So, I've been pounding my head on some file permissions in Linux the last couple of days. I've found a solution that works and thought I'd share with everyone.
OK so, here's my situation:
I have a remote directory shared over NFS called tech with perms set to 0750 and owner set to root:tech.
I have 2 groups: tech and techAdmin. tech can read and execute within tech/. techAdmin can read, write, execute.
I have 4 users: user1, user2, user3, user4. user1 and user2 are members of techAdmin, user3 and user4 are members of tech.
Simple so far... but wait, here's the problem. If user1 creates a file inside tech, user2 can't read or modify it because user1 owns it. Here are a few sites that reference this problem:
http://linux.derkeiler.com/Mailing-L...5-07/2616.html
http://forums13.itrc.hp.com/service/...readId=1147220
http://old.nabble.com/ACLs,-umask-an...d27820947.html
http://lists.freebsd.org/pipermail/f...ch/213589.html
http://www.linuxquestions.org/questi...-group-755766/
http://ubuntuforums.org/showthread.php?t=141078
http://lists.bostoncoop.net/pipermai...ay/000443.html
http://www.linuxforums.org/forum/new...ns-system.html
Trying to fix this problem I found literally HUNDREDS of these threads and this same question posted EVERYWHERE. And every answer was the same... you do it with umask: by changing EVERYONE'S umask in /etc/profile to 027 and creating a cronjob that fixes all permissions to 0750 every minute. Changing a umask to 027 can be a dangerous thing and I would NOT recommend doing this... and seriously!?! Making a crontab entry that recursively changes the perms to 0750 every 5 minutes on a multi-terabyte file server? This is BS. I ain't doing that...
Here's how to do it.
Code:
# mkdir tech
# chown root:tech tech/
# chmod g+s tech/
# chmod 0750 tech/
# setfacl -d -m group:techAdmin:rwx tech/
# setfacl -m group:techAdmin:rwx tech/
Not sure why that last line needs to be there, as I thought the line above it would take care of it. If anyone knows why, please post in the comments.
When you run getfacl tech, you should see:
Code:
linux-host# getfacl tech
# file: tech/
# owner: root
# group: tech
# flags: -s-
user::rwx
group::r-x
group:techAdmin:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:techAdmin:rwx
default:mask::rwx
default:other::---
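Added example, not from the post: a small Python model of how the default ACL above becomes the access ACL of a file that user1 creates, which is why user2 (in techAdmin) can read and write it even though user1 owns it, with nobody's umask involved. The entries prefixed default: are what new objects inherit; the entries without the prefix govern tech/ itself. The sample input is the getfacl output shown above, embedded as a constructed string.

```python
# Constructed sample: the getfacl entries the post shows for tech/ (header lines omitted).
GETFACL_TECH = """\
user::rwx
group::r-x
group:techAdmin:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:techAdmin:rwx
default:mask::rwx
default:other::---
"""
RWX = tuple(zip("rwx", (4, 2, 1)))

def to_bits(perms):
    return sum(b for c, b in RWX if c in perms)

def to_perms(bits):
    return "".join(c if bits & b else "-" for c, b in RWX)

def parse_getfacl(text):
    """Split getfacl output into access and default entries of (tag, qualifier, perms)."""
    access, default = [], []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        target, line = (default, line[8:]) if line.startswith("default:") else (access, line)
        tag, qualifier, perms = line.split(":")
        target.append((tag, qualifier, perms))
    return access, default

def effective(entries):
    """Named users/groups and the owning group are ANDed with mask::; user:: and other:: are not."""
    mask = next((to_bits(p) for t, _, p in entries if t == "mask"), 7)
    return {f"{t}:{q}": to_perms(to_bits(p) & (mask if q or t == "group" else 7))
            for t, q, p in entries if t != "mask"}

def inherit(default_entries, mode):
    """Access ACL of a new object under a directory with a default ACL: the default entries
    are copied, with user::, mask:: and other:: ANDed with the creation mode's rwx triplets
    (0666 for most files, 0777 for directories). The process umask is not applied."""
    clamp = {"user:": mode >> 6 & 7, "mask:": mode >> 3 & 7, "other:": mode & 7}
    return [(t, q, to_perms(to_bits(p) & clamp.get(f"{t}:{q}", 7))) for t, q, p in default_entries]

def new_object_rights(getfacl_text, mode):
    """Effective rights on a file or directory that user1 creates inside tech/."""
    _, default = parse_getfacl(getfacl_text)
    return effective(inherit(default, mode))
```

With mode 0666, which is what most programs pass when creating a file, techAdmin ends up with rw- on the new file and the owning group tech with r--. Keep the chmod before the setfacl calls as in the post, because chmod on a directory that carries an ACL rewrites its mask entry.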
BUT WAIT, THERE'S MORE! This company uses Windows clients too... so we need essentially the SAME setup for them too. This can be accomplished in Samba. Your smb.conf tech share should look like this (Samba only treats a line starting with ; or # as a comment, so the notes sit on their own lines rather than after the values):
Code:
[tech]
    comment = Tech department only
    inherit acls = Yes
    path = /mnt/tech
    guest ok = no
    browseable = yes
    ; this forces all created documents to have 750 perms
    create mask = 0750
    ; same for directories
    directory mask = 0750
    ; this is so that all files written to the share are set to "chgrp tech";
    ; if you don't do this, only the user that created the file will have access to it
    force group = tech
    ; only the group that has write privileges
    write list = @techAdmin
    valid users = @tech
user1 and user2 can now log into Windows OR Linux and create or modify existing files within the tech directory. user3 and user4 can also log into Windows OR Linux, but only have read access... they cannot create, modify, or delete.
I know there's room for improvement on this, and if anyone has a solution that worked for them, please share it for future Googlers!
Rich