[Samba] ACL: need additional samba option ?
dehaen at milano.drever.be
Tue Aug 13 07:18:01 GMT 2002
I need to setup the following rights behavior trhough samba and I'm currently
stuck after lots of unsuccessful tests. Maybe one of you has an idea or a
solution to this problem...
Here it comes:
- A share must be available only to some users belonging to the "project"
valid users = @project
- There are several administrator-created directories in the share
corresponding to the departments of the company. Only some users must
have access to each directory, in read only mode for some, in read/write
mode for others.
We cannot use the unix groups because of the limitation saying a user may
only be member of 15 (or 16 I don't remember) groups. So I started playing
with ACLs: each user with read or read/write access has an ACL on those
top directories and a default entry also (default:user:john:r-x for instance).
The mask and default mask (ACL) are set to rwx.
- Under these top directories, read only users must be able to read all files,
and read/write users must be able to create files and subdirectories. When a
file/sdir is created by a user, only that user should be able to modify or delete
the file/sdir unless additional rights are given by him/her through the windows
The solution now:
- I created acls on the top directories, including default entries:
# ls -ld topdir
drwx------+ 7 root other 512 Aug 13 16:00 topdir/
# getfacl topdir
# file: topdir
# owner: peter
# group: noaccess
[and the same entries with default: as prefix]
Note that I set the group to "noaccess" to make sure it will not interfere with
the user specific rights.
- I set the following options on the samba share:
read only = no
inherit permissions = yes
inherit acls = yes
force group = noaccess
Note that default entries should not be very useful here because I used the
samba options "inherit".
This works when john creates a file -rights are inherited- but I don't know how
to set the rights of all users but the owner to "read only" maximum because
for now they will get the same rights as on the parent directory.
And this doesn't work when john creates a subdirectory because the mask is
set to "---" and the effective perms are null too !
- Note that I tested also without the inherit options. I hoped the "default:"
would do but then another problem comes: the mask is set based on the
permissions of the group...
- So I'm stuck now ! I think the solution would be to have two more samba
force file acl mask = r-x
force directory acl mask = rwx
I'm sorry for having been so long. Well, if you're still here, you're maybe
Thank in advance for any help,
More information about the samba