LinuxQuestions.org
Old 10-14-2010, 09:49 PM   #1
unassassinable
Member
 
Registered: Sep 2010
Posts: 46

Rep: Reputation: 7
File permission question


Ok so I have a folder:

/accounting

and I have 2 groups:

accounting, accountingAdmin

I want to have all 'accountingAdmin' users have full rwx permission on anything inside /folder.

I want to have all 'accounting' users to have only r-x permission on anything inside /folder.

Lastly I want to have everyone else have --- permission on /folder. In other words, if you're not in accounting or accountingAdmin groups, you can't do squat with /folder (read, write or execute).

How can I achieve this with only owner, group, and other permissions?
 
Old 10-14-2010, 09:57 PM   #2
grim76
Member
 
Registered: Jun 2007
Distribution: Debian, SLES, Ubuntu
Posts: 308

Rep: Reputation: 50
Might want to look into ACLs. You can do things similar to what you are looking for with them.
 
1 members found this post helpful.
Old 10-22-2010, 06:35 PM   #3
unassassinable
Member
 
Registered: Sep 2010
Posts: 46

Original Poster
Rep: Reputation: 7
So, I didn't think that this was pertinent to solving this issue, but I should have mentioned this is for a Samba server and Windows users. Linux ACLs don't map to Windows ACLs. I have looked through the following link:

http://www.samba.org/samba/docs/man/...html#id2614541

but this doesn't tell me (plainly) how this is done. Does anyone have a reader friendly walk through they can link me or post some steps on how this is done? If you need examples of what I am trying to accomplish I can post some.

Rich
 
Old 11-02-2010, 04:05 AM   #4
unassassinable
Member
 
Registered: Sep 2010
Posts: 46

Original Poster
Rep: Reputation: 7
I accidentally double posted...so I'm removing this post for the below post. It has more info.

Last edited by unassassinable; 11-02-2010 at 02:17 PM.
 
1 members found this post helpful.
Old 11-02-2010, 02:14 PM   #5
unassassinable
Member
 
Registered: Sep 2010
Posts: 46

Original Poster
Rep: Reputation: 7
Ok so, here's my situation and how I solved the problem for future googlers:

I have a remote directory shared over NFS called tech with perms set as 0750 and owner set to root:tech.
I have 2 groups: tech, and techAdmin. tech can read and execute within tech/. techAdmin can read, write, execute.
I have 4 users: user1, user2, user3, user4. user1 and user2 are members of techAdmin, user3 and user4 are members of tech.

Simple so far...but wait, here's the problem. If user1 creates a file inside tech, user2 can't read or modify it because user1 owns it. Here are a few sites that reference this problem:

http://linux.derkeiler.com/Mailing-L...5-07/2616.html
http://www.linuxquestions.org/questi...-group-755766/
http://ubuntuforums.org/showthread.php?t=141078
http://lists.bostoncoop.net/pipermai...ay/000443.html
http://www.linuxforums.org/forum/new...ns-system.html

Trying to fix this problem I found literally HUNDREDS of these threads and this same question posted EVERYWHERE. And every answer was the same....you do it with umask, by changing EVERYONE'S umask in /etc/profile to 027 and creating a cronjob that fixes all permissions to 0750 every minute. This is BS. I ain't doing that...

Here's how to do it.

Code:
# mkdir tech
# chown root:tech tech/
# chmod g+s tech/
# chmod 0750 tech/
# setfacl -d -m g:techAdmin:rwx tech/

When you run getfacl tech, you should see:

Code:
# file: tech/
# owner: root
# group: tech
# flags: -s-
user::rwx
group::r-x
other::---
default:user::rwx
default:group::r-x
default:group:techAdmin:rwx
default:mask::rwx
default:other::---

BUT WAIT THERE'S MORE! This company uses Windows clients too...so we need essentially the SAME setup for them too. This can be accomplished in SAMBA. Your smb.conf file tech share should look like this:

Code:
[tech]
        comment = Tech department only
        inherit acls = Yes
        path = /mnt/tech
        guest ok = no
        browseable = yes
        # this forces all created documents to have 750 perms
        create mask = 0750
        # same for directories
        directory mask = 0750
        # this is so that all files written to the share will be set to "chgrp tech";
        # if you don't do this, only the user that created the file will have access to it
        force group = tech
        # only the group that has write privileges
        write list = @techAdmin
        valid users = @tech

user1 and user2 can now log into Windows OR Linux, create or modify existing files within the tech directory. user3 and user4 can also log into Windows OR Linux, but only have read access...they cannot create, modify, delete.

Last edited by unassassinable; 11-02-2010 at 02:16 PM.
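
Added example (not part of the original post): a small shell check that reads `getfacl` output and reports anything that deviates from the layout described above, namely setgid on the directory, no access for other, and a writable default entry for the write group. It also reports whether that group has a write entry in the directory's own access ACL, since default entries only apply to files and directories created afterwards; the function and sample names are made up for this example.

```sh
#!/bin/sh
# Usage: getfacl DIR | audit_shared_dir_acl WRITE_GROUP
# Prints one finding per line; prints nothing when every check passes.
audit_shared_dir_acl() {
    awk -v wg="$1" '
        BEGIN { FS = ":" }
        /^# flags: .s/ { setgid = 1 }        # flags are setuid, setgid, sticky
        /^#/ || /^[ \t]*$/ { next }          # skip header lines and blanks
        {
            sub(/[ \t]+#.*$/, "")            # drop "#effective:" annotations
            perms = $NF
            acl[substr($0, 1, length($0) - length(perms))] = perms
        }
        END {
            if (!setgid) print "setgid: not set, new files get the primary group of their creator"
            if (acl["other::"] != "---") print "other: has access to the directory"
            if (acl["default:other::"] != "---") print "default:other: new files will be accessible to other"
            if (acl["default:group:" wg ":"] !~ /w/) print "default:group:" wg ": new files will not be writable by this group"
            else if (acl["default:mask::"] !~ /w/) print "default:mask: strips write from default:group:" wg
            if (acl["group:" wg ":"] !~ /w/) print "group:" wg ": no write access entry on the directory itself"
        }'
}

# The getfacl output quoted in the post.
sample_from_post() {
    cat <<'EOF'
# file: tech/
# owner: root
# group: tech
# flags: -s-
user::rwx
group::r-x
other::---
default:user::rwx
default:group::r-x
default:group:techAdmin:rwx
default:mask::rwx
default:other::---
EOF
}

# Constructed sample: the same ACL with an access entry for techAdmin added,
# as `setfacl -m g:techAdmin:rwx tech/` would produce (entry order is not significant here).
sample_with_access_entry() {
    sample_from_post; printf '%s\n' 'group:techAdmin:rwx' 'mask::rwx'
}

sample_from_post | audit_shared_dir_acl techAdmin
```

To check a live directory, run `getfacl /mnt/tech | audit_shared_dir_acl techAdmin`.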
 
  

