I've got file server Red Hat Enterprise Linux Server release 6.5 (Samba).
I use Access Control Lists to grant access to various directories inside the Samba share.
Here is the config of the Samba share:
Code:
[Episodes]
path = /srv/resources/shares/Episodes
writeable = yes
browsable = yes
valid users = @sw_god, @SW_all
read list =.
write list = @sw_god, @SW_all
create mask = 0770
force directory mode = 0770
force group = root
Inside /srv/resources/shares/Episodes access is restricted by ACLs.
For example, directory /srv/resources/shares/Episodes/Ep01/Cameras/Final has these permissions:
Code:
# file: srv/resources/shares/Episodes/Ep01/Cameras/Final
# owner: root
# group: root
user::rwx
group::r-x
group:sw_god:rwx
group:sw_all:r-x
group:sw_operator:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:sw_god:rwx
default:group:sw_all:r-x
default:group:sw_operator:rwx
default:mask::rwx
default:other::---
These permissions were set by these commands:
Code:
setfacl -b -R srv/resources/shares/Episodes/Ep01
chmod -R 750 srv/resources/shares/Episodes/Ep01
chown -R 0:0 srv/resources/shares/Episodes/Ep01
setfacl -R -m g:sw_all:rx srv/resources/shares/Episodes/Ep01
setfacl -R -d -m g:sw_all:rx srv/resources/shares/Episodes/Ep01
setfacl -R -m g:sw_god:rwx srv/resources/shares/Episodes/Ep01
setfacl -R -d -m g:sw_god:rwx srv/resources/shares/Episodes/Ep01
setfacl -R -m g:sw_operator:rwx srv/resources/shares/Episodes/Ep01/Cameras/Final
setfacl -R -d -m g:sw_operator:rwx srv/resources/shares/Episodes/Ep01/Cameras/Final
In other words, group sw_all has read access and group sw_god has read/write access in the whole directory Ep01.
Also, group sw_operator has read/write rights in Ep01/Cameras/Final.
I've got two users testuser and testuser2:
Code:
# id testuser
uid=3365(testuser) gid=3000(domain users) groups=3000(domain users),3010(sw_all),3034(sw_operator),3018,3012(BUILTIN\users)
# id testuser2
uid=3366(testuser2) gid=3000(domain users) groups=3000(domain users),3010(sw_all),3012(BUILTIN\users)
As we can see, testuser is in the sw_all and sw_operator groups, and testuser2 is in group sw_all.
So in theory testuser has permission to write in directory Episodes/Ep01/Cameras/Final and testuser2 has only permission to read.
In practice that is how it is. But the problem is when testuser creates something in Episodes/Ep01/Cameras/Final, for example Episodes/Ep01/Cameras/Final/test.
After that testuser2 can write anything in directory Episodes/Ep01/Cameras/Final/test, but can't in Episodes/Ep01/Cameras/Final.
Why does testuser2 have permission to write in directory Episodes/Ep01/Cameras/Final/test?
Permissions:
Code:
[root@]# getfacl /srv/resources/shares/Episodes/Ep01/Cameras/Final
# file: srv/resources/shares/Episodes/Ep01/Cameras/Final
# owner: root
# group: root
user::rwx
group::r-x
group:sw_god:rwx
group:sw_all:r-x
group:sw_operator:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:sw_god:rwx
default:group:sw_all:r-x
default:group:sw_operator:rwx
default:mask::rwx
default:other::---
[root@]# getfacl /srv/resources/shares/Episodes/Ep01/Cameras/Final/test/
# file: srv/resources/shares/Episodes/Ep01/Cameras/Final/test/
# owner: testuser
# group: root
user::rwx
group::rwx
group:sw_god:rwx
group:sw_all:r-x
group:sw_operator:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:sw_god:rwx
default:group:sw_all:r-x
default:group:sw_operator:rwx
default:mask::rwx
default:other::---