ACL entry.
>
>A default ACL entry means: what ACL must be applied when I create a file or
>a directory under this directory that has this ACL?
>
>In my example, I use groups because they are simpler to manage than users.
>If a user12 must have access to PROJECT1, we just add him to the group
>project1 and it works (after a logout/login of the user on the Windows
>client)
>
>You can read the man of setfacl here : http://linux.die.net/man/1/setfacl
>
>hope that helps you
>
>
>-----------------------------------
>Stéphane PURNELLE                         Systems and Network Admin.
>IT Department              Corman S.A.           Tel: 00 32 (0)87/342467
>
>samba-bounces at lists.samba.org wrote on 11/04/2014 15:57:30:
>
>> From: Jean Carlos Coelho <coelho at teltecsolutions.com.br>
>> To: "samba at lists.samba.org" <samba at lists.samba.org>,
>> Date: 11/04/2014 16:13
>> Subject: [Samba] sub-folders security access question
>> Sent by: samba-bounces at lists.samba.org
>> 
>> Hi Guys!
>> 
>> A simple question..
>> 
>> I have never worked with ACLs, and since my customer wants some access
>> levels for some sub-folders in shares, I am reading some manuals
>> about that. But before applying some tests, I need some advice
>> about this. Here is my question...
>> 
>> Parent folder (share): FOLDER
>> Sub-folder1: PROJECT1
>> Sub-folder2: PROJECT2
>> User1: DIRECTOR
>> Group: Director/Projects
>> 
>> User2: Employee1
>> Group: Project1
>> 
>> User3: Employee2
>> Group: Project2
>> 
>> Scenario:
>> 
>> Director can move/rename/exclude folders from FOLDER...
>> User1 can only access/read and execute files inside PROJECT1 and read
>> PROJECT2
>> User2 can only access/read and execute files inside PROJECT2 and read
>> PROJECT1
>> 
>> Can I use setfacl to solve this problem? Does anyone know a good
>> website with instructions and examples of usage?
>> 
>> Thank you and sorry for my bad English!
>> 
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
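As an added example (not code from the thread, from Samba or from Stéphane), here is a small Python model of the scheme described in the reply above. It emits the setfacl commands the group table implies, showing which entries also get a default (-d) copy, then parses getfacl-style output and applies the POSIX ACL evaluation order (owner, named users, then the group class under the mask, then other) to answer "what can user X do here?". The group memberships, the getfacl text and the file name report.doc are constructed for the example; the owner nobody / group project follow the force user and force group lines of the [projects] share above.

```python
# Added example, not code from the thread: realise the group-based ACL scheme
# from the reply above and evaluate what a user can actually do under a POSIX
# ACL, mask included. Group membership and getfacl output are constructed.
PERMS = "rwx"

def perm_bits(s):
    return {c for c in s if c in PERMS}              # 'r-x' -> {'r', 'x'}

def perm_str(bits):
    return "".join(c if c in bits else "-" for c in PERMS)

# Group membership as laid out in the reply (constructed).
GROUPS = {"directors": {"DIRECTOR"}, "read_folder": {"user1", "user2"},
          "project1": {"user1"}, "project1_read": {"user2"},
          "project2": {"user2"}, "project2_read": {"user1"}}
# Directory -> (group, perms, also set as default). Default entries (-d) are
# inherited by new children; read_folder gets none, so it stays FOLDER-only.
POLICY = {
    "FOLDER": [("directors", "rwx", True), ("read_folder", "r-x", False)],
    "FOLDER/PROJECT1": [("directors", "rwx", True), ("project1", "rwx", True),
                        ("project1_read", "r-x", True)],
    "FOLDER/PROJECT2": [("directors", "rwx", True), ("project2", "rwx", True),
                        ("project2_read", "r-x", True)],
}

def setfacl_commands(policy=POLICY):
    """setfacl invocations realising POLICY: -m for access, -d -m for default."""
    cmds = []
    for path, entries in policy.items():
        for group, perms, default in entries:
            cmds.append(f"setfacl -m g:{group}:{perms} {path}")
            if default:
                cmds.append(f"setfacl -d -m g:{group}:{perms} {path}")
    return cmds

def parse_getfacl(text):
    """Parse the access entries of getfacl output (default entries skipped)."""
    acl = {"owner": None, "group": None, "user::": set(), "group::": set(),
           "users": {}, "groups": {}, "mask": None, "other": set()}
    for raw in text.splitlines():
        line = raw.split("#effective")[0].strip()    # drop getfacl's hint
        if not line or line.startswith(("default:", "# file:")):
            continue
        if line.startswith("# "):                     # "# owner: nobody" etc.
            key, val = line[2:].split(": ")
            acl[key] = val
            continue
        tag, name, perms = line.split(":")
        bits = perm_bits(perms)
        if tag in ("mask", "other"):
            acl[tag] = bits
        elif name:                                    # named user/group entry
            acl[tag + "s"][name] = bits
        else:                                         # user:: / group::
            acl[tag + "::"] = bits
    return acl

def allowed(acl, user, want, groups=GROUPS):
    """True if `user` may do `want` (e.g. "r", "w", "rx"); POSIX.1e check order."""
    want = perm_bits(want)
    mask = acl["mask"] if acl["mask"] is not None else set(PERMS)
    if user == acl["owner"]:
        return want <= acl["user::"]                  # owner entry is never masked
    if user in acl["users"]:
        return want <= (acl["users"][user] & mask)
    mine = {g for g, members in groups.items() if user in members}
    matched = False
    for g, bits in [(acl["group"], acl["group::"])] + list(acl["groups"].items()):
        if g in mine:
            matched = True
            if want <= (bits & mask):
                return True
    return False if matched else want <= acl["other"]  # group match never falls to other::

def mask_limited(acl):
    """Group-class entries whose effective rights are narrower than granted."""
    if acl["mask"] is None:
        return []
    entries = [("group::", acl["group::"])] + [(f"group:{g}", b) for g, b in acl["groups"].items()]
    return [(n, perm_str(b), perm_str(b & acl["mask"])) for n, b in entries if b - acl["mask"]]

# Constructed getfacl output for PROJECT1; owner/group follow the share's force user/group.
PROJECT1_DIR = """\
# owner: nobody
# group: project
user::rwx
group::rwx
group:directors:rwx
group:project1:rwx
group:project1_read:r-x
mask::rwx
other::---
"""
# Constructed file ACL whose mask was narrowed (e.g. chmod g-w): entries say rwx, effective is r--.
REPORT_FILE = """\
user::rw-
group::rw-                 #effective:r--
group:project1:rwx         #effective:r--
group:project1_read:r-x    #effective:r--
mask::r--
other::---
"""
```

Two checks are worth running against real getfacl output with this. First, allowed(acl, "nobody", "w") is true for the directory above: with force user = nobody every SMB operation on that share runs as the owner, so the per-group entries are bypassed for anyone who can connect to the share. Second, mask_limited() lists entries whose mask, which chmod and a restrictive create mask both rewrite, is narrower than what the named group was granted; that is the usual reason a correct setfacl still results in read-only access.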