Trying to get permissions correct with Samba and SSH
 

I created a directory: /share

/share is being shared at my office with people in the "accounting" group vis Samba.
In the smb.conf file, I put create mask = 0770 and directory mask = 0770
FIne and Dandy! When users using Windows create and move files around, everyone in the Accounting group has permissions to the newly created folders and files.

I also want some users to be able to access this /share folder via ssh/sftp. I set up the respective users to have their home directory set to /share so that is the first place they are taken to when they SSH/SFTP in. The problem is that once they create folders or files, the permissions to the newly created files and folders are 750 RWXR-X---. This means that the group "accounting" cannot modify or delete these files. How do I have it so that files and folders will automatically be 770 (RWXRWX---) when a user modifies and creates folders via SSH/SFTP? Otherwise, I have to keep executing as root 'chmod -R 770 /share' and that is pretty annoying.

chgrp -R accounting /share
this could do it.

The thing is that this is effective at the moment. I would have to keep executing chgrp -R accounting /share when a user modifies or creates a new folder, and that would not be practical. I tested it and when I SSH and create a folder, it creates the folder, but gives it an automatic permission of RWXR-X---. This is not good. I need it to be RWXRWX--- so that all users in the accounting group can read, write, and execute

Is this something I am supposed edit in the /etc/fstab?

You can achive this using ACLs. If your kernel has ACL support built in for your particular type of filesystem, mount the necessary partition with he acl option.

mount -o remount,acl /share

Set the share folder with SGID and permission 770:

chmod 2770 /share

Set the ACL permissions for the group and others:

setfacl -m d:g:accounting:rwx /share
setfacl -m d: o::--- /share

Files will now be created as rw-rw---- and directories as rwxrwx---

Thanks for the detailed post! It does, however, get a little more complicated. I failed to mention that within this /share folder, there are other subdirectories that each need to have their own permissions. Example, /share/accounting (accounting group), /share/design (designing group), /share/hr (human resources group), etc...

Can I specify the permissions with the ACL for each of those directories? My filesystem is ext3 and it has ACL support (Kubuntu 6.06). Lastly, if I do this on the current partition, will I lose my important data files messing around with this ACL settings?

Yes you may specify different group permissions for different groups using ACL. You can check the effective permissions for all groups with the getfacl command.

setfacl -m d:g:group1:rx /share/subfolder
setfacl -m d:g:group2:rwx /share/subfolder

getfacl /share/subfolder


There is no chance that you will lose data applying ACLs. It will only affect metadata.

Sounds like these are user accounts setup specifically for this one (SFTP) purpose. In that case try creating a .profile and setting the umask to 007.

In general read about umask and/or lumask for SFTP.
Disclaimer: Theory only have not tested what I wrote.
ppd

Thanks SlackDaemon and PDock. The ACL works, and so does the umask trick in the .bash_profile file.

The only problem is that I am having remote users connect with a commercial software called SecureShell for Windows. For some reason, it ignores umask, lumask, and the ACL that I create. This is okay as there is an option in the SSH SecureShell program to force permissions that I want. I guess the program just doesn't give a damn about local profiles and settings in Linux.

I did, however, learn about ACL's and umasks! Very helpful. Thank you very much!