[Samba] sub-folders security access question

Stéphane PURNELLE stephane.purnelle at corman.be
Mon Apr 14 01:42:47 MDT 2014


Hi,

No, all access is managed in ACL.
Maybe just put the administrators group.

regards

        Stéphane Purnelle

-----------------------------------
Stéphane PURNELLE                         Admin. Systèmes et Réseaux 
Service Informatique       Corman S.A.           Tel : 00 32 (0)87/342467

Jean Carlos Coelho <coelho at teltecsolutions.com.br> wrote on 11/04/2014 17:19:55:

> From: Jean Carlos Coelho <coelho at teltecsolutions.com.br>
> To: Stéphane PURNELLE <stephane.purnelle at corman.be>, 
> "samba at lists.samba.org" <samba at lists.samba.org>, 
> Date: 11/04/2014 17:20
> Subject: Re: [Samba] sub-folders security access question
> 
> Just thinking…
> 
>    Ok, I set ACL on folder and files for groups.. Not users.. (lot of work
> to do). At smb.conf do I need to configure write access or read access or
> permissions? Eg. (this is my share configuration ad domain PDC)...
> 
> [projects]
>   comment = Projects Folder
>   path = /samba/groups/project
>   guest ok = No
>   writeable = No
>   browseable = Yes
>   force user = nobody
>   force group = project
>   write list = @project, @ceo
>   read list = @project_read
>   create mask = 774
>   ;directory mask = 2775
>   vfs objects = recycle
>   recycle:repository = /samba/trash/project
>   ;vfs objects = recycle scannedonly full_audit
>   ;recycle:keeptree = Yes
>   ;recycle:versions = Yes
>   ;veto files = *.scr, *.com, *.bat, *.rmvb, *.mp3, *.pif, *.vb, *.vbs, *.vbe, *.inf, *.run, *.reg, *.paf, *.lnk, *.cpl, *.bin, *.cmd
> 
> 
>    Thanks! :)
> 
> 
> 
> On 11/04/14 11:31, "Stéphane PURNELLE" <stephane.purnelle at corman.be> wrote:
> 
> >Hi,
> >
> >In my point of view :
> >
> >groups : 
> >
> >directors, members : DIRECTOR
> >read_folder, members : user1, user2
> >project1, members : user1
> >project1_read, members : user2
> >project2, members : user2
> >project2_read, members : user1
> >
> >ACL entry :
> >
> >FOLDER : 
> >setfacl -m g:directors:rwx FOLDER
> >setfacl -d -m g:directors:rwx FOLDER
> >setfacl -m g:read_folder:r-x FOLDER
> >
> >PROJECT1 : 
> >setfacl -m g:directors:rwx PROJECT1
> >setfacl -d -m g:directors:rwx PROJECT1
> >setfacl -m g:project1:rwx PROJECT1
> >setfacl -d -m g:project1:rwx PROJECT1
> >setfacl -m g:project1_read:r-x PROJECT1
> >setfacl -d -m g:project1_read:r-x PROJECT1
> >
> >PROJECT2 : 
> >setfacl -m g:directors:rwx PROJECT2
> >setfacl -d -m g:directors:rwx PROJECT2
> >setfacl -m g:project2:rwx PROJECT2
> >setfacl -d -m g:project2:rwx PROJECT2
> >setfacl -m g:project2_read:r-x PROJECT2
> >setfacl -d -m g:project2_read:r-x PROJECT2
> >
> >
> >In this config : 
> >
> >directors group can do anything it wants
> >users in group project1 can do all in sub-folder PROJECT1
> >users in group project2 can do all in sub-folder PROJECT2
> >users in group project1_read can only read files and folders in sub-folder PROJECT1
> >users in group project2 can only read files and folders in sub-folder PROJECT2
> >
> >the group read_folder is a group to permit user1 and user2 to read the
> >content (visibility) of directory FOLDER, but they cannot do anything in
> >the FOLDER directory
> >
> >Why -m and -d -m ?
> >
> >The command setfacl -m modifies the ACL entry for a file or a directory.
> >If we add -d, the modification applies to the default ACL entry.
> >
> >The default ACL entry means: what ACL must be applied when I create a file
> >or a directory under the directory that has this ACL?
> >
> >In my example, I use groups because they are simpler to manage than users.
> >If a user12 must have access to PROJECT1, we must just add it to the group
> >project1 and it works (after a logout/login of the user on the Windows client)
> >
> >You can read the man page of setfacl here: http://linux.die.net/man/1/setfacl
> >
> >hope that helps you
> >
> >
> >-----------------------------------
> >Stéphane PURNELLE                         Admin. Systèmes et Réseaux
> >Service Informatique       Corman S.A.           Tel : 00 32 (0)87/342467
> >
> >samba-bounces at lists.samba.org wrote on 11/04/2014 15:57:30:
> >
> >> From: Jean Carlos Coelho <coelho at teltecsolutions.com.br>
> >> To: "samba at lists.samba.org" <samba at lists.samba.org>,
> >> Date: 11/04/2014 16:13
> >> Subject: [Samba] sub-folders security access question
> >> Sent by: samba-bounces at lists.samba.org
> >> 
> >> Hi Guys!
> >> 
> >> A simple question..
> >> 
> >> I never worked with ACLs and since my customer wants some access
> >> levels for some sub-folders in shares, I am reading some manuals
> >> about that.. But.. Before applying some tests, I need some advice
> >> about this.. Here is my question...
> >> 
> >> Parent folder (share): FOLDER
> >> Sub-folder1: PROJECT1
> >> Sub-folder2: PROJECT2
> >> User1: DIRECTOR
> >> Group: Director/Projects
> >> 
> >> User2: Employee1
> >> Group: Project1
> >> 
> >> User3: Employee2
> >> Group: Project2
> >> 
> >> Scenario:
> >> 
> >> Director can move/rename/exclude folder from FOLDER...
> >> User1 can only access/read and execute files inside PROJECT1 and read PROJECT2
> >> User2 can only access/read and execute files inside PROJECT2 and read PROJECT1
> >> 
> >> Can I use setfacl to solve this problem? Does anyone know some good
> >> website with instructions and e.g. of usage?
> >> 
> >> Thank you and sorry for my bad english!
> >> 
> >> -- 
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> 
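
Added example (not part of any message in this thread): a shell audit that reads `getfacl` output and checks it against the intent described in the quoted reply, namely that `*_read` groups never hold the write bit and that each named group's access entry has a matching default entry. The `_read` naming rule and the sample `getfacl` text are assumptions constructed for illustration.

```shell
#!/bin/sh
# audit_acl: read `getfacl` output on stdin and print one finding per line:
#   WRITE <file> <entry>      a *_read group holds the w bit (access or default ACL)
#   NODEFAULT <file> <group>  access entry without a default entry, so files
#                             created below will not inherit it
# Assumption: the "_read" suffix marks read-only groups, as in the thread.
audit_acl() {
  awk -F: '
    function flush(   g) {
      for (g in acc) if (!(g in def)) print "NODEFAULT", file, g
      split("", acc); split("", def)
    }
    /^# file: / { flush(); file = substr($0, 9); next }
    /^#/ || NF == 0 { next }
    {
      isdef = ($1 == "default")
      tag  = isdef ? $2 : $1
      name = isdef ? $3 : $2
      perm = substr((isdef ? $4 : $3), 1, 3)
      if (tag != "group" || name == "") next
      if (isdef) def[name] = 1; else acc[name] = 1
      if (name ~ /_read$/ && perm ~ /w/)
        print "WRITE", file, (isdef ? "default:" : "") "group:" name ":" perm
    }
    END { flush() }' | LC_ALL=C sort
}

# Constructed, abridged getfacl output: PROJECT1 is correct, PROJECT2 is not.
sample_acl() {
  cat <<'EOF'
# file: PROJECT1
group::r-x
group:directors:rwx
group:project1:rwx
group:project1_read:r-x
default:group:directors:rwx
default:group:project1:rwx
default:group:project1_read:r-x

# file: PROJECT2
group:directors:rwx
group:project2:rwx
group:project2_read:rwx
default:group:directors:rwx
default:group:project2_read:rwx
EOF
}

sample_acl | audit_acl   # live use: getfacl -R /samba/groups/project | audit_acl
```

The audit only reflects the on-disk ACLs. With `force user` or `force group` set on the share, as in the quoted smb.conf, Samba performs file operations as that forced identity, so the per-group entries are not what decides access for the connecting user.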


