Old 03-28-2014, 07:25 AM   #1
Mumoto
LQ Newbie
 
Registered: Mar 2014
Posts: 7

Rep: Reputation: Disabled
Centos 6.5 - Shared folder permissions help needed


Dear users,

For school I have an open assignment which states that I should create 10 users scattered over 5 departments with their own department-folder. Users of the same department should be able to access files of their colleagues (Read/Write/Execute/NOT DELETE).

The BOSS department however should be able to access every user's files(access to all departments)(Read/Write/Execute/NOT DELETE).


My teacher stated that there are tons of ways to do this, but this is what I have so far:
#FOR EASE OF READING I TRUNCATED THE SCRIPT SO THAT IT ONLY SHOWS A FEW DEPARTMENTS/USERS#

SCRIPT
Code:
groupadd -g 750 -f Boss
groupadd -g 751 -f Sales

mkdir /home/Boss
mkdir /home/Sales

# hand each department directory to its group
chown -R :Boss /home/Boss
chown -R :Sales /home/Sales

# Boss gets an extra ACL entry on every department directory
setfacl -Rm g:Boss:rwx /home/Boss
setfacl -Rm g:Boss:rwx /home/Sales

# rwxrwx--- plus the sticky bit (1000), so only a file's owner may delete it
chmod 1770 /home/Boss -R
chmod 1770 /home/Sales -R

newusers users.txt

# force a password change at first login and expire passwords after 90 days
chage -d 0 -m 0 -M 90 boss
chage -d 0 -m 0 -M 90 employee
Users.txt
Code:
m.boss:hello123:1001:750:Mister Boss:/home/Boss/m.boss:/bin/bash
j.doe:hello123:1002:751:John Doe:/home/Sales/j.doe:/bin/bash
What I'm trying to accomplish:
Folder structure: /home/DEPARTMENT/USER
Boss rights: Boss-users should be able to access ALL files in ANY department. (Read/Write/Execute)
User rights: Standard users should be able to access files of colleagues in the SAME department. (Read/Write/Execute)
Only the creator of the file or directory should have rights to delete.

My reasoning for creating the folder structure as it is: it should make assigning rights easier. Not sure if this way is best or correct at all.


My problem however is that although I can read newly created files, they do not inherit rights from the original directories.
For example:
new.txt created by j.doe in /home/Sales/ or /home/Sales/j.doe only inherits 'READ'-rights for the group.

I want users of the same GROUP to be able to Read/Write/Execute but only the original creator of the file/directory should be able to delete.

Last edited by Mumoto; 03-28-2014 at 07:29 AM.
 
Old 03-28-2014, 08:37 AM   #2
mddnix
Member
 
Registered: Mar 2013
Distribution: Redhat, Ubuntu
Posts: 525

Rep: Reputation: 141Reputation: 141
Create group Boss and some users
Code:
# groupadd -g 6000 Boss
# useradd -G Boss spiderman
# useradd -G Boss superman
Create group Sales and some users
Code:
# groupadd -g 5000 Sales
# useradd -G Sales tom
# useradd -G Sales dick
# useradd -G Sales harry
Check group users
Code:
# grep '^Sales\|Boss' /etc/group
Sales:x:5000:tom,dick,harry
Boss:x:6000:spiderman,superman
Create shared dir for Sales with setgid and stickybit with nobody as owner
Code:
# mkdir /SalesDir
# chown -R nobody:Sales /SalesDir
# chmod -R 3770 /SalesDir
Create shared dir for Boss with setgid and stickybit with nobody as owner
Code:
# mkdir /BossDir
# chown -R nobody:Boss /BossDir
# chmod -R 3770 /BossDir
Finally allow Boss user to access Sales dir
Code:
# setfacl -m g:Boss:rwx /SalesDir
 
Old 03-28-2014, 08:46 AM   #3
mddnix
Member
 
Registered: Mar 2013
Distribution: Redhat, Ubuntu
Posts: 525

Rep: Reputation: 141Reputation: 141
On second thought, since the owner of group is 'nobody', it's safe and best to give permissions 3070
Code:
# chmod -R 3070 /SalesDir
# chmod -R 3070 /BossDir
 
Old 03-28-2014, 09:23 AM   #4
Mumoto
LQ Newbie
 
Registered: Mar 2014
Posts: 7

Original Poster
Rep: Reputation: Disabled
chown settings and chmod 3070 give me the errors as seen in the images attached to this post.



chown settings and chmod 3770 give me the following:
Boss-users: are able to read/create files in department-directories but are not able to access user-directories from other departments or EDIT files.
Group users: are able to create files/directories and READ/ACCESS files created in the same department-directory/ user-directory but not EDIT.
 
Old 03-28-2014, 09:38 AM   #5
Mumoto
LQ Newbie
 
Registered: Mar 2014
Posts: 7

Original Poster
Rep: Reputation: Disabled
Found this:
Code:
setfacl -dRm g:Boss:rwx /home/Boss
setfacl -dRm g:Boss:rwx,g:Sales:rwx /home/Sales
Users are now able to:
- Create files/directories in Department-directory and user-directories of the same department.
- Access/View/Edit files created by other users in the same department.
- Not able to delete directories/files created by somebody else.


Found another issue while using my UNDO-script:
While deleting the user it claims the user-directory is not owned by them. I fixed this by removing the 'nobody'-portion of the chown-script. This makes root the owner of the department-directories and the users owner of their own folder.

EDIT:
What remains to be fixed is:
- Boss-users able to access/view/edit files in other departments.

Last edited by Mumoto; 03-28-2014 at 10:47 AM.
 
Old 03-28-2014, 10:49 AM   #6
mddnix
Member
 
Registered: Mar 2013
Distribution: Redhat, Ubuntu
Posts: 525

Rep: Reputation: 141Reputation: 141
Quote:
Originally Posted by Mumoto
Tried this:
setfacl -Rm g:Boss:rwx /home/Boss
setfacl -Rm g:Boss:rwx,g:Sales:rwx /home/Sales
Both commands are redundant.
  1. Since users of group Boss already have rwx permission on /home/Boss, the 1st command is not required
  2. You only need to give users of group Boss permission on /home/Sales, as it's already rwx by group Sales
Code:
setfacl -Rm g:Boss:rwx /home/Sales

For me everything is working perfectly fine. Just check that your user settings match the example I have mentioned.

Code:
# tail -5 /etc/passwd
spiderman:x:503:503::/home/spiderman:/bin/bash
superman:x:504:504::/home/superman:/bin/bash
tom:x:505:505::/home/tom:/bin/bash
dick:x:506:506::/home/dick:/bin/bash
harry:x:507:507::/home/harry:/bin/bash

# tail -7 /etc/group
Boss:x:6000:spiderman,superman
spiderman:x:503:
superman:x:504:
Sales:x:5000:tom,dick,harry
tom:x:505:
dick:x:506:
harry:x:507:

# ls -ld /BossDir /SalesDir
drwxrws--T. 2 nobody Boss  4096 Mar 28 20:06 /BossDir
drwxrws--T+ 2 nobody Sales 4096 Mar 28 20:55 /SalesDir

# getfacl /SalesDir
getfacl: Removing leading '/' from absolute path names
# file: SalesDir
# owner: nobody
# group: Sales
# flags: -st
user::rwx
group::rwx
group:Boss:rwx
mask::rwx
other::---
 
Old 03-28-2014, 11:18 AM   #7
Mumoto
LQ Newbie
 
Registered: Mar 2014
Posts: 7

Original Poster
Rep: Reputation: Disabled
Whenever I change something to fix one thing, another breaks. It really is messing with my head at the moment, as there just doesn't seem to be any logic at all....

Users from the same department can access/read/edit and create new files/directories within NEWLY made directories or the user-directory. But they can only access existing ones (/home/Sales/User/Downloads).

Boss-Users can access department- and user-folders but can't access existing/new directories/files.

Last edited by Mumoto; 03-28-2014 at 11:43 AM.
 
Old 03-28-2014, 04:18 PM   #8
Mumoto
LQ Newbie
 
Registered: Mar 2014
Posts: 7

Original Poster
Rep: Reputation: Disabled
Well apparently the assignment is quite different than initially explained.

Filestructure should be like this:
/home/username
/home/Department/Department1
/home/Department/Department2

Users from the same department should be able to access/edit/view/execute files in the same Department-folder.

Something isn't proper yet:
If I login as Employee1 and create a folder in /home/Department/Department2/ and create a file within there non-owners are able to delete the file. How can I change this?

Last edited by Mumoto; 03-28-2014 at 06:08 PM.
 
Old 03-29-2014, 01:13 AM   #9
mddnix
Member
 
Registered: Mar 2013
Distribution: Redhat, Ubuntu
Posts: 525

Rep: Reputation: 141Reputation: 141
It turns out setgid for ACLs is applied differently. Just replace the setfacl in post #2 with the following. Everything will work just fine.
Code:
# setfacl -m g:Boss:rwx,d:g:Boss:rwx /SalesDir/
You can apply the same logic for the problem in post #8. Just make sure the read and execute bits are set on the parent folder so that it can be listed and entered by other groups.

group writable web folders with setgid and ACL
 
Old 03-30-2014, 03:39 PM   #10
Mumoto
LQ Newbie
 
Registered: Mar 2014
Posts: 7

Original Poster
Rep: Reputation: Disabled
How can I create a shortcut on the desktop to /home/Department for every new user(at logon)?
 
Old 04-01-2014, 05:20 PM   #11
Mumoto
LQ Newbie
 
Registered: Mar 2014
Posts: 7

Original Poster
Rep: Reputation: Disabled
For some reason the 'sticky'-part only works for the original department folder but not for newly made folders inside it unless I execute the commands again which is not really what I'm looking for.

I saw something about having to enable 'acl' by adding a line in /etc/fstab next to the fileshare. I did, but it doesn't seem to work either.

Commands in order:


Code:
groupadd Sales

mkdir /home/Departments
mkdir /home/Departments/Sales

newusers users.txt

chmod -R 1770 /home/Departments/Sales
chmod -R +t /home/Departments/Sales

chown :Sales /home/Departments/Sales

setfacl -dRm g:Sales:rwx /home/Departments/Sales
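As an added illustration (not code from any poster in this thread), the following Python model applies the rules from acl(5) that explain posts #9 and #11: why a plain umask leaves new files group-readable only, how a default ACL of the `d:g:Boss:rwx` form changes that, and why setgid propagates to new subdirectories while the sticky bit does not. The Dir class and every ACL entry in it are constructed for the example.

```python
"""Model of how Linux derives a new object's permission bits inside a
shared directory from setgid, the sticky bit, the umask and a POSIX
default ACL (rules from acl(5)). Constructed example for this thread,
not code from any poster."""
from dataclasses import dataclass, field

S_ISGID, S_ISVTX = 0o2000, 0o1000  # setgid and sticky bits

@dataclass
class Dir:
    owner: str
    group: str
    mode: int                 # e.g. 0o3770 = setgid + sticky + rwxrwx---
    # default ACL as written by "setfacl -d -m g:NAME:rwx": setfacl copies
    # u::/g::/o:: from the access ACL and adds a mask covering all groups
    default_acl: dict = field(default_factory=dict)

def new_mode(parent: Dir, umask: int, is_dir: bool) -> int:
    """Mode bits of an object created in parent (open()/mkdir() ask for
    0666 / 0777). Without a default ACL the umask strips bits, so umask
    022 leaves group r-- on files, which is what the OP observed. With a
    default ACL the umask is ignored: each class of the requested mode is
    ANDed with the matching default entry (the mask entry for the group
    class), so a default g:Sales:rwx yields effective rw- on new files."""
    req = 0o777 if is_dir else 0o666
    acl = parent.default_acl
    if acl:
        keep = (acl["u::"] << 6) | (acl["m::"] << 3) | acl["o::"]
        bits = req & keep
    else:
        bits = req & ~umask
    if is_dir and parent.mode & S_ISGID:
        bits |= S_ISGID  # setgid propagates to subdirectories...
    return bits          # ...but the sticky bit never does (post #11)

def group_access(parent: Dir, umask: int, is_dir: bool, group: str) -> int:
    """Effective rwx (0-7) a named ACL group gets on the new object."""
    mask = (new_mode(parent, umask, is_dir) >> 3) & 0o7
    return parent.default_acl.get("g:" + group, 0) & mask

def can_delete(parent: Dir, file_owner: str, requester: str) -> bool:
    """unlink()/rmdir() in a sticky directory succeeds only for the file
    owner, the directory owner or root; elsewhere directory write suffices."""
    if requester == "root":
        return True
    if parent.mode & S_ISVTX:
        return requester in (file_owner, parent.owner)
    return True  # caller is assumed to already hold w+x on the directory
```

Running new_mode on a 3770 directory with and without a default ACL reproduces the group r-- versus rw- difference, and feeding the resulting subdirectory mode back into can_delete shows why colleagues could delete inside freshly created subfolders.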
 
Old 04-02-2014, 04:35 AM   #12
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,374

Rep: Reputation: 2383Reputation: 2383Reputation: 2383Reputation: 2383Reputation: 2383Reputation: 2383Reputation: 2383Reputation: 2383Reputation: 2383Reputation: 2383Reputation: 2383
Quote:
Filesystems created post-install will not have ACLs active by default. This feature can be set with
tune2fs -o
[root@stationX ~]# tune2fs -l /dev/sda5 | grep options
Default mount options: (none)
[root@stationX ~]# tune2fs /dev/sda5 -o acl
tune2fs 1.39 (29-May-2006)
[root@stationX ~]# tune2fs -l /dev/sda5 | grep options
Default mount options: acl
Actually it depends on the OS & version, but the above may help.
 