[Samba] Subfolders and permissions

Scott Lovenberg scott.lovenberg at gmail.com
Wed Feb 20 19:55:03 GMT 2008


Paul Rijke wrote:
> Hi,
>
> I have currently a department called HRM which have their own share
> /data/hrm
>
> Within that share is a folder called recruitment.
>
> We recently hired an external recruiter to do some work for us. The folder
> is /data/hrm/recruitment
>
> How can I enforce that this person can only read and write in this
> directory? Look below, is this the way to go? How would you handle this?
>
> My config:
>
> #======================= Global Settings =====================================
>
> [global]
>             dns proxy = no
>             log file = /var/log/samba/log.%m
>             netbios name = srv01
>             load printers = yes
>             server string = srv01.mydomain.com
>
>             workgroup = MYDOMAIN
>             os level = 20
>             username map = /usr/local/etc/samba/smbusers
>
>             encrypt passwords = yes
>             hosts allow = 192.168.20. 127.
>             security = user
>             max log size = 50
>
> #============================ Share Definitions ==============================
>
> # the "staff" group
> [hrm]
>             writeable = yes
>             path = /data/hrm
>             write list = @hrm
>             force group = hrm
>             valid users = @hrm
>             create mode = 764
>             directory mode = 774
>
> [recruitment]
>             comment = Recruitment Share
>             valid users = @recruitment
>             writeable = yes
>             path = /data/hrm/recruitment
>             write list = @recruitment
>             force group = recruitment
>             create mode = 764
>             directory mode = 774
>
Personally, I'd do this at the file system level.  Put them in a group 
such that they don't have any permissions other than traverse (751 
permissions or so) parent directories, and make them the owner of the 
recruitment directory with a 2770 permission on the directory.  If you 
need to add more recruiters, just add them to the recruitment group.


So, it'd look like this:
user: recruiter
group: recruitment

/data/hrm (perms - root.users rwxrwx--x)
/data/hrm/recruitment (perms - recruiter.recruitment rwxrwt---)

Then just give them a link to /data/hrm/recruitment on their desktop or 
something (or map a drive on logon with the logon script).  This is, of 
course, just one way to do it.  I usually like to handle permissions at 
the lowest level.
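The layout Scott describes, as an added shell example that is not part of the thread: it sets the parent to rwxrwx--x (traverse-only for non-members, as in his listing), the recruitment directory to 2770 with the setgid bit so files inherit the recruitment group, and then verifies both. The paths, user and group names are assumed; the chown calls need root on a real server.

```shell
#!/bin/sh
# Added example (not from the mailing list): filesystem-level permissions for
# a recruiter confined to one subdirectory of the HRM share. Names assumed.
set -eu

# set_up_recruitment_tree PARENT SUBDIR PARENT_OWNER PARENT_GROUP REC_USER REC_GROUP
# PARENT  -> 771 (rwxrwx--x): members of PARENT_GROUP work in it; anyone else,
#            the recruiter included, can only pass through it, not list it.
# SUBDIR  -> 2770 (rwxrws---): only REC_USER and REC_GROUP get in; the setgid
#            bit makes new files carry REC_GROUP, so adding more recruiters to
#            the group is all that is needed later.
set_up_recruitment_tree() {
    parent=$1; subdir=$2; powner=$3; pgroup=$4; ruser=$5; rgroup=$6
    mkdir -p "$parent/$subdir"
    chown "$powner:$pgroup" "$parent"
    chmod 771 "$parent"
    chown "$ruser:$rgroup" "$parent/$subdir"
    chmod 2770 "$parent/$subdir"
}

# mode_string PATH -> the ten-character mode field of ls -ld, e.g. drwxrws---
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# verify_recruitment_tree PARENT SUBDIR -> 0 only if both modes are as intended
verify_recruitment_tree() {
    [ "$(mode_string "$1")" = "drwxrwx--x" ] || return 1
    [ "$(mode_string "$1/$2")" = "drwxrws---" ] || return 1
    return 0
}

# new_file_group_matches DIR -> 0 if a file created in DIR inherits DIR's group,
# which is what the setgid bit on the recruitment directory is there for
new_file_group_matches() {
    probe="$1/.setgid-probe.$$"
    : > "$probe"
    dgroup=$(ls -ld "$1" | awk '{print $4}')
    fgroup=$(ls -ld "$probe" | awk '{print $4}')
    rm -f "$probe"
    [ "$dgroup" = "$fgroup" ]
}

# Deployment (run as root): uncomment the two lines below.
# set_up_recruitment_tree /data/hrm recruitment root users recruiter recruitment
# verify_recruitment_tree /data/hrm recruitment && echo "permissions OK"
```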

