LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices

Reply
 
Search this Thread
Old 03-15-2009, 08:45 AM   #1
Klausmedk
LQ Newbie
 
Registered: Mar 2009
Location: Denmark
Posts: 11

Rep: Reputation: 0
Basic Samba+ACL set-up doesn't work


Hello!

I'm running samba 3.2.3 on my Ubuntu 8.10 server installation.

I'm trying to use ACL in order to get extended user permission administration, but cannot make it work.

My samba shares are on a ext3 partition, and i have enabled ACL in fstab. setting and getting ACL permissions on my files directly works like a charm.

But when my users try to access files via samba they cannot access their files even though ACL permissions on the files are set to give them full access.

first of all how can I check wheter ACL is indeed enabled in my samba installation?
"smbd -b | grep -i acl" yields:

HAVE_SYS_ACL_H
HAVE_ACL_LIBACL_H
HAVE_POSIX_ACLS
pdb_ldap pdb_smbpasswd pdb_tdbsam rpc_lsarpc rpc_winreg rpc_initshutdown rpc_dssetup rpc_wkssvc rpc_svcctl2 rpc_ntsvcs2 rpc_netlogon rpc_netdfs rp
c_srvsvc rpc_spoolss rpc_eventlog2 rpc_samr idmap_ldap idmap_tdb idmap_passdb idmap_nss nss_info_template auth_sam auth_unix auth_winbind auth_server
auth_domain auth_builtin vfs_default vfs_posixacl

Is that ok?
My server is nowhere near a domain in any way.
I've tried any combinations of the following settings on my shares without success:

nt acl support = yes
inherit acls = yes
acl map full control = yes

Am I missing some additional settings to enable ACL on my shares?
Normal samba access works fine...e.g. by specifying "valid users = xxx,yyy" in my samba config. But I expect that this setting is not required if i wish to simply make samba obey ACL permissions?

Regards
//Klaus
 
Old 03-16-2009, 06:31 PM   #2
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
Please post the definition for the share. Also post the permissions used to create the directory you are sharing.

Is this a share that more than one user can access? If so you want to use the permissions created with "chmod a=rwxt <directory>". If users can't access their own files either they aren't authenticated and the ownership of the file is "guest" in windows and "nobody" in linux, or permissions are denied because "others" don't have rwx access. The "t" bit is the sticky bit which prevents one user from deleting another user's file. Deleting a file modifies the directory & not the file itself, which is why the sticky bit on directories is used to protect the files in the directory.
 
Old 03-17-2009, 08:53 AM   #3
Klausmedk
LQ Newbie
 
Registered: Mar 2009
Location: Denmark
Posts: 11

Original Poster
Rep: Reputation: 0
he permissions on the shared folder are:

khj@NAS:/shares$ getfacl pictures/
# file: pictures/
# owner: khj
# group: sambashare
user::rwx
user:rmj:rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:rmj:rwx
default:group::rwx
default:mask::rwx
defaultther::---

the share is configured the following way in smd.conf

[pictures]
path = /shares/pictures
comment = pictures
read only = no
valid users = rmj,khj
create mask = 0660
directory mask = 0770
force create mode = 0660
force directory mode = 0770
nt acl support = yes
inherit acls = yes
acl map full control = yes

The user rmj can see and access the share itself.
I have a test file inside the share (the test user rmj, is not a member of the group to which the test file belongs).

If i configure the test file with u:rmj:rwx and read only = yes in smb.conf the rmj user cannot alter the file.
If i remove the ACL permissions for the user rmj but have read only = no in smb.conf the rmj user CAN alter the file.

So it seems that the ACL permissions have no effect, only "read only" in smb.conf is respected by samba.

regards
Klaus
 
Old 03-17-2009, 10:12 PM   #4
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
I played around with setacl because I hadn't used the -d option much before.

Running "setfacl -d --set=u:testuser:rwx /logs" didn't allow testuser to write a file in /logs.
I created it as a test with jschiwal.jschiwal ownership and rwxrwxr-x permissions.
I found that I needed to also use:
setfacl -m u:testuser:rwx /logs
to give the "testuser" user permission to write to the directory. In other words, the default acl will tack on permissions to files created in the directory, but you need to explicitly use "setfacl -m u:<user>:<permissions>" on the directory to allow write permissions to another user.

One other thing. Make sure that the second user has read/execute access to the /share/ directory to be able to access the /share/pictures/ directory. You may want to create the /share/ directory with the same permissions as any system directory, e.g. root.root ownership with rwxrwxr-x permissions.

---
You might want to consider using either a=rwxt permissions on the /share/pictures directory and use samba controls to control who can write to the directory. Then each user can determine whether another user can write to a file.

Another thing to consider is using ug=rwx permissions, and "setfacl --set=u:rmj:rwx /share/pictures" so that each of the two users has access to the directory. Setting rmj as the default user will mean any file created by khj will have rmj's permissions added on but not vice-versa.

In my example, if a created a file as user jschiwal, testuser would have facl permissions added. If testuser creates the file, only testuser has permissions on the file. The owner of the directory only has delete permissions on the file (editing in a read/delete/write cycle may seem like write permissions but aren't).

Last edited by jschiwal; 03-17-2009 at 10:24 PM.
 
Old 03-18-2009, 06:51 AM   #5
Klausmedk
LQ Newbie
 
Registered: Mar 2009
Location: Denmark
Posts: 11

Original Poster
Rep: Reputation: 0
Thank you for the response.

I have had some of the same considerations as you mention.

Quote:
Running "setfacl -d --set=u:testuser:rwx /logs" didn't allow testuser to write a file in /logs.
I created it as a test with jschiwal.jschiwal ownership and rwxrwxr-x permissions.
I found that I needed to also use:
setfacl -m u:testuser:rwx /logs
As you can see my testuser rmj does have both default rwx permissions (default:user:rmj:rwx) as well as explicit user rwx permissions (user:rmj:rwx) to the /shares/pictures dir.

Quote:
One other thing. Make sure that the second user has read/execute access to the /share/ directory to be able to access the /share/pictures/ directory. You may want to create the /share/ directory with the same permissions as any system directory, e.g. root.root ownership with rwxrwxr-x permissions
The /shares directory have permissions rwxrwxr-x with user and group set to root.

Quote:
You might want to consider using either a=rwxt permissions on the /share/pictures directory and use samba controls to control who can write to the directory. Then each user can determine whether another user can write to a file.
For me setting a=rwxt and then using samba to control access is not a good idea as my users can also login to the server via ssh and manipulate the files that way.

Quote:
Another thing to consider is using ug=rwx permissions, and "setfacl --set=u:rmj:rwx /share/pictures" so that each of the two users has access to the directory. Setting rmj as the default user will mean any file created by khj will have rmj's permissions added on but not vice-versa.
I know how default acl permissions work. And that is exactly the way i want it to work. If I choose to grant a user access to a share i wish these permissions to be effective on all current and future files in that share. I achive this by setting the default acl permissions on directories in the share as well as add the specific users rights to all current files in the share.
So on a system level i think i know how acl permissions work, I simply cannot make samba "obey" these acl permissions.

regards
Klaus
 
Old 03-19-2009, 05:03 PM   #6
Klausmedk
LQ Newbie
 
Registered: Mar 2009
Location: Denmark
Posts: 11

Original Poster
Rep: Reputation: 0
I've been digging a little deeper.

My set-up is:
share directory /shares/pictures
test file /shares/pictures/myfile

"nt acl support = yes" on the share for /shares/pictures

If I grant a user acl permissions directly on the file it has no impact what so ever.
But if I grant the user acl permissions to the /shares/pictures directory i can control access....also for the file

Examples
u:xxx:rwx on /shares/pictures mean that the user can read and change the file /shares/pictures/myfile disregarding the permissions on myfile

u:xxx:r-x on /shares/pictures mean that the user can read but not change the file /shares/pictures/myfile disregarding the permissions on myfile

u:xxx:--- on /shares/pictures mean that the user cannot access the directory

Is that simply the way ACLs in samba works or is something completely wrong with me or my system. I would expect to be able to control access wiith ACL on a file level not on a share/directory level.

Regards
Klaus
 
Old 03-20-2009, 12:22 AM   #7
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
Quote:
For me setting a=rwxt and then using samba to control access is not a good idea as my users can also login to the server via ssh and manipulate the files that way.
If you want to have a directory that all users can access, this is how it is usually done for writable/global directories. I would recommend using "AllowUsers" in /etc/ssh/sshd_config in any event. Only the user or users listed will be able to log into ssh then. This will also deny system user log in attempts, which is what script kiddies try. If you want two particular users out of many to have access to this directory, a normal control mechanism is using groups. If you have other users, then perhaps you are right and allowing "other" access wouldn't be a good idea. For a globally writable directory (or share), such as /tmp, those are the permissions you want.

As an aside, shares meant for mass storage probably should be mounted on their own partition and the "noexec", "nodev" options should be used. This only stops a little, but is standard practice. Especially if a user mistakenly (or stupidly on purpose) has the current directory in their path. Another evil user could in this case create an evil "ls" or "cd" wrapper which
good user might run while in the directory.

---

Could you post the permissions from "ls -l" and getfacl. At first the directory was owned by khj, and now by root. I'd like to get the correct current infomation.

Also the permissions of the /shares directory. If shares is root.root & rwxrwx---, then a user may not get access to files inside /shares/pictures/ regardless of the permissions of the files.

---

Try to verify that each user, kjh & rmj can access files as you want on the server directly before looking at Samba.

---
If you post back, for convenience, please post results inside code blocks to make them more readable, and disable smilies. Thanks.

Last edited by jschiwal; 03-20-2009 at 12:29 AM.
 
Old 03-21-2009, 03:56 PM   #8
Klausmedk
LQ Newbie
 
Registered: Mar 2009
Location: Denmark
Posts: 11

Original Poster
Rep: Reputation: 0
Thumbs up

ahhhhh...noob alert!

I finally solved it. Your comment below triggered me to start from scratch:

Quote:
Try to verify that each user, kjh & rmj can access files as you want on the server directly before looking at Samba.
I started playing with permissions on both the directory and the file.

The thing that I had missed is that rwx permissions on the dir gives the user permissions to rename files they do not own or have permissions for.

Whenever I tested various file permissions i tested it by renaming the test file, which every time went ok because the test user had rwx permissions on the directory. What i did not try was simply reading/executing the file.

So everything is OK after all. I guess I just have to read up on some of the basic linux file permission stuff.

Thank you jschiwal for keeping the good advice coming.

Regards
Klaus
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] set ACL recursively on a directory ?? vikas027 Other *NIX 4 08-30-2008 05:41 AM
Samba ACL issues garnser Linux - Security 1 07-17-2007 11:00 PM
set time acl and custom message squid cgelectek Linux - Software 1 06-25-2005 11:17 AM
NT ACL Samba Share ateh Linux - General 4 10-18-2004 12:43 PM
Samba + Acl theDrix Linux - General 0 10-18-2004 12:29 PM


All times are GMT -5. The time now is 04:54 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration