[Samba] ACL: need additional samba option ?

Oliver Thinnes O.Thinnes at pulsaar.de
Mon Aug 19 23:02:06 GMT 2002


Hi.

I had the same problem but I needed ACLs for groups.

Setting the rights of the 'normal' UNIX group to '---' caused the effective 
access rights of the ACL groups to be set to '---'.

Therefore I set the rights of the top directory to
chown root:root DIR
chmod 2770 DIR (sticky bit for group)

Newly created directories belong to the group 'root' and not to the group of 
the user that is connected to the share. Don't use 'force group = root' as the 
users then connect to the share with group = root.

I don't use 'inherit permissions = yes' as the UNIX bits are responsible 
for archive bit / readonly bit. And every time you save an existing file the 
permissions are updated.

I use default ACL entries to inherit the needed permissions and don't want 
samba to change the permissions.

I agree with you that improved support for ACLs is needed.

Quota checks UNIX user, group and other. Not entries in ACLs.

-----Original Message-----
From:	Pierre Dehaen [SMTP:dehaen at milano.drever.be]
Sent:	Tuesday, August 13, 2002 6:16 PM
To:	samba at lists.samba.org
Subject:	[Samba] ACL: need additional samba option ?

Hi All,

I need to setup the following rights behavior through samba and I'm currently
stuck after lots of unsuccessful tests. Maybe one of you has an idea or a
solution to this problem...

Here it comes:

- A share must be available only to some users belonging to the "project"
group.

That's easy:
   valid users = @project

- There are several administrator-created directories in the share
corresponding to the departments of the company. Only some users must
have access to each directory, in read only mode for some, in read/write
mode for others.

We cannot use the unix groups because of the limitation saying a user may
only be member of 15 (or 16 I don't remember) groups. So I started playing
with ACLs: each user with read or read/write access has an ACL on those
top directories and a default entry also (default:user:john:r-x for 
instance).
The mask and default mask (ACL) are set to rwx.

- Under these top directories, read only users must be able to read all files,
and read/write users must be able to create files and subdirectories. When a
file/sdir is created by a user, only that user should be able to modify or delete
the file/sdir unless additional rights are given by him/her through the windows
permissions.



The solution now:

- I created acls on the top directories, including default entries:
# ls -ld topdir
   drwx------+  7 root  other     512   Aug 13 16:00  topdir/
# getfacl topdir
   # file: topdir
   # owner: peter
   # group: noaccess
   user::rwx
   user:john:rwx
   user:johnny:rwx
   user:jack:r-x
   group::---
   mask:rwx
   other:---
   [and the same entries with default: as prefix]

Note that I set the group to "noaccess" to make sure it will not interfere with
the user specific rights.

- I set the following options on the samba share:
   read only = no
   inherit permissions = yes
   inherit acls = yes
   force group = noaccess

Note that default entries should not be very useful here because I used the 
samba options "inherit".

This works when john creates a file -rights are inherited- but I don't know how
to set the rights of all users but the owner to "read only" maximum because
for now they will get the same rights as on the parent directory.

And this doesn't work when john creates a subdirectory because the mask is
set to "---" and the effective perms are null too !

- Note that I tested also without the inherit options. I hoped the "default:"
would do but then another problem comes: the mask is set based on the
permissions of the group...

- So I'm stuck now ! I think the solution would be to have two more samba
options:
   force file acl mask = r-x
   force directory acl mask = rwx



I'm sorry for having been so long. Well, if you're still here, you're maybe
interested...

Thanks in advance for any help,
Pierre
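Both messages above run into the same POSIX.1e rule: the mask entry of an ACL is what the group bits of the mode represent, so a chmod (or a create) that leaves the group class at '---' masks every named user entry down to nothing. The following script is an added example, not code from Samba or from either poster. It models the POSIX.1e mask, chmod and default-ACL inheritance rules on a copy of Pierre's topdir ACL; the assumption that 'inherit permissions' creates the subdirectory with the parent's mode bits (0700 for a drwx------ parent) is mine and is marked in the code.

```python
"""Model of POSIX.1e ACL mask semantics behind the behaviour reported in
this thread.  Added example; the ACL text is constructed from Pierre's
getfacl listing and the rules are those of POSIX.1e draft ACLs as found on
Linux and Solaris, not Samba's own code."""
from typing import NamedTuple

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_str_to_bits(s: str) -> int:
    return sum(PERM_BITS[c] for c in s if c in PERM_BITS)


def bits_to_perm_str(b: int) -> str:
    return "".join(c if b & v else "-" for c, v in PERM_BITS.items())


class Entry(NamedTuple):
    tag: str        # user, group, mask, other
    qualifier: str  # "" for the owner / owning group, a name otherwise
    perms: int


def parse_acl(text: str, default: bool = False):
    """Parse getfacl-style lines (Linux 'mask::rwx' and Solaris 'mask:rwx'
    both accepted).  Returns access entries, or default entries if asked."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        is_default = line.startswith("default:")
        if is_default != default:
            continue
        if is_default:
            line = line[len("default:"):]
        parts = line.split(":")
        entries.append(Entry(parts[0], ":".join(parts[1:-1]),
                             perm_str_to_bits(parts[-1])))
    return entries


def mask_of(entries):
    for e in entries:
        if e.tag == "mask":
            return e.perms
    return None


def effective(entries):
    """Named users, named groups and the owning group are ANDed with the
    mask; the owner and 'other' are not."""
    m = mask_of(entries)
    out = {}
    for e in entries:
        key = e.tag if not e.qualifier else f"{e.tag}:{e.qualifier}"
        unmasked = e.tag in ("mask", "other") or (e.tag == "user" and not e.qualifier)
        out[key] = e.perms if (unmasked or m is None) else e.perms & m
    return out


def _apply_mode(entries, mode, combine):
    """Owner bits act on user::, group bits act on the mask (on group:: only
    when there is no mask), other bits act on other::."""
    owner, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = mask_of(entries) is not None
    out = []
    for e in entries:
        if e.tag == "user" and not e.qualifier:
            out.append(e._replace(perms=combine(e.perms, owner)))
        elif e.tag == "mask" or (e.tag == "group" and not e.qualifier and not has_mask):
            out.append(e._replace(perms=combine(e.perms, group)))
        elif e.tag == "other":
            out.append(e._replace(perms=combine(e.perms, other)))
        else:
            out.append(e)
    return out


def chmod(entries, mode):
    """chmod replaces the three class entries with the mode bits."""
    return _apply_mode(entries, mode, lambda old, new: new)


def create_with_default(default_entries, create_mode):
    """A new object takes the directory's default ACL, with owner, mask and
    other entries ANDed against the creation mode (umask is not applied)."""
    return _apply_mode(default_entries, create_mode, lambda old, new: old & new)


# Constructed from the listing in the thread (Solaris-style mask:/other:).
TOPDIR_ACL = """\
# file: topdir
user::rwx
user:john:rwx
user:johnny:rwx
user:jack:r-x
group::---
mask:rwx
other:---
default:user::rwx
default:user:john:rwx
default:user:johnny:rwx
default:user:jack:r-x
default:group::---
default:mask:rwx
default:other:---
"""


def john_after_create(create_mode):
    """(mask, john's effective rights) on an object created under topdir."""
    acl = create_with_default(parse_acl(TOPDIR_ACL, default=True), create_mode)
    return bits_to_perm_str(mask_of(acl)), bits_to_perm_str(effective(acl)["user:john"])


def john_after_chmod(mode):
    """(mask, john's effective rights) on topdir after a chmod."""
    acl = chmod(parse_acl(TOPDIR_ACL), mode)
    return bits_to_perm_str(mask_of(acl)), bits_to_perm_str(effective(acl)["user:john"])


if __name__ == "__main__":
    # Assumption: 'inherit permissions' hands mkdir the parent's 0700 bits.
    print("mkdir 0700 under topdir:", john_after_create(0o700))   # ('---', '---')
    print("mkdir 0770 under topdir:", john_after_create(0o770))   # ('rwx', 'rwx')
    print("chmod 2770 topdir      :", john_after_chmod(0o2770))   # ('rwx', 'rwx')
    print("chmod 0700 topdir      :", john_after_chmod(0o700))    # ('---', '---')
```

The first line of output reproduces Pierre's "mask is set to ---" on subdirectory creation, and the last reproduces Oliver's observation that '---' on the UNIX group zeroes the ACL users' effective rights; keeping the group class at rwx (his chmod 2770) is what keeps the mask open.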