LinuxQuestions.org
Old 11-10-2010, 07:25 AM   #1
fdelval
Member
 
Registered: Feb 2010
Posts: 107

Rep: Reputation: 15
samba shares permissions as flexible as 2003server shares?


Hello, I'm trying to master Linux permissions.

Right now, I need a lot of flexibility managing my new Samba shares.

Imagine 2 departments in a company:
administration (anne, jessica)
design (robert, july)

OK, both administration and design are 2 groups with those users.


In my 2003server shares, I can add as many groups as I need, and also users. Each object can have different privileges and affect different folders.

Let's take a look at this scheme:

---10 folders with administration documents

administration (can read and write over those 10 folders)
design (can only read those 10 folders)
robert (despite being a designer, he should read and write one of those 10 folders, the one about purchasing materials)

Studying Linux permissions, I can only add 2 objects, one is "group", the other is "others" (leaving root aside),
which means:

administration group (administration can read and write)
others group (design can only read those 10 folders)
??And robert?? He needs to write over one administration folder!


Is there any workaround?
 
Old 11-10-2010, 07:46 AM   #2
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 335
Is it me or does this sound like a take-home test? Whatever.

Linux permissions include something called extended attributes. If you mount the file system to allow extended attributes then you can create access control lists just like in Windows. If you understand ACLs in Windows then you can set up a similar security environment in Linux.
Quote:
$ man -k acl
acl (5) - Access Control Lists
chacl (1) - change the access control list of a file or directory
getfacl (1) - get file access control lists
setfacl (1) - set file access control lists
smbcacls (1) - Set or get ACLs on an NT file or directory names
Samba share permissions can also add to the security environment but Linux file permissions take precedence over Samba permissions.

Last edited by stress_junkie; 11-10-2010 at 07:57 AM.
 
Old 11-10-2010, 08:00 AM   #3
fdelval
Member
 
Registered: Feb 2010
Posts: 107

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by stress_junkie
Is it me or does this sound like a take-home test? Whatever.

Linux permissions include something called extended attributes. If you mount the file system to allow extended attributes then you can create access control lists just like in Windows. If you understand ACLs in Windows then you can set up a similar security environment in Linux.


Samba share permissions can also add to the security environment but Linux file permissions take precedence over Samba permissions.


OK, I'm trying.
What is take-home?
 
Old 11-10-2010, 08:10 AM   #4
cantab
Member
 
Registered: Oct 2009
Location: England
Distribution: Kubuntu, Ubuntu, Debian, Proxmox.
Posts: 553

Rep: Reputation: 115
A homework problem.

Indeed, it looks like traditional Unix file permissions won't do what you want. Fortunately, modern Unix systems give you ACLs. As is often the way in the Linux world, you have a choice, unlike in Windows where ACLs are the only option even for the simplest setup.

Last edited by cantab; 11-10-2010 at 08:14 AM.
 
Old 11-23-2010, 08:02 AM   #5
fdelval
Member
 
Registered: Feb 2010
Posts: 107

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by cantab
A homework problem.

Indeed, it looks like traditional Unix file permissions won't do what you want. Fortunately, modern Unix systems give you ACLs. As is often the way in the Linux world, you have a choice, unlike in Windows where ACLs are the only option even for the simplest setup.


And what about the VALID USERS // VALID GROUPS // INVALID USERS policies inside the Samba config file?
 
Old 11-23-2010, 08:29 AM   #6
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 335
I have found that when people start to use access control lists they tend to make too many entries in those lists. One way to keep access control lists simple and easy to support is to identify the types of access required to a given share or directory. Instead of creating a new access control list entry for each person you should create a user group for each type of access, then you can put user accounts into those groups to match their job requirements.

For example most shares will need three types of access control: read + write, read only, and no access. So create a group for read + write and another group for read only. The requirement for no access can be satisfied by the last entry in the list which is the default when no other match has been made. That last entry is Everyone:no access.
The user group for read + write access could be called something like directory_rw.
The user group for read only access could be called something like directory_ro.

Then you create your access control list. In Windows terms it would look like this.
Administrators: full control
directory_rw: read + write
directory_ro: read
Everyone: access denied

Now you put your user accounts into the proper user group.

This type of access control is easy to configure and to support. The access control list is short and easy to understand. Problems will be easy to diagnose and easy to resolve.

Avoid long and complicated access control lists.
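
Added example (not part of any post in this thread): a Python sketch of the access-check order documented in acl(5), run over constructed ACLs for the scenario in post #1, showing both a per-user entry for robert and the group-per-access-type layout from post #6. The owner root, the owning group administration, the group name purchasing_rw and the ACL texts themselves are assumptions made for the illustration.

```python
# Added example: the access-check order from acl(5), run over constructed ACLs.

def parse_acl(text):
    """Turn getfacl-style entries ('group:design:r-x') into {(tag, name): perms}."""
    acl = {}
    for entry in text.split():
        tag, name, perms = entry.split(":")
        acl[(tag, name)] = set(perms) - {"-"}
    return acl

def allowed(acl, owner, owning_group, user, groups, want):
    """True if `user`, a member of `groups`, gets every permission in `want`."""
    want = set(want)
    mask = acl.get(("mask", ""))
    def capped(perms):  # named-user and group entries are limited by the mask
        return want <= perms and (mask is None or want <= mask)
    if user == owner:                         # 1. owner entry, mask not applied
        return want <= acl[("user", "")]
    if ("user", user) in acl:                 # 2. named user: decided here, groups ignored
        return capped(acl[("user", user)])
    matches = [acl[("group", "")]] if owning_group in groups else []
    matches += [p for (tag, name), p in acl.items()
                if tag == "group" and name in groups]
    if matches:                               # 3. one matching group entry is enough
        return any(capped(p) for p in matches)
    return want <= acl[("other", "")]         # 4. everyone else

# Constructed ACLs. Assumed: owner root, owning group administration.
BASE = "user::rwx group::rwx group:design:r-x other::--- "
ADMIN_DOCS = parse_acl(BASE + "mask::rwx")
PURCHASING = parse_acl(BASE + "user:robert:rwx mask::rwx")
# Post #6 style: hypothetical group purchasing_rw instead of a per-user entry.
PURCHASING_GRP = parse_acl(BASE + "group:purchasing_rw:rwx mask::rwx")
# Mask lowered (for example by chmod g-w): robert's rwx entry is capped to r-x.
PURCHASING_MASKED = parse_acl(BASE + "user:robert:rwx mask::r-x")

def check(acl, user, groups, want):
    return allowed(acl, "root", "administration", user, set(groups), want)

if __name__ == "__main__":
    for label, acl in [("admin docs", ADMIN_DOCS), ("purchasing", PURCHASING),
                       ("purchasing, mask r-x", PURCHASING_MASKED)]:
        print(label, "robert write:", check(acl, "robert", ["design"], "w"))
```

The masked case is the one to watch when auditing a share: an entry that reads rwx in the ACL grants only what the mask also allows.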
