I have a Trustix email server and I would like to back that email up to our tape drive, which is running on a Windows 2003 Server system. Right now, all users "Leave mail on Server," so there is a lot of data there. The company I need to do this for is a small financial broker and SEC requirements have given us the ... ah ... prod to do this.
Samba has, more or less, been configured on the system. It is not actually running, nor does it come up at bootup. Thanks to some help elsewhere, I know what to do to make that happen.
But...
One of the things I'm not sure how to do is how to give the Windows 2003 Server machine access to the mails.
I _think_ what I need to do is take one of the existing users, elevate his access privileges and/or give him access (read only) to /home/users/. I would map the drive to the Windows box, then have it perform the backup according to a schedule.
The thing is: I don't know how to read the permissions on the files and folders and determine what I need to do to that account. Furthermore, I don't know how to read the user's current privileges.
I'd like some beginner pointers. What can I start looking at to determine what I need to do? Any help is appreciated!!
There is an account called "ham" that currently "owns" /home/shared/
Code:
drwsrwsr-x 3 ham office 4096 Aug 11 2005 shared/
There is a line in smb.conf that reads:
Code:
force user = ham
Couldn't I give 'ham' elevated privileges? Couldn't I, for instance, elevate 'ham' to the root group? Wouldn't that allow 'ham' the ability to read files in /home/users and all the sub-folders therein?
Well, I just need an account to be able to copy the files to another location on a different system. Wouldn't that be read-only access? I don't need ham or the Windows system to be able to write to any of those directories.
As for ls -l on /home/users:
Code:
drwx-----x 4 user1 ham 4096 Jan 12 2005 user1/
drwx-----x 3 ham users 4096 Sep 7 2004 ham/
drwx-----x 3 user2 ham 4096 Sep 20 2004 user2/
drwx-----x 3 user3 ham 4096 Sep 20 2004 user3/
drwx-----x 4 user4 ham 4096 Nov 10 2004 user4/
drwx-----x 3 user5 ham 4096 Sep 21 2004 user5/
drwx-----x 3 user6 ham 4096 Mar 22 22:54 user6/
drwx-----x 3 user7 users 4096 Apr 7 21:41 user7/
drwx-----x 5 user8 users 4096 Mar 22 23:07 user8/
I did obscure all usernames 'cept for "ham".
Also: There is a group called "ham" as well.
So, it looks like only the OWNERS have permissions to do anything with those directories. Although ROOT can see everything. I'm not sure why that is... I realize that root has more access in general, but I don't understand how to notch someone up so that they can see more. Is it a matter of, say, figuring out the group ID and giving ham membership to one group higher than the group listed above? So, for instance, I give 'ham' membership to the group that's one notch above the 'ham' group? Would that do it?
Also: I don't want to change anything that would make the directories readable by other users. I don't want to make a change so that, say, user8, can suddenly see the contents of user7's home directory. Make sense?
You don't want to give anyone else root's power, take that as given.
What I think is probably easiest is to make sure ham is a member of each user's group
usermod -G user1,user2,...,usern ham
allow group access to the directories
chmod g+w,g+r,g+x /home/user1
etc.
and in smb.conf make your folder definitions look something like
[user1]
comment = User 1's area
writeable = yes
create mode = 775
path = /home/user1
directory mode = 775
What this all does is puts the and ham in the same group as each user (a user can be a member of many groups - note the capital G in usermod!), lets the group read/write and execute these directories (you certainly need write access, because that's what you're doing when you back up to it - or did I miss the point again?), and set Samba to maintain these permissions when things get created.
Each user is only a member of their own group, so can't see other users' directories.
I think this meets your requirements.
Last edited by billymayday; 07-22-2006 at 09:38 PM.
1. What if all the users are part of one group? As soon as I turned on group rwx, wouldn't that allow other members of the group access to those other directories?
2. How do I find out what groups exists and what groups a particular user belongs to?
1. If they are all in the same group and you set the group privileges to wrx, then they will all be able to read and write each other's directories. I think you said this is what you didn't want.
2. I'm sure there's something in whatever GUI you use (I don't), but have a look under system settings, users and groups, or something like that. There are a couple of files under /etc that should help. passwd lists all the users (but not their group), and group lists all the groups and all the members of that group (see man group). Slightly the wrong way for what you want, but I don't think there's a textual system list of users and their groups.
What I think is probably easiest is to make sure ham is a member of each user's group
So, if all users are members of the HAM group -- which they are, by the way, I checked -- then I open up group rwx, wouldn't that mean that ALL users in that group, including my HAM user, would be able to view each other's Maildirs?
I'm wondering if a better way would be to:
1. Create a new group.
2. Change group on the users' directories to the new group.
3. Set group access to RWX for all users folders.
4. Make HAM a member of the new group.
Wouldn't that give HAM access to all the user directories and still keep the other users out of each other's directories because they're not a member of the new group? Also, since they remain the OWNER of their own directories, their own access to the directories would not change.
Sorry tcv, I thought I answered this (in fact I know I did, but I guess I hit the back button by mistake.)
In short, I think what you're suggesting works fine. I'm not sure if it's unorthodox to have the group one that the user isn't a member of, but I can't see why.
Try it and see. Otherwise, I'd suggest you start a new thread if you want some fresh eyes.
Rgds
Bill
ps - I won't say your solution looks more elegant than mine. Egos you know.
Edit - tcv, if you repost, don't put it in linux-newbies, try linux-general
Last edited by billymayday; 07-25-2006 at 05:28 AM.
I'm not concerned about elegance. In fact, I am SURE your solution is more elegant. I just want to be sure that your solution wouldn't unnecessarily open up the possibility that another user can peek into another user's folder. If every user is part of the same group, and I open up group access, then it seems to me that all users will be able to view all the other users' directories.
Am I right?
I can try it, though, without compromising anything...
tcv, I just had a quick play. I think the issue is how to ensure that if user1 creates a file in /home/user1, that its group is your new group. By default, the file will be created as owned by user1 of group user1. I'm not sure how you change this behaviour, if in fact you can.
A simple solution to your overall problem (I just re-read your post) could be to create a cron job to run as root that backs up the users' directories to, say /home/shared and let the Windows Server 2003 machine have read access for backups. Something like tar will work well for this. Only ham and the Windows machine would need read access to this directory.
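The dedicated-group plan discussed in this thread, as an added example that is not from either poster: the setgid bit on a directory makes files created in it later inherit the directory's group, and group access is kept read-only because the backup only needs to copy. The group name `mailbackup` and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example. "mailbackup" and the paths below are assumptions.

# grant_group_read GROUP DIR...
# For each DIR: hand group ownership to GROUP, allow the group to read and
# traverse but not write, and set setgid on every directory so that files
# created later inherit GROUP instead of the creator's primary group.
# "Other" permission bits are left exactly as they were.
grant_group_read() {
    group=$1
    shift
    for dir in "$@"; do
        [ -d "$dir" ] || { echo "skip: $dir is not a directory" >&2; continue; }
        chgrp -R "$group" "$dir" || return 1
        # Capital X adds execute only to directories (and to files that are
        # already executable), so plain mail files do not become executable.
        chmod -R g+rX,g-w "$dir" || return 1
        find "$dir" -type d -exec chmod g+s {} + || return 1
    done
}

# mode_and_gid PATH -> octal mode and numeric group id (GNU stat),
# for checking the result, e.g. "2751 600"
mode_and_gid() {
    stat -c '%a %g' "$1"
}

# Typical use as root (names are assumptions):
#   groupadd mailbackup
#   grant_group_read mailbackup /home/users/*
#   usermod -a -G mailbackup ham    # -a appends; ham keeps its other groups
#   mode_and_gid /home/users/user1
```

Setgid only fixes the group of new files; whether the group can read them still depends on the mode the delivering program creates them with.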
The only thing I got confused on was that when I change the account ham's group affiliation, I expected a change to be visible in /etc/passwd since there is an entry for a group there, but I only saw one in /etc/group.
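On the two group questions raised in this thread (how to find out which groups a user belongs to, and why a membership change shows up only in /etc/group), an added example that is not from either poster: /etc/passwd stores just the primary group as a numeric GID in its fourth field, while supplementary memberships are the member lists in /etc/group. The sample files are constructed, and the group name `mailbackup` is an assumption; on a live system `id ham` reports the same information.

```shell
#!/bin/sh
# Added example. Sample data is constructed; "mailbackup" is an assumption.

# groups_of USER [PASSWD_FILE] [GROUP_FILE]
# Prints "primary=<name> supplementary=<comma-separated names>".
groups_of() {
    user=$1
    passwd=${2:-/etc/passwd}
    group=${3:-/etc/group}
    # passwd: name:pw:uid:gid:gecos:home:shell -> field 4 is the primary GID
    pgid=$(awk -F: -v u="$user" '$1 == u { print $4; exit }' "$passwd")
    [ -n "$pgid" ] || { echo "no such user: $user" >&2; return 1; }
    # group: name:pw:gid:member1,member2,... -> field 4 lists the members
    awk -F: -v u="$user" -v pgid="$pgid" '
        $3 == pgid { primary = $1 }
        {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] == u && $3 != pgid)
                    supp = supp (supp == "" ? "" : ",") $1
        }
        END { printf "primary=%s supplementary=%s\n", primary, supp }
    ' "$group"
}

# write_sample_files DIR: constructed passwd/group files in the same format.
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
ham:x:500:100::/home/users/ham:/bin/bash
user1:x:501:100::/home/users/user1:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
users:x:100:
ham:x:501:user1,user2
mailbackup:x:600:ham
EOF
}
```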