[Samba] Optimal File Permissions for Shared Access Between Windows and Linux
Kees van Vloten
keesvanvloten at gmail.com
Sat Oct 26 19:56:03 UTC 2024
Op 26-10-2024 om 21:37 schreef Jonathan Szalavecz via samba:
> Rowland,
>
> I realized I forgot to mention a few details about specific folders with unique permissions in /mnt/shared that I need to preserve in /mnt/shared/nas:
>
> 1. /mnt/shared/video_surveillance: Originally, this folder had drwxrwx--- permissions, with reolink as the owner and surveillance as the group. However, since the surveillance group has been removed, only john_johnk and reolink need read/write access.
>
>
> 2. /mnt/shared/Trading/data: This directory was set up with fail2ban as the owner and root as the group, with drwx------ permissions, limiting access to just the owner. (I never understood why docker created this folder with fail2ban as the owner but that s another issue)
Are you running the fileserver in a docker-container?
>
>
>
> Could you recommend the best approach to apply restrictive ACLs to these directories in /mnt/shared/nas while keeping permissions consistent? My goal is for john_johnk to have access without changing the restrictions for other users.
Is it not as simple as adding this to your posix-acls: ?
user:john_johnk:rwx
default:user:john_johnk:rw-
If you put this on a directory (in addition to the existing
permissions), 'john_johnk' with have 'rwx' and all new files in it will
inherit 'john_johnk:rw-'. For existing files and directories you have
to update their posix-acls.
A better approach is to create a group of which john_johnk is a member
and set the above posix-acls on that group. With that you are flexible
to add and remove users to/from the group.
- Kees.
> Thank you for your help!
>
>
> ---
>
> Let me know if there’s anything else you’d like to add.
>
>
>
> ________________________________
> From: Jonathan Szalavecz <john_johnk at hotmail.com>
> Sent: Saturday, October 26, 2024 6:12:46 PM
> To: Rowland Penny via samba <samba at lists.samba.org>
> Subject: Re: [Samba] Optimal File Permissions for Shared Access Between Windows and Linux
>
>
> Hi Rowland,
>
> Thanks to your guidance, I’ve set up permissions for all directories and files under /mnt/shared as follows:
>
> * Directories have ```drwxr-xr-x permissions and are owned by root:root.```
> * Files are set to ```rw-------, also with root:root``` ownership, except for executables, which have the necessary rwx permissions.
>
> I’d like to ensure ```john_johnk``` has read, write, and execute access across all directories and files and to set up default ACLs that make new files and directories inherit these permissions reliably. However, I’m aiming to keep the ACLs as restrictive as possible for new created folders and files.
>
> 1. Could you recommend specific ACL settings using -d to set these as default permissions across the directories and files?
> 2. For the mask, would you suggest using --mask or --no-mask to avoid unintended permission changes?
>
> Once this setup is complete, I plan to rsync everything from ```/mnt/shared``` to ```/mnt/shared/nas```, excluding ```/mnt/shared/partage_de_fichiers```. Afterward, I’ll configure access for both ```john_johnk``` and ```juliette``` specifically on partage_de_fichiers.
>
> Your insights have been invaluable so far, and I appreciate any further advice on these ACL settings!
>
> Best,
>
> Le 10/25/2024 à 11:09 AM, Rowland Penny via samba a écrit :
>
> On Thu, 24 Oct 2024 15:55:41 +0200
> Jonathan Szalavecz via samba <samba at lists.samba.org><mailto:samba at lists.samba.org> wrote:
>
>
>
> I thought with the ACL it would be easier but it is the same
> nightmare :-(
>
>
> john_johnk at raspberrypi:~ $ getfacl /mnt/shared/partage_de_fichiers
> getfacl: Removing leading '/' from absolute path names
> # file: mnt/shared/partage_de_fichiers
> # owner: john_johnk
> # group: sharedaccess
> # flags: -s-
> user::rwx
> group::rwx
> other::---
> default:user::rw-
> default:group::rw-
> default:group:sharedaccess:rw-
> default:mask::rw-
> default:other::---
>
>
> but when I create a file from DatabaseShare ...the group is wrong and
> I have the x execution which comes from nowhere :-(
>
>
> john_johnk at raspberrypi:~ $ ls -l /mnt/shared/partage_de_fichiers
> total 102120
>
> -rw-rwx---+ 1 john_johnk john_johnk 73979 Oct 10 2016 'Facture
> RAM_2.pdf'
> -rw-rwx---+ 1 john_johnk john_johnk 125627 Dec 2 2021 'Facture
> Tennis RNS21.pdf'
>
>
>
> One of your problems is that you are are these paths for the shares:
>
> /mnt/shared
> /mnt/shared/partage_de_fichiers
>
> So, anyone that needs to get into partage_de_fichiers has to traverse
> /mnt/shared
>
> I would have used:
>
> /mnt/shared/nas
> /mnt/shared/partage_de_fichiers
>
> This would have lead to /mnt/shared being owned by root:root with
> '0755' permissions, this would then have given 'others' the right to
> traverse to the required directory.
>
> Then use the same ownership for the sub directories (which would
> seemingly stop anyone writing to the directory), then use 'setfacl' to
> give the USER the required permissions.
>
> Rowland
>
>
>
More information about the samba
mailing list