[Samba] Re: samba permissions problem

Chris de Vidal cdevidal at yahoo.com
Sat Feb 15 03:29:35 GMT 2003


--- juan <j0876car at telocity.com> wrote:
> Here is the situation.  I have setup a samba server
> to authenticate against
> Active Directory.  I have created a group under my
> linux server and created
> all the accounts that need to access the share on
> the samba server.  I gave
> the group the rights to the samba share, but when a
> user adds to the share a
> file or directory and I view the permissions under
> linux the owner of that
> new file, or directory is not the group anymore, it's
> the creator.  which
> creates a big problem because the group needs total
> access to any directory
> under the share and needs to have full access which
> I setup initially but
> when a user in the group creates a file he or she
> own it and other users can
> write to that directory.

This involves a basic but obscure feature of Unix
security I didn't learn about until recently: Set
Group ID (sgid) on directories.  New files and
directories created inside it inherit the group ID,
and anyone in that group will automatically share
permissions.

You first chmod all directories (NOT files) in your
share:
find /path/to/share -type d -print0 | xargs -0 chmod g+s
Explanation:
find = the find command, which finds files matching criteria
/path/to/share = any directory where you want to apply inheritance
-type d = Directories
-print0 = Print with no newlines, for xargs to read
| = run this command on the output
xargs = run a command on each line input
-0 = data comes in with no newlines
chmod = change mode
g+rwxs = read, write, execute (browse), and set group id

Then you chgrp all files:
chgrp -R <group> /path/to/share
Explanation:
chgrp = change group of the files/folders
-R = Recursive

Finally, add members to your group:
gpasswd -a <user> <group>
Explanation:
gpasswd = the group password command, but we're not
setting a password here
-a = Add

Have the users log out and back in again to take
effect.

From then on, all files created in that directory will
be in the same group.  The user doesn't truly matter,
as long as you have at least ---r-x--- for group
read-only directories, ---rwx--- for group writeable
directories, ---r----- for group readable files,
---rw---- for group writeable files.  At least those
permissions.  You could then safely remove "other"
permissions to prevent a breach in security, as
everyone should be in that group to have access.


This is also useful with Winbind and "winbind use
default domain = yes" in smb.conf.  I can create a
group:

groupadd smbwrite

Add some users from my NT domain into it:

for USER in chris steve mike; do
    gpasswd -a $USER smbwrite
done

Set my permissions:

find /share/mis -type d -print0 | xargs -0 chmod g+s

And then set the group ID:
chgrp -R smbwrite /share/mis


Also, sgid is the 2 bit in the first number of octal
permissions (e.g. chmod 2770 some_directory).


Don't forget to have your users log out before trying,
and good luck.
/dev/idal
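
An added example, not part of the original message: a read-only audit of the three conditions the procedure above relies on (setgid on every directory, the share group on every entry, no "other" permissions). The function name audit_share, the script name and the output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: read-only audit of a setgid-based group share.
# audit_share DIR GROUP   (GROUP is a group name or numeric GID)
# Prints one finding per line; no output means the tree is consistent.
audit_share() {
    dir=$1
    group=$2

    # Directories without setgid: files created here get the creator's
    # primary group instead of inheriting the directory's group.
    find "$dir" -type d ! -perm -2000 -exec printf 'NOSGID %s\n' {} +

    # Entries that do not belong to the share group (missed by chgrp -R,
    # or created before setgid was applied).
    find "$dir" ! -group "$group" -exec printf 'WRONGGRP %s\n' {} +

    # Entries still carrying any "other" permission bit. Symlinks are
    # skipped because their own mode bits are not used for access checks.
    find "$dir" ! -type l \( -perm -001 -o -perm -002 -o -perm -004 \) \
        -exec printf 'OTHER %s\n' {} +
}

# Run directly as: sh audit_share.sh /share/mis smbwrite
if [ "$#" -ge 2 ]; then
    audit_share "$1" "$2"
fi
```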
