[Samba] Inherit permissions question (Please help)(disclaimer)

david rankin drankin at cox-internet.com
Sat Jan 29 06:39:09 GMT 2005


David,

    I'm kinda shooting in the dark here, but from what I remember, you need 
to be able to manage various user files without affecting the user ownership 
and while preserving the 'security' of each user's files from being seen from 
everybody else. What I would do is create a group in /etc/groups -- called 
'manager' or whatever. The member(s) of the manager group would be whoever 
would need read/write access to every user's files. I would then set user and 
group ownership of the user's home directories to "user.manager" via chown. 
That way cron or whatever is running as 'manager' could do whatever is 
needed globally for all users while preserving the individual user security. 
In that vein, force group = manager would assure access to the manager. The 
only fly in the ointment would be if you had a common share that all needed 
to access while you are still trying to preserve individual security too. 
But, heck, if that's the case, then individual security would be irrelevant 
unless you simply wanted to grant write access to each.

    Like I said, I'm shooting in the dark, but that is my .02 on what you 
are looking at. Linux/samba is flexible enough from a permissions standpoint 
that you can do about anything you want to. The Linux basic permissions of 
user.group.world coupled with force user, force group and inherit 
permissions along with your /etc/group definitions are the basic building 
blocks for just about anything you can think of.

    One other option would be to define an 'admin users = ' for the shares 
you want to manage. That is another option for giving a user or group of 
users rwx access to any share while preserving user privacy.

    Hope this helps. And of course the disclaimer: I'm a lawyer, who used to 
be an engineer, who still 'thinks' he can stay reasonably current on his OS 
of choice, but has to regrettably admit that I am no authority on the finer 
points of coding/samba/Linux anymore. (that stopped when I quit babysitting 
750,000 lines of FORTRAN known as SVDS (space vehicle dynamic simulation - 
the shuttle ascent launch processor in '89) (Yes that was at the time DIBS 
and DOLILU was coming online) (... and for the curious DOLILU = day of 
launch I-Load update)(uhh.. GNC, Pitch-Yaw-Roll stuff from SRB ignition to 
MECO)(uhh.. it's supposed to keep the wings from coming off going 
uphill)(and uhh.. again, ET foam shedding was never an issue while 
Martin-Marietta built the tank)(and uhh.. the Martin-Thiokol booster o-ring 
problem had been found and addressed by then [51-L] --> STS26)

--
David C. Rankin, J.D., P.E.
RANKIN LAW FIRM, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
(936) 715-9333
(936) 715-9339 fax
www.rankin-bertin.com
--
----- Original Message ----- 
From: "David Wilson" <dave at dcdata.co.za>
To: "david rankin" <drankin at cox-internet.com>; "samba" 
<samba at lists.samba.org>
Sent: Friday, January 28, 2005 12:51 AM
Subject: Re: [Samba] Inherit permissions question (Please help)


>
> Hi David,
>
> Thanks for your reply.
> That would work but then because it's on the share for users' profiles 
> each user would then be able to access everyone else's profile.
> Please correct me if I'm wrong.
>
>
>
> Kindest regards
> David Wilson
> _______________________________
> D c D a t a
> Tel +27 33 342 7003
> Fax +27 33 345 4155
> Cell +27 82 4147413
> http://www.dcdata.co.za
> support at dcdata.co.za
> Powered by Linux, driven by passion !
> _______________________________
>
> "Computers are not intelligent. They only think they are."
>
> ----- Original Message ----- 
> From: "david rankin" <drankin at cox-internet.com>
> To: "samba" <samba at lists.samba.org>
> Sent: Friday, January 28, 2005 6:13 AM
> Subject: Re: [Samba] Inherit permissions question (Please help)
>
>
>> Sorry I'm late on this thread, but would 'force user =  ' force group = ' 
>> work?
>>
>> --
>> David C. Rankin, J.D., P.E.
>> RANKIN LAW FIRM, PLLC
>> 510 Ochiltree Street
>> Nacogdoches, Texas 75961
>> (936) 715-9333
>> (936) 715-9339 fax
>> www.rankin-bertin.com
>> --
>> ----- Original Message ----- 
>> From: "David Wilson" <dave at dcdata.co.za>
>> To: "Craig White" <craigwhite at azapple.com>; <samba at lists.samba.org>
>> Sent: Wednesday, January 26, 2005 3:26 AM
>> Subject: Re: [Samba] Inherit permissions question (Please help)
>>
>>
>>>
>>> Hi Craig,
>>>
>>> Thanks for your reply.
>>> My suggestions for using a preexec script is a sort of "last resort" 
>>> option. I could rather configure a job in cron that checks permissions.
>>> Ideally I need the "inherit permissions" option but with the ability to 
>>> also include user & group ownership. To get this done samba would 
>>> require root privileges  to change the ownership of files to that of the 
>>> parent folder - which probably wouldn't be a good idea ?
>>>
>>> Thanks for your help so far.
>>> Any assistance/input would be greatly appreciated.
>>>
>>> Kindest regards
>>> David Wilson
>>> _______________________________
>>> D c D a t a
>>> Tel +27 33 342 7003
>>> Fax +27 33 345 4155
>>> Cell +27 82 4147413
>>> http://www.dcdata.co.za
>>> support at dcdata.co.za
>>> Powered by Linux, driven by passion !
>>> _______________________________
>>>
>>> "Computers are not intelligent. They only think they are."
>>>
>>> ----- Original Message ----- 
>>> From: "Craig White" <craigwhite at azapple.com>
>>> To: <samba at lists.samba.org>
>>> Sent: Wednesday, January 26, 2005 10:41 AM
>>> Subject: Re: [Samba] Inherit permissions question (Please help)
>>>
>>>
>>>> Am I the only one that thinks it's a terrible idea? When I need to make
>>>> changes to user profiles, I use things like...
>>>>
>>>> logon script
>>>> perl/shell script updates on actual samba server
>>>>
>>>> but I suppose that you could have a 'pre-exec' script that changes the
>>>> ownership of all files in a person's profile be changed upon login.
>>>>
>>>> Craig
>>>>
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/listinfo/samba
>>>
>>
>>
>
> 
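
The cron-driven permission check mentioned in the thread, applied to the user.manager layout from the reply at the top, as an added example that is not code from any poster: it reports anything under a profile directory that is not owned by that directory's owner, is not in the manager group, or is accessible to "other". The function name `audit_profiles`, the one-directory-per-user layout and the sample path in the comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a tree of per-user directories
# that is meant to follow the "user.manager" ownership scheme.
# Assumption: every directory directly under ROOT is one user's profile.
# This checks on-disk state only; smb.conf settings such as 'force group'
# change the effective group of every connection to the share and are
# not visible from here.

# audit_profiles ROOT GROUP
#   GROUP may be a group name or a numeric gid.
#   Prints one "REASON path" line per finding and returns 1 if any exist.
audit_profiles() {
    root=$1
    grp=$2
    report=$(
        for dir in "$root"/*/; do
            dir=${dir%/}
            # Skip glob misses and symlinked entries.
            if [ ! -d "$dir" ] || [ -L "$dir" ]; then continue; fi
            # Numeric uid of the profile owner: third field of 'ls -ldn'.
            uid=$(ls -ldn "$dir" | awk '{print $3}')
            # Files that did not keep the owner of the parent profile.
            find "$dir" ! -user "$uid" -print | sed 's/^/OWNER /'
            # Files the manager group cannot reach through group bits.
            find "$dir" ! -group "$grp" -print | sed 's/^/GROUP /'
            # Anything readable, writable or searchable by "other".
            find "$dir" ! -type l \
                \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
                sed 's/^/WORLD /'
        done
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Stand-alone use, e.g. from cron (path is a constructed sample):
#   sh audit_profiles.sh /srv/samba/profiles manager
if [ "$#" -eq 2 ]; then
    audit_profiles "$1" "$2"
fi
```

A non-zero exit with output on stdout is enough for cron to mail the findings to the job's owner.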