[Samba] sub-folders security access question

Stéphane PURNELLE stephane.purnelle at corman.be
Fri Apr 11 08:31:52 MDT 2014


Hi,

From my point of view:

groups : 

directors, members : DIRECTOR
read_folder, members : user1, user2
project1, members : user1
project1_read, members : user2
project2, members : user2
project2_read, members : user1

ACL entries:

FOLDER:
setfacl -m g:directors:rwx FOLDER
setfacl -d -m g:directors:rwx FOLDER
setfacl -m g:read_folder:r-x FOLDER

PROJECT1:
setfacl -m g:directors:rwx PROJECT1
setfacl -d -m g:directors:rwx PROJECT1
setfacl -m g:project1:rwx PROJECT1
setfacl -d -m g:project1:rwx PROJECT1
# read-only group: r-x, no write bit
setfacl -m g:project1_read:r-x PROJECT1
setfacl -d -m g:project1_read:r-x PROJECT1

PROJECT2:
setfacl -m g:directors:rwx PROJECT2
setfacl -d -m g:directors:rwx PROJECT2
setfacl -m g:project2:rwx PROJECT2
setfacl -d -m g:project2:rwx PROJECT2
# read-only group: r-x, no write bit
setfacl -m g:project2_read:r-x PROJECT2
setfacl -d -m g:project2_read:r-x PROJECT2


In this config:

The directors group can do anything it wants.
Users in group project1 can do everything in sub-folder PROJECT1.
Users in group project2 can do everything in sub-folder PROJECT2.
Users in group project1_read can only read files and folders in sub-folder
PROJECT1.
Users in group project2 can only read files and folders in sub-folder
PROJECT2.

The group read_folder is a group that permits user1 and user2 to read the
content (visibility) of directory FOLDER, but they cannot do anything in the
FOLDER directory.

Why -m and -d -m?

The command setfacl -m modifies the ACL entry for a file or a directory.
If we add -d, the modification applies to the default ACL entry.

A default ACL entry means: which ACL must be applied when I create a file or a
directory under the directory that has this ACL?

In my example, I use groups because they are simpler to manage than users.
If a user12 must have access to PROJECT1, we just add them to the group
project1 and it works (after a logout/login of the user on the Windows client).

You can read the man page of setfacl here: http://linux.die.net/man/1/setfacl

Hope that helps you.


-----------------------------------
Stéphane PURNELLE                         Admin. Systèmes et Réseaux 
Service Informatique       Corman S.A.           Tel : 00 32 (0)87/342467

samba-bounces at lists.samba.org wrote on 11/04/2014 15:57:30:

> From: Jean Carlos Coelho <coelho at teltecsolutions.com.br>
> To: "samba at lists.samba.org" <samba at lists.samba.org>
> Date: 11/04/2014 16:13
> Subject: [Samba] sub-folders security access question
> Sent by: samba-bounces at lists.samba.org
> 
> Hi Guys!
> 
> A simple question..
> 
> I never worked with ACLs and since my customer wants some access
> levels for some sub-folders in shares, I am reading some manuals
> about that.. But.. Before applying some tests, I need some advice
> about this.. Here is my question...
>
> Parent folder (share): FOLDER
> Sub-folder1: PROJECT1
> Sub-folder2: PROJECT2
> User1: DIRECTOR
> Group: Director/Projects
> 
> User2: Employee1
> Group: Project1
> 
> User3: Employee2
> Group: Project2
> 
> Scenario:
> 
> Director can move/rename/exclude folder from FOLDER...
> User1 can only access/read and execute files inside PROJECT1 and read PROJECT2
> User2 can only access/read and execute files inside PROJECT2 and read PROJECT1
>
> Can I use setfacl to solve this problem? Does anyone know some good
> website with instructions and e.g. of usage?
>
> Thank you and sorry for my bad English!
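A way to check that the read-only groups in the layout above cannot write, as an added example that is not part of the original message: the function reads `getfacl` output (for instance from `getfacl -R FOLDER`), applies each section's mask to every group whose name ends in `_read`, and prints the ones that still have write access. The function names, the `_read` suffix test and the sample ACL listing are assumptions constructed for this illustration.

```shell
# Reads getfacl output on stdin; prints file, scope, group, effective rights.
audit_read_groups() {
    awk '
    function flush(   i, k, c, m, eff) {
        for (i = 1; i <= n; i++) {
            m = (scope[i] in mask) ? mask[scope[i]] : "rwx"
            eff = ""
            for (k = 1; k <= 3; k++) {       # effective = entry AND mask
                c = substr(perm[i], k, 1)
                eff = eff ((c != "-" && c == substr(m, k, 1)) ? c : "-")
            }
            if (index(eff, "w"))
                printf "%s\t%s\t%s\t%s\n", file, scope[i], name[i], eff
        }
        n = 0; split("", mask)               # reset per-file state
    }
    /^# file: / { flush(); file = substr($0, 9); next }
    { sub(/[ \t]*#.*/, "") }                 # drop comments such as #effective:
    $0 == "" { next }
    {
        split($0, f, ":"); s = "access"; o = 0
        if (f[1] == "default") { s = "default"; o = 1 }
        if (f[1 + o] == "mask") mask[s] = f[3 + o]
        else if (f[1 + o] == "group" && f[2 + o] ~ /_read$/) {
            n++; scope[n] = s; name[n] = f[2 + o]; perm[n] = f[3 + o]
        }
    }
    END { flush() }'
}

# Constructed getfacl output (not captured from a real system).
sample_acls() {
    cat <<'EOF'
# file: PROJECT1
group:project1:rwx
group:project1_read:rwx
mask::rwx
default:group:project1_read:rwx
default:mask::rwx

# file: PROJECT2
group:project2_read:r-x
mask::rwx
default:group:project2_read:rwx
default:mask::r-x
EOF
}

sample_acls | audit_read_groups
```

On the sample, PROJECT1 is reported twice (access and default entries both grant `rwx`), while PROJECT2 is not reported: its default entry says `rwx` but the default mask `r-x` removes the write bit.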