[Samba] Optimal File Permissions for Shared Access Between Windows and Linux

Jonathan Szalavecz john_johnk at hotmail.com
Mon Oct 28 21:41:02 UTC 2024


So that everybody is aware of one big difficulty with setting ACLs on 
files and folders, I am posting this link, which is really interesting for 
anybody who wants to manage their SMB permissions with ACLs:

access control list - How to set Linux Default ACLs differently for 
directories and files - Server Fault 
<https://serverfault.com/questions/96514/how-to-set-linux-default-acls-differently-for-directories-and-files>

especially this link, open-sys-services: How ACL & MASK work in Linux? 
<https://kmaiti.blogspot.com/2011/09/acl-and-mask-in-linux.html>

After some days I am still not totally done with my ACLs.

Jonathan

On 10/26/2024 at 9:56 PM, Kees van Vloten via samba wrote:

>
> On 26-10-2024 at 21:37, Jonathan Szalavecz via samba wrote:
>> Rowland,
>>
>> I realized I forgot to mention a few details about specific folders 
>> with unique permissions in /mnt/shared that I need to preserve in 
>> /mnt/shared/nas:
>>
>> 1. /mnt/shared/video_surveillance: Originally, this folder had 
>> drwxrwx--- permissions, with reolink as the owner and surveillance as 
>> the group. However, since the surveillance group has been removed, 
>> only john_johnk and reolink need read/write access.
>>
>>
>> 2. /mnt/shared/Trading/data: This directory was set up with fail2ban 
>> as the owner and root as the group, with drwx------ permissions, 
>> limiting access to just the owner. (I never understood why Docker 
>> created this folder with fail2ban as the owner, but that's another issue.)
> Are you running the fileserver in a docker-container?
>>
>>
>>
>> Could you recommend the best approach to apply restrictive ACLs to 
>> these directories in /mnt/shared/nas while keeping permissions 
>> consistent? My goal is for john_johnk to have access without changing 
>> the restrictions for other users.
>
> Is it not as simple as adding this to your posix-acls?
>
> user:john_johnk:rwx
> default:user:john_johnk:rw-
>
> If you put this on a directory (in addition to the existing 
> permissions), 'john_johnk' will have 'rwx' and all new files in it 
> will inherit 'john_johnk:rw-'. For existing files and directories you 
> have to update their posix-acls.
>
> A better approach is to create a group of which john_johnk is a member 
> and set the above posix-acls on that group. With that you are flexible 
> to add and remove users to/from the group.
>
> - Kees.
>
>> Thank you for your help!
>>
>>
>> ---
>>
>> Let me know if there’s anything else you’d like to add.
>>
>>
>>
>> ________________________________
>> From: Jonathan Szalavecz <john_johnk at hotmail.com>
>> Sent: Saturday, October 26, 2024 6:12:46 PM
>> To: Rowland Penny via samba <samba at lists.samba.org>
>> Subject: Re: [Samba] Optimal File Permissions for Shared Access 
>> Between Windows and Linux
>>
>>
>> Hi Rowland,
>>
>> Thanks to your guidance, I’ve set up permissions for all directories 
>> and files under /mnt/shared as follows:
>>
>>    *   Directories have ```drwxr-xr-x``` permissions and are owned by 
>> ```root:root```.
>>    *   Files are set to ```rw-------```, also with ```root:root``` 
>> ownership, except for executables, which have the necessary rwx 
>> permissions.
>>
>> I’d like to ensure ```john_johnk``` has read, write, and execute 
>> access across all directories and files, and to set up default ACLs 
>> that make new files and directories inherit these permissions 
>> reliably. However, I’m aiming to keep the ACLs as restrictive as 
>> possible for newly created folders and files.
>>
>>    1.  Could you recommend specific ACL settings using -d to set 
>> these as default permissions across the directories and files?
>>    2.  For the mask, would you suggest using --mask or --no-mask to 
>> avoid unintended permission changes?
>>
>> Once this setup is complete, I plan to rsync everything from 
>> ```/mnt/shared``` to ```/mnt/shared/nas```, excluding 
>> ```/mnt/shared/partage_de_fichiers```. Afterward, I’ll configure 
>> access for both ```john_johnk``` and ```juliette``` specifically on 
>> partage_de_fichiers.
>>
>> Your insights have been invaluable so far, and I appreciate any 
>> further advice on these ACL settings!
>>
>> Best,
>>
>> On 10/25/2024 at 11:09 AM, Rowland Penny via samba wrote:
>>
>> On Thu, 24 Oct 2024 15:55:41 +0200
>> Jonathan Szalavecz via samba <samba at lists.samba.org> wrote:
>>
>>
>>
>> I thought with the ACL it would be easier but it is the same
>> nightmare :-(
>>
>>
>> john_johnk at raspberrypi:~ $ getfacl /mnt/shared/partage_de_fichiers
>> getfacl: Removing leading '/' from absolute path names
>> # file: mnt/shared/partage_de_fichiers
>> # owner: john_johnk
>> # group: sharedaccess
>> # flags: -s-
>> user::rwx
>> group::rwx
>> other::---
>> default:user::rw-
>> default:group::rw-
>> default:group:sharedaccess:rw-
>> default:mask::rw-
>> default:other::---
>>
>>
>> but when I create a file from DatabaseShare ...the group is wrong and
>> I have the x execution which comes from nowhere :-(
>>
>>
>> john_johnk at raspberrypi:~ $ ls -l /mnt/shared/partage_de_fichiers
>> total 102120
>>
>> -rw-rwx---+ 1 john_johnk john_johnk       73979 Oct 10  2016 'Facture
>> RAM_2.pdf'
>> -rw-rwx---+ 1 john_johnk john_johnk      125627 Dec  2  2021 'Facture
>> Tennis RNS21.pdf'
>>
>>
>>
>> One of your problems is that you are using these paths for the shares:
>>
>> /mnt/shared
>> /mnt/shared/partage_de_fichiers
>>
>> So, anyone that needs to get into partage_de_fichiers has to traverse
>> /mnt/shared
>>
>> I would have used:
>>
>> /mnt/shared/nas
>> /mnt/shared/partage_de_fichiers
>>
>> This would have led to /mnt/shared being owned by root:root with
>> '0755' permissions, which would then have given 'others' the right to
>> traverse to the required directory.
>>
>> Then use the same ownership for the sub directories (which would
>> seemingly stop anyone writing to the directory), then use 'setfacl' to
>> give the USER the required permissions.
>>
>> Rowland
>>
>>
>>
>
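As an added illustration, not part of the thread above and not Samba project code, the following Python script models how the kernel derives a new object's access ACL from the parent directory's default ACL and the mode requested by the creating process, following the rules in acl(5): the new object copies the default ACL, then the entries that map onto the file permission bits (user::, mask:: if present, otherwise group::, and other::) are ANDed with the matching bits of the requested mode; umask is not applied when a default ACL exists. The two default ACLs are constructed here: one copies the default entries from the getfacl output quoted above, the other is a hypothetical variant with rwx default entries. The model covers local POSIX creates only; it says nothing about what Samba's own create mask or ACL mapping does on top of that.

```python
"""Model of how a new file or directory inherits a POSIX.1e default ACL (acl(5))."""

PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed for this example: the default: entries from the getfacl output in the thread.
THREAD_DEFAULT_ACL = """
user::rw-
group::rw-
group:sharedaccess:rw-
mask::rw-
other::---
"""

# Hypothetical variant: default entries carry x so subdirectories stay traversable;
# for plain files the requested mode (normally 0666) strips x via the mask.
RWX_DEFAULT_ACL = """
user::rwx
group::rwx
group:sharedaccess:rwx
mask::rwx
other::---
"""


def parse_perm(text):
    """'rw-' -> 6"""
    return sum(PERM_BITS[c] for c in text if c != "-")


def fmt_perm(bits):
    """6 -> 'rw-'"""
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())


def parse_acl(text):
    """Parse getfacl short-form lines 'tag:qualifier:perms'; comments and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tag, qual, perm = line.split(":")
            entries.append((tag, qual, parse_perm(perm)))
    return entries


def inherit_acl(default_acl, mode):
    """Access ACL of a new object created under a directory with `default_acl`,
    by a process requesting `mode` (e.g. 0o666 for files, 0o777 for mkdir).
    Only the entries backing the mode bits are reduced; named entries are copied as-is."""
    owner_req, group_req, other_req = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(tag == "mask" for tag, _, _ in default_acl)
    result = []
    for tag, qual, perm in default_acl:
        if tag == "user" and qual == "":
            perm &= owner_req                       # owner bits
        elif tag == "mask":
            perm &= group_req                       # group class bits, when a mask exists
        elif tag == "group" and qual == "" and not has_mask:
            perm &= group_req                       # group class bits, without a mask
        elif tag == "other":
            perm &= other_req
        result.append((tag, qual, perm))
    return result


def mode_string(acl):
    """The nine permission characters ls -l would show for this ACL.
    The group class shows the mask when one exists, as getfacl/ls do."""
    owner = next(p for t, q, p in acl if t == "user" and q == "")
    mask = next((p for t, _, p in acl if t == "mask"), None)
    group = mask if mask is not None else next(p for t, q, p in acl if t == "group" and q == "")
    other = next(p for t, _, p in acl if t == "other")
    return fmt_perm(owner) + fmt_perm(group) + fmt_perm(other)


def getfacl_lines(acl):
    """getfacl-style rendering, including '#effective:' where the mask cuts an entry down."""
    mask = next((p for t, _, p in acl if t == "mask"), None)
    lines = []
    for tag, qual, perm in acl:
        line = "%s:%s:%s" % (tag, qual, fmt_perm(perm))
        masked = tag == "group" or (tag == "user" and qual != "")
        if mask is not None and masked and (perm & mask) != perm:
            line += "\t#effective:" + fmt_perm(perm & mask)
        lines.append(line)
    return lines


if __name__ == "__main__":
    for name, text in (("thread default ACL", THREAD_DEFAULT_ACL), ("rwx default ACL", RWX_DEFAULT_ACL)):
        default = parse_acl(text)
        print("==", name)
        for label, mode in (("new file  (0666)", 0o666), ("new dir   (0777)", 0o777)):
            acl = inherit_acl(default, mode)
            print("%s -> %s" % (label, mode_string(acl)))
            for line in getfacl_lines(acl):
                print("   ", line)
```

Run stand-alone, the script shows the trade-off the linked Server Fault thread is about: with rw- default entries, a new subdirectory inherits rw-rw---- and nobody, not even its owner, can enter it, while with rwx default entries a file created with the usual 0666 request still ends up rw-rw---- because the mask is ANDed down to rw-, and a directory created with 0777 keeps rwxrwx---.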

