Trying to get permissions correct with Samba and SSH
I created a directory: /share
/share is being shared at my office with people in the "accounting" group via Samba. In the smb.conf file, I put create mask = 0770 and directory mask = 0770. Fine and dandy! When users using Windows create and move files around, everyone in the Accounting group has permissions to the newly created folders and files.

I also want some users to be able to access this /share folder via ssh/sftp. I set up the respective users to have their home directory set to /share so that is the first place they are taken to when they SSH/SFTP in. The problem is that once they create folders or files, the permissions to the newly created files and folders are 750 RWXR-X---. This means that the group "accounting" cannot modify or delete these files.

How do I have it so that files and folders will automatically be 770 (RWXRWX---) when a user modifies and creates folders via SSH/SFTP? Otherwise, I have to keep executing as root 'chmod -R 770 /share' and that is pretty annoying.
chgrp -R accounting /share
This could do it.
Quote:
Is this something I am supposed to edit in the /etc/fstab?
You can achieve this using ACLs. If your kernel has ACL support built in for your particular type of filesystem, mount the necessary partition with the acl option.
mount -o remount,acl /share
Set the share folder with SGID and permission 770:
chmod 2770 /share
Set the ACL permissions for the group and others:
setfacl -m d:g:accounting:rwx /share
setfacl -m d:o::--- /share
Files will now be created as rw-rw---- and directories as rwxrwx---
Thanks for the detailed post! It does, however, get a little more complicated. I failed to mention that within this /share folder, there are other subdirectories that each need to have their own permissions. Example, /share/accounting (accounting group), /share/design (designing group), /share/hr (human resources group), etc...
Can I specify the permissions with the ACL for each of those directories? My filesystem is ext3 and it has ACL support (Kubuntu 6.06). Lastly, if I do this on the current partition, will I lose my important data files messing around with these ACL settings?
Yes, you may specify different group permissions for different groups using ACL. You can check the effective permissions for all groups with the getfacl command.
setfacl -m d:g:group1:rx /share/subfolder
setfacl -m d:g:group2:rwx /share/subfolder
getfacl /share/subfolder
There is no chance that you will lose data applying ACLs. It will only affect metadata.
Quote:
In general, read about umask and/or lumask for SFTP. Disclaimer: Theory only; I have not tested what I wrote. ppd
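Added example, not part of any post in this thread: a small Python model of the Linux rule (from acl(5)) that decides the mode of a new file or directory, showing why a umask alone gives the restrictive modes reported in the first post and why a default ACL on /share replaces the umask. The umask of 027, the ACL dictionary layout and the function names are assumptions made for illustration.

```python
# Model of how Linux picks the permission bits of a newly created object
# (rules from acl(5)). Sample umask and ACL values below are constructed.

def parse_perm(s):
    """'rwx' / 'r-x' / '---' -> 3-bit integer."""
    return sum(bit for ch, bit in zip(s, (4, 2, 1)) if ch != "-")

def new_object_mode(requested, umask, default_acl=None):
    """Permission bits a new object ends up with.

    requested   -- mode passed to open()/mkdir() (0o666 files, 0o777 dirs)
    umask       -- umask of the creating process
    default_acl -- parent's default ACL as a dict, or None if it has none
    """
    if default_acl is None:
        return requested & ~umask & 0o777      # classic umask path
    # With a default ACL the umask is ignored: each class is the inherited
    # entry ANDed with the requested mode. The group bits reflect the mask
    # entry, which always exists once named entries are present.
    owner = parse_perm(default_acl["u::"])
    group = parse_perm(default_acl.get("m::", default_acl["g::"]))
    other = parse_perm(default_acl["o::"])
    return requested & ((owner << 6) | (group << 3) | other)

def effective_named(requested, default_acl, entry):
    """Effective rights of a named entry (e.g. 'g:accounting:') on a new object."""
    mask = (new_object_mode(requested, 0, default_acl) >> 3) & 7
    return parse_perm(default_acl[entry]) & mask

# Default ACL of /share after chmod 2770 plus the two setfacl commands
# posted above (setfacl fills in the u::, g:: and m:: entries itself).
SHARE_DEFAULT_ACL = {"u::": "rwx", "g::": "rwx", "g:accounting:": "rwx",
                     "m::": "rwx", "o::": "---"}

if __name__ == "__main__":
    for label, req in (("file", 0o666), ("dir", 0o777)):
        print(label, "umask 027 only:", oct(new_object_mode(req, 0o027)))
        print(label, "default ACL   :",
              oct(new_object_mode(req, 0o027, SHARE_DEFAULT_ACL)))
    # Constructed case: a client that requests 0644 at creation narrows the
    # mask to r--, so the named group is left with read access only.
    print("accounting on 0644 create:",
          effective_named(0o644, SHARE_DEFAULT_ACL, "g:accounting:"))
```

The model covers creation only; an explicit chmod issued after the upload rewrites the mask entry regardless of umask or default ACL, which getfacl shows as "#effective:" on the named entries.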
Thanks SlackDaemon and PDock. The ACL works, and so does the umask trick in the .bash_profile file.
The only problem is that I am having remote users connect with commercial software called SecureShell for Windows. For some reason, it ignores umask, lumask, and the ACL that I create. This is okay as there is an option in the SSH SecureShell program to force permissions that I want. I guess the program just doesn't give a damn about local profiles and settings in Linux. I did, however, learn about ACLs and umasks! Very helpful. Thank you very much!