[Samba] Optimal File Permissions for Shared Access Between Windows and Linux

Jonathan Szalavecz john_johnk at hotmail.com
Sat Oct 26 19:37:49 UTC 2024


Rowland,

I realized I forgot to mention a few details about specific folders with unique permissions in /mnt/shared that I need to preserve in /mnt/shared/nas:

1. /mnt/shared/video_surveillance: Originally, this folder had drwxrwx--- permissions, with reolink as the owner and surveillance as the group. However, since the surveillance group has been removed, only john_johnk and reolink need read/write access.


2. /mnt/shared/Trading/data: This directory was set up with fail2ban as the owner and root as the group, with drwx------ permissions, limiting access to just the owner. (I never understood why docker created this folder with fail2ban as the owner, but that's another issue.)



Could you recommend the best approach to apply restrictive ACLs to these directories in /mnt/shared/nas while keeping permissions consistent? My goal is for john_johnk to have access without changing the restrictions for other users.

Thank you for your help!





________________________________
From: Jonathan Szalavecz <john_johnk at hotmail.com>
Sent: Saturday, October 26, 2024 6:12:46 PM
To: Rowland Penny via samba <samba at lists.samba.org>
Subject: Re: [Samba] Optimal File Permissions for Shared Access Between Windows and Linux


Hi Rowland,

Thanks to your guidance, I’ve set up permissions for all directories and files under /mnt/shared as follows:

  *   Directories have drwxr-xr-x permissions and are owned by root:root.
  *   Files are set to rw-------, also with root:root ownership, except for executables, which have the necessary rwx permissions.

I’d like to ensure john_johnk has read, write, and execute access across all directories and files, and to set up default ACLs that make new files and directories inherit these permissions reliably. However, I’m aiming to keep the ACLs as restrictive as possible for newly created folders and files.

  1.  Could you recommend specific ACL settings using -d to set these as default permissions across the directories and files?
  2.  For the mask, would you suggest using --mask or --no-mask to avoid unintended permission changes?

Once this setup is complete, I plan to rsync everything from /mnt/shared to /mnt/shared/nas, excluding /mnt/shared/partage_de_fichiers. Afterward, I’ll configure access for both john_johnk and juliette specifically on partage_de_fichiers.

Your insights have been invaluable so far, and I appreciate any further advice on these ACL settings!

Best,

Le 10/25/2024 à 11:09 AM, Rowland Penny via samba a écrit :

On Thu, 24 Oct 2024 15:55:41 +0200
Jonathan Szalavecz via samba <samba at lists.samba.org> wrote:



I thought with the ACL it would be easier but it is the same
nightmare :-(


john_johnk at raspberrypi:~ $ getfacl /mnt/shared/partage_de_fichiers
getfacl: Removing leading '/' from absolute path names
# file: mnt/shared/partage_de_fichiers
# owner: john_johnk
# group: sharedaccess
# flags: -s-
user::rwx
group::rwx
other::---
default:user::rw-
default:group::rw-
default:group:sharedaccess:rw-
default:mask::rw-
default:other::---


but when I create a file from DatabaseShare ...the group is wrong and
I have the x execution which comes from nowhere :-(


john_johnk at raspberrypi:~ $ ls -l /mnt/shared/partage_de_fichiers
total 102120

-rw-rwx---+ 1 john_johnk john_johnk       73979 Oct 10  2016 'Facture RAM_2.pdf'
-rw-rwx---+ 1 john_johnk john_johnk      125627 Dec  2  2021 'Facture Tennis RNS21.pdf'



One of your problems is that you are using these paths for the shares:

/mnt/shared
/mnt/shared/partage_de_fichiers

So, anyone that needs to get into partage_de_fichiers has to traverse
/mnt/shared

I would have used:

/mnt/shared/nas
/mnt/shared/partage_de_fichiers

This would have led to /mnt/shared being owned by root:root with
'0755' permissions, this would then have given 'others' the right to
traverse to the required directory.

Then use the same ownership for the sub directories (which would
seemingly stop anyone writing to the directory), then use 'setfacl' to
give the USER the required permissions.

Rowland





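As an added example (not code from this thread or from the Samba project), here is a shell script that builds the layout Rowland suggests in a scratch directory and then shows what a default ACL actually hands to a named user on newly created files and subdirectories. It uses the directory names nas and partage_de_fichiers from the thread; the numeric IDs 1001 and 1002 are hypothetical stand-ins for john_johnk and sharedaccess, and because it runs unprivileged it cannot chown to root:root, so only the 0755 bits and the ACL entries are reproduced. The rw- default mask put on partage_de_fichiers is the one visible in the getfacl output above: a subdirectory created there inherits mask rw-, so a named user's rwx entry is cut to rw- and that user cannot enter the new directory, while the same tree with an rwx default mask still yields rw- on files (the 0666 create mode narrows the mask) and rwx on directories. Files created through Samba additionally pass through Samba's own mode and ACL handling (create mask, directory mask, inherit acls and the ACL VFS modules), which this script does not model.

```shell
#!/bin/sh
# Added example, not code from the Samba thread: scratch copy of the share
# layout (traversable top directory, per-user access via named ACL entries)
# plus a check of how the default-ACL mask limits what a named user gets on
# newly created files and directories. Runs unprivileged, so no chown
# root:root and a temporary directory stands in for /mnt/shared.
JOHN_UID=1001      # hypothetical UID standing in for john_johnk
SHARED_GID=1002    # hypothetical GID standing in for sharedaccess

# Intersect an ACL entry's permission triple with the mask. That is what the
# kernel enforces for named-user and named-group entries; ls prints the mask
# in the group column, so "rwx" there does not mean the group itself has rwx.
effective_perms() {   # usage: effective_perms ENTRY MASK   e.g. rwx rw- -> rw-
    entry=${1:-"---"} mask=${2:-"---"} out='' i=1
    while [ "$i" -le 3 ]; do
        e=$(printf '%s' "$entry" | cut -c"$i")
        m=$(printf '%s' "$mask" | cut -c"$i")
        if [ "$e" = "$m" ] && [ "$e" != '-' ]; then out="$out$e"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Named-user entry and mask of a path's access ACL. Numeric IDs, no header and
# no "#effective" annotations, so parsing does not depend on /etc/passwd.
named_user_perms()     { getfacl -c -n -E -p "$1" | awk -F: '$1 == "user" && $2 != "" { print $3; exit }'; }
acl_mask()             { getfacl -c -n -E -p "$1" | awk -F: '$1 == "mask" { print $3; exit }'; }
effective_user_perms() { effective_perms "$(named_user_perms "$1")" "$(acl_mask "$1")"; }

# Build the tree: ROOT is only traversed (0755; root:root on the real NAS),
# the shares sit one level below it and get their access through setfacl.
demo_tree() {
    root=$1
    mkdir -p "$root/nas" "$root/partage_de_fichiers" || return 1
    chmod 0755 "$root" "$root/nas" "$root/partage_de_fichiers" || return 1

    # nas: john_johnk gets rwx now and, via the default ACL, on everything
    # created inside; the owner keeps rwx, group and other get nothing.
    setfacl -m "u:$JOHN_UID:rwx" "$root/nas" || return 1
    setfacl -d -m "u::rwx,g::---,o::---,u:$JOHN_UID:rwx,m::rwx" "$root/nas" || return 1

    # partage_de_fichiers: same idea plus the shared group and setgid, but
    # with the rw- default mask from the thread's getfacl output. An explicit
    # m:: entry is kept as given; setfacl only recalculates it when none is.
    chmod g+s "$root/partage_de_fichiers" || return 1
    setfacl -m "u:$JOHN_UID:rwx,g:$SHARED_GID:rwx" "$root/partage_de_fichiers" || return 1
    setfacl -d -m "u::rwx,g::---,o::---,u:$JOHN_UID:rwx,g:$SHARED_GID:rwx,m::rw-" \
        "$root/partage_de_fichiers" || return 1

    # One file and one subdirectory per share. umask 0 so mkdir/open request
    # 0777/0666 and only the default ACL narrows them (the kernel ignores the
    # umask when the parent has a default ACL).
    ( umask 0
      for d in nas partage_de_fichiers; do
          mkdir "$root/$d/newdir" && : > "$root/$d/newfile" || exit 1
      done )
}

# Print, for each created object, what john_johnk's entry says versus what the
# mask leaves of it.
report() {
    root=$1
    for p in nas/newdir nas/newfile partage_de_fichiers/newdir partage_de_fichiers/newfile; do
        printf '%-28s entry=%s mask=%s effective=%s\n' "$p" \
            "$(named_user_perms "$root/$p")" "$(acl_mask "$root/$p")" \
            "$(effective_user_perms "$root/$p")"
    done
}

# Stand-alone run in a scratch directory; skipped where the ACL tools or the
# filesystem's ACL support are missing.
if command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1; then
    SCRATCH=$(mktemp -d)
    if setfacl -m "u:$JOHN_UID:rwx" "$SCRATCH" 2>/dev/null && demo_tree "$SCRATCH/shared"; then
        report "$SCRATCH/shared"
    else
        echo "ACLs not supported on $SCRATCH; skipping the live demonstration"
    fi
    rm -rf "$SCRATCH"
fi
```

The same named-user entry is also how one extra account gets into a directory such as the video_surveillance or Trading/data folders from the first message: setfacl -m u:NAME:rwx leaves the owner, group and other bits as they are and only adds the entry (and raises the mask, which changes what ls shows in the group column but not the group's own rights). To keep a default mask from silently capping named entries on new subdirectories, set the default mask to rwx, as the nas branch does; new files still come out rw- because their 0666 create mode narrows the inherited mask.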