LinuxQuestions.org

Thread: Linux - Newbie > Samba and *nix permissions (https://www.linuxquestions.org/questions/linux-newbie-8/samba-and-%2Anix-permissions-466639/)

tcv 07-22-2006 07:53 PM

Samba and *nix permissions
 
Hi there,

I have a Trustix email server and I would like to back that email up to our tape drive, which is running on a Windows 2003 Server system. Right now, all users "Leave mail on Server," so there is a lot of data there. The company I need to do this for is a small financial broker and SEC requirements have given us the ... ah ... prod to do this.

Samba has, more or less, been configured on the system. It is not actually running, nor does it come up at bootup. Thanks to some help elsewhere, I know what to do to make that happen.

But...

One of the things I'm not sure how to do is how to give the Windows 2003 Server machine access to the Mails.

I _think_ what I need to do is take one of the existing users, elevate his access privileges and/or give him access (read only) to /home/users/. I would map the drive to the Windows box, then have it perform the backup according to a schedule.

The thing is: I don't know how to read the permissions on the files and folders and determine what I need to do to that account. Furthermore, I don't know how to read the user's current privileges.

I'd like some beginner pointers. What can I start looking at to determine what I need to do? Any help is appreciated!!

m

tcv 07-22-2006 08:19 PM

More info:

There is an account called "ham" that currently "owns" /home/shared/

Code:

drwsrwsr-x    3 ham office      4096 Aug 11  2005 shared/

There is a line in smb.conf that reads:

Code:

force user = ham

Couldn't I give 'ham' elevated privileges? Couldn't I, for instance, elevate 'ham' to the root group. Wouldn't that allow 'ham' the ability to read files in /home/users and all the sub-folders therein?

m

billymayday 07-22-2006 08:41 PM

what is the output of

ls -l /home/users

Does anyone else need access to /home/users?

If not, I would have thought that

chown ham:office /home/users

would do the trick (or am I missing something here)

Edit - I don't know if anyone else sees a face on my post, but I do. The chown line should read ham followed by a colon followed by office (no spaces)

billymayday 07-22-2006 08:48 PM

If you only give ham read access, how does the backup work?

billymayday 07-22-2006 09:01 PM

Don't know if I totally misinterpreted your question, so please ignore if I did, but here's the interpretation of the line you posted above

drwsrwsr-x 3 ham office 4096 Aug 11 2005 shared/

The "d" tells us it's a directory

the next 3 characters tell us what the owner can do (in this case read, write or execute (as user))

the next 3 characters tell us what members of the same group can do (ditto)

the final 3 tell us what anyone can do (read (the dash means can't write) or execute).

Note that the order will always be the same - read, write, execute, with dashes where the right isn't given.

Have a look at the following link.

http://www.comptechdoc.org/os/linux/..._ugfilesp.html

Also, the command to change these is chmod. Have a look at man chmod.

Rgds


Bill
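Added example, not from any post in this thread: a small POSIX shell decoder for the 10-character mode field Bill walks through above. It also handles the "s" that appears in the owner and group execute slots of tcv's "drwsrwsr-x" line (setuid and setgid; on a directory the setgid bit means files created inside inherit the directory's group rather than the creator's primary group) and converts the string to the four-digit octal form that chmod accepts.

```shell
#!/bin/sh
# Added example (not from the thread): decode the mode string that ls -l prints.
# decode_mode MODE -> four lines: type, owner, group, other
decode_mode() {
    mode=$1
    [ "${#mode}" -eq 10 ] || { echo "bad mode string: $mode" >&2; return 1; }
    case $(printf '%s' "$mode" | cut -c1) in
        d) echo "type: directory" ;;
        -) echo "type: regular file" ;;
        l) echo "type: symlink" ;;
        *) echo "type: other" ;;
    esac
    decode_triplet owner "$(printf '%s' "$mode" | cut -c2-4)" setuid
    decode_triplet group "$(printf '%s' "$mode" | cut -c5-7)" setgid
    decode_triplet other "$(printf '%s' "$mode" | cut -c8-10)" sticky
}

# decode_triplet LABEL RWX SPECIAL -> e.g. "group: read write execute (setgid)"
# A dash in any slot means that right is not granted; 's'/'t' mean the
# special bit is set together with execute, 'S'/'T' mean set without execute.
decode_triplet() {
    label=$1 triplet=$2 special=$3
    out=""
    case $(printf '%s' "$triplet" | cut -c1) in r) out="$out read" ;; esac
    case $(printf '%s' "$triplet" | cut -c2) in w) out="$out write" ;; esac
    case $(printf '%s' "$triplet" | cut -c3) in
        x) out="$out execute" ;;
        s) out="$out execute ($special)" ;;
        S) out="$out ($special, no execute)" ;;
        t) out="$out execute (sticky)" ;;
        T) out="$out (sticky, no execute)" ;;
    esac
    [ -n "$out" ] || out=" none"
    echo "$label:$out"
}

# mode_to_octal MODE -> four-digit octal for chmod (drwsrwsr-x -> 6775, drwx-----x -> 0701)
# First digit: setuid=4, setgid=2, sticky=1; then owner, group, other as r=4 w=2 x=1.
mode_to_octal() {
    mode=$1 special=0 digits="" i=2
    while [ "$i" -le 8 ]; do
        t=$(printf '%s' "$mode" | cut -c"$i"-$((i + 2)))
        v=0
        case $t in r??) v=$((v + 4)) ;; esac
        case $t in ?w?) v=$((v + 2)) ;; esac
        case $t in ??[xst]) v=$((v + 1)) ;; esac
        case $i in
            2) case $t in ??[sS]) special=$((special + 4)) ;; esac ;;
            5) case $t in ??[sS]) special=$((special + 2)) ;; esac ;;
            8) case $t in ??[tT]) special=$((special + 1)) ;; esac ;;
        esac
        digits="$digits$v"
        i=$((i + 3))
    done
    echo "$special$digits"
}

# Usage: decode_mode drwsrwsr-x ; mode_to_octal drwx-----x
```

On tcv's listing the user home directories come out as 0701: only the owner can list or read them, and everyone else can merely traverse them, which is why root (which bypasses these bits) sees everything while ham sees nothing.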

tcv 07-22-2006 09:11 PM

Well, I just need an account to be able to copy the files to another location on a different system. Wouldn't that be read-only access? I don't need ham or the Windows system to be able to write to any of those directories.

As for ls -l on /home/users:

Code:

drwx-----x    4 user1 ham    4096 Jan 12  2005 user1/
drwx-----x    3 ham   users  4096 Sep  7  2004 ham/
drwx-----x    3 user2 ham    4096 Sep 20  2004 user2/
drwx-----x    3 user3 ham    4096 Sep 20  2004 user3/
drwx-----x    4 user4 ham    4096 Nov 10  2004 user4/
drwx-----x    3 user5 ham    4096 Sep 21  2004 user5/
drwx-----x    3 user6 ham    4096 Mar 22 22:54 user6/
drwx-----x    3 user7 users  4096 Apr  7 21:41 user7/
drwx-----x    5 user8 users  4096 Mar 22 23:07 user8/

I did obscure all usernames 'cept for "ham"

Also: There is a group called "ham" as well.

So, it looks like only the OWNERS have permissions to do anything with those directories. Although ROOT can see everything. I'm not sure why that is... I realize that root has more access in general, but I don't understand how to notch someone up so that they can see more. Is it a matter of, say, figuring out the group ID and giving ham membership to one group higher than the group listed above? So, for instance, I give 'ham' membership to the group that's one notch above the 'ham' group? Would that do it?

Also: I don't want to change anything that would make the directories readable by other users. I don't want to make a change so that, say, user8, can suddenly see the contents of user7's home directory. Make sense?

billymayday 07-22-2006 09:36 PM

You don't want to give anyone else root's power, take that as given.

What I think is probably easiest is to make sure ham is a member of each user's group

usermod -G user1,user2,...,usern ham

allow group access to the directories

chmod g+w,g+r,g+x /home/user1

etc.

and in smb.conf make your folder definitions look something like

[user1]
comment = User 1's area
writeable = yes
create mode = 775
path = /home/user1
directory mode = 775

What this all does is put ham in the same group as each user (a user can be a member of many groups - note the capital G in usermod!), lets the group read/write and execute these directories (you certainly need write access, because that's what you're doing when you back up to it - or did I miss the point again?), and set Samba to maintain these permissions when things get created.

Each user is only a member of their own group, so can't see other users' directories.


I think this meets your requirements

tcv 07-23-2006 08:32 AM

Thank you. This is pretty cool.

A couple of follow up questions, please.

1. What if all the users are part of one group? As soon as I turned on group rwx, wouldn't that allow other members of the group access to those other directories?

2. How do I find out what groups exists and what groups a particular user belongs to?

billymayday 07-23-2006 03:55 PM

1. If they are all in the same group and you set the group privileges to rwx, then they will all be able to read and write each other's directories. I think you said this is what you didn't want.

2. I'm sure there's something in whatever GUI you use (I don't), but have a look under system settings, users and groups, or something like that. There are a couple of files under /etc that should help. passwd lists all the users (but not their group), and group lists all the groups and all the members of that group (see man group). Slightly the wrong way for what you want, but I don't think there's a textual system list of users and their groups.

Rgds

tcv 07-23-2006 05:59 PM

Hi there,

This is why I'm asking.

You said:

Quote:

What I think is probably easiest is to make sure ham is a member of each user's group

So, if all users are members of the HAM group -- which they are, by the way, I checked -- then I open up group rwx, wouldn't that mean that ALL users in that group, including my HAM user, would be able to view each other's Maildirs?

I'm wondering if a better way would be to:

1. Create a new group.
2. Change group on the users' directories to the new group.
3. Set group access to RWX for all users folders.
4. Make HAM a member of the new group.

Wouldn't that give HAM access to all the user directories and still keep the other users out of each other's directories because they're not a member of the new group? Also, since they remain the OWNER of their own directories, their own access to the directories would not change.

Am I right here?

tcv 07-25-2006 04:50 AM

Just a small bump in case someone else can answer...

billymayday 07-25-2006 05:25 AM

Sorry tcv, I thought I answered this (in fact I know I did, but I guess I hit the back button by mistake.)

In short, I think what you're suggesting works fine. I'm not sure if it's unorthodox to have the group one that the user isn't a member of, but I can't see why.

Try it and see. Otherwise, I'd suggest you start a new thread if you want some fresh eyes.


Rgds


Bill

ps - I won't say your solution looks more elegant than mine. Egos you know.

Edit - tcv, if you repost, don't put it in linux-newbies, try linux-general

tcv 07-25-2006 05:51 AM

Hi Bill, thanks for writing again!

I'm not concerned about elegance. In fact, I am SURE your solution is more elegant. I just want to be sure that your solution wouldn't unnecessarily open up the possibility that another user can peek into another user's folder. If every user is part of the same group, and I open up group access, then it seems to me that all users will be able to view all the other users' directories.

Am I right?

I can try it, though, without compromising anything...

billymayday 07-25-2006 06:02 AM

tcv, I just had a quick play. I think the issue is how to ensure that if user1 creates a file in /home/user1, that its group is your new group. By default, the file will be created as owned by user1 of group user1. I'm not sure how you change this behaviour, if in fact you can.

A simple solution to your overall problem (I just re-read your post) could be to create a cron job to run as root that backs up the users' directories to, say /home/shared and let the Windows Server 2003 machine have read access for backups. Something like tar will work well for this. Only ham and the Windows machine would need read access to this directory.


Rgds


Bill
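Added example, not from any post in this thread: a POSIX shell implementation of the root cron job Bill sketches, which tars the users' home directories into a staging directory that only the backup group can read, so the Samba share (force user = ham) exposes archives rather than the live Maildirs. The staging directory gets mode 2750; the setgid bit is what makes new files inherit the directory's group, which is the behaviour Bill was unsure how to get. The group name "mailbackup", the staging path and the script path in the crontab comment are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): staged backup for a Samba-exposed directory.
# Meant to run from root's crontab, e.g. in /etc/crontab (path assumed):
#   30 2 * * * root /usr/local/sbin/backup_maildirs.sh

# backup_maildirs SRC_ROOT DEST_DIR GROUP -> prints the archive path on success
backup_maildirs() {
    src_root=$1 dest=$2 group=$3
    umask 077                              # anything created here starts out owner-only
    mkdir -p "$dest" || return 1
    # 2750: owner rwx, group r-x, others nothing; setgid so archives inherit GROUP
    chgrp "$group" "$dest" && chmod 2750 "$dest" || return 1
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/maildirs-$stamp.tar"
    # -C keeps paths relative to SRC_ROOT; a partial archive is removed on failure
    tar -cf "$archive" -C "$src_root" . || { rm -f "$archive"; return 1; }
    chmod 640 "$archive" || return 1       # owner rw, group (ham) read-only, others nothing
    echo "$archive"
}

# prune_archives DEST_DIR KEEP -> delete all but the KEEP newest archives
# (the timestamp in the name sorts chronologically, so no mtime games are needed)
prune_archives() {
    dest=$1 keep=$2
    ls -1 "$dest"/maildirs-*.tar 2>/dev/null | sort -r | tail -n +$((keep + 1)) |
    while IFS= read -r old; do rm -f "$old"; done
}

# Usage (as root, names assumed):
#   backup_maildirs /home/users /home/shared/mailbackup mailbackup && prune_archives /home/shared/mailbackup 14
```

Because the users never write into the staging directory, the question of which group their new mail files get never arises for the share: the only files ham (and therefore the Windows box) can read are the archives root produced, and only as read-only.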

tcv 07-25-2006 06:12 AM

It worked.

The only thing I got confused on was that when I change the account ham's group affiliation, I expected a change to be visible in /etc/passwd since there is an entry for a group there, but I only saw one in /etc/group

m

{Edit: Ahhh... that is a good way to do it, Bill.}
