[Samba] ACLs, groups and suid-bit?
L.P.H. van Belle
belle at bazuin.nl
Wed Sep 9 09:40:03 UTC 2020
Forgot to send this yesterday, but here you go.
For anyone that wants a better understanding of Linux rights and ACLs AND Windows.
Play with this.
And yes, it's a lot of folders that are created here, but it is useful..
It creates with install (chmod+chown+mkdir in one) the folders.
For example, 1700 gives in Windows:
1. Creator Owner.
7. owner
0 deny
0 deny
But there are more and lots don't use it.
So a little script that creates the folders for you and you can play and check rights.
#!/bin/bash
# Put a path from a share in here.
FOLDER_IN_SHARE=/srv/samba/share
mkdir -p "$FOLDER_IN_SHARE/test"
cd "$FOLDER_IN_SHARE/test" || exit 1
# creating some rights.
# the first of 4 of the rights (setuid=4, setgid=2, sticky=1)
for A in 1 2 3 4 5 6 7
do
  # the second of 4 of the rights (owner). I only used 7 and 5 (x7xx) (x5xx)
  # you can add more, but more is more folders..
  for B in 7 5
  do
    # the third of 4 of the rights (group).
    for C in 7 5
    do
      # last number of 4 of the rights (other).
      for D in 0 1 5 7
      do
        # install does mkdir, chown, chmod in one go.
        # Create folder testfolder-XXXX owner root, group root, with rights ABCD
        install -d -o root -g root -m "${A}${B}${C}${D}" "testfolder-${A}${B}${C}${D}"
      done
    done
  done
done
cd ..
exit 0
Now, get a windows pc, login as the Domain Administrator
And look up the rights in windows from all folders created.
Add a group, see what it does.
Try without adding UID/GIDs before you change a security setting,
and try when you have added UID/GIDs before you change a security setting.
And verify the rights with getfacl
And now you know that.
Stop using chmod, start using [s,g]etfacl ;-)
You can use mkdir/install/chmod/chown when you setup the first folders.
But once you use them in Windows, stop using chmod/chown.
But you can make it easier for yourself by setting up a folder from within Windows, completely,
And use samba-tool to copy the SDDL. (Security Descriptor Definition Language)
An example is shown here of how I do it.
https://github.com/thctlo/samba4/blob/master/samba-fix-userhome-recursive.sh
Good luck..
Greetz,
Louis
(Invest in yourself, it's the cheapest way to gain.)
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Harald Hannelius via samba
> Sent: Tuesday 8 September 2020 16:45
> To: Rowland penny
> CC: sambalist
> Subject: Re: [Samba] ACLs, groups and suid-bit?
>
>
> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
> > On 08/09/2020 14:43, Harald Hannelius wrote:
> >> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
> >>> On 08/09/2020 13:55, Harald Hannelius wrote:
> >>>> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
> >>>>> On 08/09/2020 13:27, Harald Hannelius via samba wrote:
> [snip]
> >>> The 'new and improved way' is to make use of this:
> >>>
> >>> vfs objects = acl_xattr
> >>
> >> This doesn't say much to me (reading the man-page of smb.conf). Does it
> >> mean to store ACLs in the extra attributes in the underlying filesystem?
> >
> > Yes, it works like this:
> >
> > there are the normal Unix 'ugo' permissions
> >
> > Then there are permissions that can be set with setfacl, these are stored in
> > an acl
> >
> > Finally there are the permissions that are created from Windows which are
> > stored in extended attributes.
>
> Thanks.
>
> >>> You set the permissions from Windows, try reading this:
> >>>
> >>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >>
> >> If I don't have a Windows computer, can I use setfacl or chmod?
> > You could try setfacl
>
> Good, until now I haven't even used ACLs on that filesystem. setgid and chmod
> have been enough until now.
>
> >> Can I just stop using ACLs and go back to the old way of reading the
> >> permissions from the unix permissions? Users don't know how to, don't have
> >> the interest to, or don't want to do this themselves. Nor do I want to
> >> manage the ACLs at all, most certainly not through a GUI (on Windows).
> > No, you are running an AD domain now.
>
> As per my other reply that (sadly) forked this thread, 'nt acl support = No'
> and 'inherit permissions = Yes' did exactly what I wanted.
>
> I couldn't understand why files created in a directory with group 'it' and
> setgid set didn't get to be owned by the group 'it' but rather by the group
> 'users'.
>
> >> I have to test 'inherit permissions (S)' as well.
> >>
> >> What I want is for new files in the directory to have the same (unix) group
> >> ownership as the directory has. And that they have write permission for
> >> that unix-group.
> > OK, stop using your group, (which raises a question: you have (unix) above,
> > does this mean a group in /etc/group or a group in AD with a gidNumber
> > attribute ?), use Domain Users instead, all yours are members of Domain
> > Users.
>
> By unix-group I actually meant the group on the filesystem (gidNumber). This
> resolves through winbind to an AD-group.
>
> But now I have directories each with their own group, and with the
> setgid- and write-bit set. And directories created under this get the
> same group ownership as the parent dir, the group write- and setgid bit,
> and files created get the group ownership of the parent dir and the group
> write bit set.
>
> I think it's best for this implementation to not use ACLs.
>
>
> --
>
> Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
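An added example, not from Louis's or Harald's posts, that complements the folder generator above. It decodes the four octal digits that `install -m` and `chmod` take (the same modes the script creates) into their POSIX meaning, and probes whether a setgid directory hands its group to newly created files, which is the behaviour Harald relies on. It assumes GNU coreutils on Linux (`install`, `stat -c`, `mktemp`); the function names `decode_mode` and `setgid_inherits` are this example's own.

```shell
#!/bin/sh
# Added example (not from the list post). Assumes GNU coreutils on Linux
# (install, stat -c, mktemp). The function names are this example's own.

# rwx DIGIT: render one octal digit as r/w/x flags, e.g. 5 -> r-x
rwx() {
    d=$1
    r=-; w=-; x=-
    [ $((d & 4)) -ne 0 ] && r=r
    [ $((d & 2)) -ne 0 ] && w=w
    [ $((d & 1)) -ne 0 ] && x=x
    printf '%s%s%s' "$r" "$w" "$x"
}

# special_bits DIGIT: the leading digit of a 4-digit mode
# (setuid=4, setgid=2, sticky=1), as a comma-separated list or "none"
special_bits() {
    d=$1
    out=""
    [ $((d & 4)) -ne 0 ] && out="${out}setuid,"
    [ $((d & 2)) -ne 0 ] && out="${out}setgid,"
    [ $((d & 1)) -ne 0 ] && out="${out}sticky,"
    [ -z "$out" ] && out="none,"
    printf '%s' "${out%,}"
}

# decode_mode MODE: print what an octal mode such as 1750 (as passed to
# install -m / chmod) means in POSIX terms. Three-digit modes are accepted
# and treated as having no special bits; anything else is rejected.
decode_mode() {
    mode=$1
    case $mode in
        ''|*[!0-7]*|?????*) echo "decode_mode: '$mode' is not an octal mode" >&2; return 1 ;;
    esac
    while [ ${#mode} -lt 4 ]; do mode="0$mode"; done
    special=${mode%???}          # first digit: special bits
    rest=${mode#?}               # remaining three digits: owner, group, other
    owner=${rest%??}
    grp=${rest#?}; grp=${grp%?}
    other=${rest#??}
    echo "special=$(special_bits "$special") owner=$(rwx "$owner") group=$(rwx "$grp") other=$(rwx "$other")"
}

# setgid_inherits DIR: create a probe file in DIR and return 0 if it was
# given DIR's group (the effect of the setgid bit on a directory), else 1.
# The probe file is removed again.
setgid_inherits() {
    dir=$1
    probe=$(mktemp "$dir/probe.XXXXXX") || return 2
    dgid=$(stat -c %g "$dir")
    fgid=$(stat -c %g "$probe")
    rm -f "$probe"
    [ "$dgid" = "$fgid" ]
}

# Demo in a throwaway directory: owner rwx, group rwx plus setgid, other
# nothing, i.e. the kind of group-shared directory Harald describes.
demo() {
    base=$(mktemp -d)
    install -d -m 2770 "$base/shared"
    echo "2770 -> $(decode_mode 2770)"
    if setgid_inherits "$base/shared"; then
        echo "new files in $base/shared take the directory's group"
    else
        echo "new files in $base/shared keep the creator's group"
    fi
    rm -rf "$base"
}

demo
```

To see the setgid effect rather than a trivially equal group, run it as a user who belongs to a second group and `chgrp` the directory to that group before creating files; with the setgid bit cleared, the probe file falls back to the creator's primary group, which is the mismatch Harald saw.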