LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices

Reply
 
Search this Thread
Old 11-10-2010, 07:25 AM   #1
fdelval
Member
 
Registered: Feb 2010
Posts: 107

Rep: Reputation: 15
samba shares permissions as flexible as 2003server shares?


Hello, im trying to master linux permissions.

Right now, i need so much flexibility managing my new samba shares.

Imagine 2 departments in a company:
administration (anne, jessica)
desing (robert, july)

Ok, both administration and desing are 2 groups with those users.


In my 2003server shares, i can add as much groups as i need, and also users. Each object can have different privileges and affect different folders.

Lets take a look at this scheme:

---10 folders with administration documents

administration (can read and write over those 10 folders)
design (can only read those 10 folders)
robert (despite being a designer, he should read and write one of those 10 folders, the one about purchasing materials)

Studying linux permissions, i can only add 2 objetcs, one is "group", the other is "others" (let root aside)
which means:

administration group (administration can read and write )
others group (design can only read those 10 folders)
??and robert?? he needs to write over one administration folder!


Is there any workaround?
 
Old 11-10-2010, 07:46 AM   #2
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 331Reputation: 331Reputation: 331Reputation: 331
Is it me or does this sound like a take-home test? Whatever.

Linux permissions include something called extended attributes. If you mount the file system to allow extended attributes then you can create access control lists just like in Windows. If you understand ACLs in Windows then you can set up a similar security environment in Linux.
Quote:
$ man -k acl
acl (5) - Access Control Lists
chacl (1) - change the access control list of a file or directory
getfacl (1) - get file access control lists
setfacl (1) - set file access control lists
smbcacls (1) - Set or get ACLs on an NT file or directory names
Samba share permissions can also add to the security environment but Linux file permissions take precedence over Samba permissions.

Last edited by stress_junkie; 11-10-2010 at 07:57 AM.
 
Old 11-10-2010, 08:00 AM   #3
fdelval
Member
 
Registered: Feb 2010
Posts: 107

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by stress_junkie View Post
Is it me or does this sound like a take-home test? Whatever.

Linux permissions include something called extended attributes. If you mount the file system to allow extended attributes then you can create access control lists just like in Windows. If you understand ACLs in Windows then you can set up a similar security environment in Linux.


Samba share permissions can also add to the security environment but Linux file permissions take precedence over Samba permissions.


ok, im trying
what is take-home?
 
Old 11-10-2010, 08:10 AM   #4
cantab
Member
 
Registered: Oct 2009
Location: England
Distribution: *buntu, Vector
Posts: 499

Rep: Reputation: 102Reputation: 102
A homework problem.

Indeed, it looks like traditional Unix file permissions won't do what you want. Fortunately, modern Unix systems give you ACLs. As is often the way in the Linux world, you have a choice, unlike in Windows where ACLs are the only option even for the simplest setup.

Last edited by cantab; 11-10-2010 at 08:14 AM.
 
Old 11-23-2010, 08:02 AM   #5
fdelval
Member
 
Registered: Feb 2010
Posts: 107

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by cantab View Post
A homework problem.

Indeed, it looks like traditional Unix file permissions won't do what you want. Fortunately, modern Unix systems give you ACLs. As is often the way in the Linux world, you have a choice, unlike in Windows where ACLs are the only option even for the simplest setup.


and what about VALID USERS // VALID GROUPS // INVALID USERS policies inside samba config file??
 
Old 11-23-2010, 08:29 AM   #6
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 331Reputation: 331Reputation: 331Reputation: 331
I have found that when people start to use access control lists they tend to make too many entries in those lists. One way to keep access control lists simple and easy to support is to identify the types of access required to a given share or directory. Instead of creating a new access control list entry for each person your should create a user group for each type of access, then you can put user accounts into those groups to match their job requirements.

For example most shares will need three types of access control: read + write, read only, and no access. So create a group for read + write and another group for read only. The requirement for no access can be satisfied by the last entry in the list which is the default when no other match has been made. That last entry is Everyone:no access.
The user group for read + write access could be called something like directory_rw.
The user group for read only access could be called something like directory_ro.

Then you create your access control list. In Windows terms it would look like this.
Administrators: full control
directory_rw: read + write
directory_ro: read
Everyone: access denied

Now you put your user accounts into the proper user group.

This type of access control is easy to configure and to support. The access control list is short and easy to understand. Problems will be easy to diagnose and easy to resolve.

Avoid long and complicated access control lists.

 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Samba shares/permissions Maniac0Maniac Linux - Server 2 03-02-2007 03:16 AM
Samba shares/permissions Maniac0Maniac Linux - Software 1 02-27-2007 02:36 PM
samba shares permissions asheesh.tyagi Linux - Newbie 1 06-13-2006 03:55 AM
Permissions on SAMBA shares Joelbarnard Linux - Newbie 2 05-25-2004 02:47 PM
Linux can mount samba shares but not windows shares bindsocket Linux - Software 1 12-01-2003 05:28 PM


All times are GMT -5. The time now is 09:06 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration