[Samba] Access control question.

Matt Lozier mlozier at spindletopoil.com
Mon Nov 26 20:13:58 GMT 2007


Hi Andrew,

Thanks for this.  I did think about using ACLs, but even if I set this up
(for *every* directory that our users need access to) won't they still be
able to *see* those directories even if they don't have r/w/x permission?

I'm looking for a way to set up user permissions so that they can only see
that which they have access to.

Thanks again for the pointer, and if any thoughts come to mind, please do
share!

---
Matt Lozier
IT Analyst
972.644.2581, ext. 248
972.661.2701  fax
 

 
-----Original Message-----
From: Andrew Sherlock-CF [mailto:andrew.sherlock at bbc.co.uk] 
Sent: Thursday, November 22, 2007 8:34 AM
To: Matt Lozier; samba at lists.samba.org
Subject: RE: [Samba] Access control question.

Hi Matt,

You may wish to look into the 'setfacl' command.

http://bama.ua.edu/cgi-bin/man-cgi?setfacl+1

Hope this helps!

------------------- 

> -----Original Message-----
> From: Matt Lozier [mailto:mlozier at spindletopoil.com] 
> Sent: 21 November 2007 17:39
> To: Andrew Sherlock-CF; samba at lists.samba.org
> Subject: RE: [Samba] Access control question.
> 
> Hi Andrew,
> 
> Thank you for your response.  The only problem with going 
> this route is that
> I really need to have finer grain control over what the users 
> are able to
> access.
> 
> I have situations where user1 needs to have access to 
> /smbshare/dir1 and
> dir3 then user2 needs to have access to /smbshare/dir1/subdir1 and
> /smbshare/dir3, but *no* access to /smbshare/dir1.  I suppose 
> that the real
> problem lies in the poor setup of the root /smbshare.  
> However, any changes
> to this configuration are out of the question because too 
> many people who
> are resistant to change already understand things the way they are ;-)
> 
> If I understand LDAP properly (I'm new to this technology) 
> then I should be
> able to store user permissions in the LDAP database, no?
> 
> Thanks,
> Matt
> 
> 
> -----Original Message-----
> From: Andrew Sherlock-CF [mailto:andrew.sherlock at bbc.co.uk] 
> Sent: Wednesday, November 21, 2007 11:07 AM
> To: Matt Lozier; samba at lists.samba.org
> Subject: RE: [Samba] Access control question.
> 
> Is it out of the question to create many different shares and then
> secure the system on a per-share basis?
> 
> I'm securing shares individually using Active Directory.
> In each share config I have:
> valid users=@MR_ADGROUP_FOR_WRITING @MR_ADGROUP_FOR_READING
> write list=@MR_ADGROUP_FOR_WRITING
> read list=@MR_ADGROUP_FOR_READING
> 
> Create different groups for each share and you're golden.
> 
> Of course, this model can be followed without AD.
> 
> ------------------- 
> 
> > -----Original Message-----
> > From: samba-bounces+andrew.sherlock=bbc.co.uk at lists.samba.org 
> > [mailto:samba-bounces+andrew.sherlock=bbc.co.uk at lists.samba.or
> > g] On Behalf Of Matt Lozier
> > Sent: 21 November 2007 15:58
> > To: samba at lists.samba.org
> > Subject: [Samba] Access control question.
> > 
> > Hello,
> > 
> >  
> > 
> > I have a general administrative question concerning Samba shares.
> > 
> >  
> > 
> > I have a large amount of data that about 25 users have 
> > limited access to.  I
> > only want these users to have access to a sub-set of this 
> > data, but I also
> > only want the users to see that which they have access to.
> > 
> >  
> > 
> > So, for example, suppose that the share looks like thus: 
> > 
> > /smbshare
> > 
> > /smbshare/dir1
> > 
> > /smbshare/dir2
> > 
> > /smbshare/dir3
> > 
> >  
> > 
> > And I only want the users to see that they have access to 
> > /smbshare/dir1 and
> > /smbshare/dir3.  The way that this is currently set up is that I have
> > symlinks from the user's home directory to /smbshare/dir1 and
> > /smbshare/dir3.  That way when the user maps their home 
> > share, they only see
> > dir1 and dir3 - dir2 is out of sight, and thus (hopefully) 
> > out of mind.
> > 
> >  
> > 
> > Is there a better way to implement what I'm trying to do?  
> > I'm currently
> > looking into setting up permissions as an LDAP directory and 
> > using this as
> > the means to control access to the data - have also 
> > considered using ACLs -
> > not sure which way to go!
> > 
> >  
> > 
> > Any and all help / input is appreciated.
> > 
> >  
> > 
> > Thank you,
> > 
> > Matt
> > 
> > 
> 
> 					
> 
> 
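
The per-share model suggested in the thread, applied to the user1/user2 layout described in it, as an added smb.conf sketch that is not from either poster. The share names and the Unix group names are hypothetical; only the /smbshare paths and the three list parameters come from the messages.

```ini
# Added example (not from the thread). Share and group names are hypothetical.
# Assumed membership: user1 is in dir1_rw and dir3_rw;
#                     user2 is in subdir1_rw and dir3_ro.
# There is deliberately no share for /smbshare itself and none for dir2,
# so neither is reachable through Samba by these users.

[dir1]
    path = /smbshare/dir1
    read only = yes
    valid users = @dir1_rw @dir1_ro
    write list = @dir1_rw
    read list = @dir1_ro

# Exported as its own share: user2 connects here directly and is never
# a valid user of [dir1].
[dir1_subdir1]
    path = /smbshare/dir1/subdir1
    read only = yes
    valid users = @subdir1_rw @subdir1_ro
    write list = @subdir1_rw
    read list = @subdir1_ro

[dir3]
    path = /smbshare/dir3
    read only = yes
    valid users = @dir3_rw @dir3_ro
    write list = @dir3_rw
    read list = @dir3_ro
```

Samba does not grant more than the underlying filesystem allows, so the Unix permissions or ACLs (for example those set with setfacl) on each path must also permit the members of these groups.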
