LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - General (https://www.linuxquestions.org/questions/linux-general-1/)
-   -   Trying to get permissions correct with Samba and SSH (https://www.linuxquestions.org/questions/linux-general-1/trying-to-get-permissions-correct-with-samba-and-ssh-482967/)

Micro420 09-13-2006 12:53 AM

Trying to get permissions correct with Samba and SSH
 
I created a directory: /share

/share is being shared at my office with people in the "accounting" group vis Samba.
In the smb.conf file, I put create mask = 0770 and directory mask = 0770
FIne and Dandy! When users using Windows create and move files around, everyone in the Accounting group has permissions to the newly created folders and files.

I also want some users to be able to access this /share folder via ssh/sftp. I set up the respective users to have their home directory set to /share so that is the first place they are taken to when they SSH/SFTP in. The problem is that once they create folders or files, the permissions to the newly created files and folders are 750 RWXR-X---. This means that the group "accounting" cannot modify or delete these files. How do I have it so that files and folders will automatically be 770 (RWXRWX---) when a user modifies and creates folders via SSH/SFTP? Otherwise, I have to keep executing as root 'chmod -R 770 /share' and that is pretty annoying.

odcheck 09-13-2006 01:26 AM

chgrp -R accounting /share
this could do it.

Micro420 09-13-2006 01:55 AM

Quote:

Originally Posted by odcheck
chgrp -R accounting /share
this could do it.

The thing is that this is effective at the moment. I would have to keep executing chgrp -R accounting /share when a user modifies or creates a new folder, and that would not be practical. I tested it and when I SSH and create a folder, it creates the folder, but gives it an automatic permission of RWXR-X---. This is not good. I need it to be RWXRWX--- so that all users in the accounting group can read, write, and execute

Is this something I am supposed edit in the /etc/fstab?

SlackDaemon 09-13-2006 02:01 AM

You can achive this using ACLs. If your kernel has ACL support built in for your particular type of filesystem, mount the necessary partition with he acl option.

mount -o remount,acl /share

Set the share folder with SGID and permission 770:

chmod 2770 /share

Set the ACL permissions for the group and others:

setfacl -m d:g:accounting:rwx /share
setfacl -m d: o::--- /share

Files will now be created as rw-rw---- and directories as rwxrwx---

Micro420 09-13-2006 02:31 AM

Thanks for the detailed post! It does, however, get a little more complicated. I failed to mention that within this /share folder, there are other subdirectories that each need to have their own permissions. Example, /share/accounting (accounting group), /share/design (designing group), /share/hr (human resources group), etc...

Can I specify the permissions with the ACL for each of those directories? My filesystem is ext3 and it has ACL support (Kubuntu 6.06). Lastly, if I do this on the current partition, will I lose my important data files messing around with this ACL settings?

SlackDaemon 09-13-2006 03:46 AM

Yes you may specify different group permissions for different groups using ACL. You can check the effective permissions for all groups with the getfacl command.

setfacl -m d:g:group1:rx /share/subfolder
setfacl -m d:g:group2:rwx /share/subfolder

getfacl /share/subfolder


There is no chance that you will lose data applying ACLs. It will only affect metadata.

PDock 09-13-2006 06:12 AM

Quote:

Originally Posted by Micro420
I created a directory: /share


I also want some users to be able to access this /share folder via ssh/sftp. I set up the respective users to have their home directory set to /share so that is the first place they are taken to when they SSH/SFTP in.

Sounds like these are user accounts setup specifically for this one (SFTP) purpose. In that case try creating a .profile and setting the umask to 007.

In general read about umask and/or lumask for SFTP.
Disclaimer: Theory only have not tested what I wrote.
ppd

Micro420 09-13-2006 10:49 PM

Thanks SlackDaemon and PDock. The ACL works, and so does the umask trick in the .bash_profile file.

The only problem is that I am having remote users connect with a commercial software called SecureShell for Windows. For some reason, it ignores umask, lumask, and the ACL that I create. This is okay as there is an option in the SSH SecureShell program to force permissions that I want. I guess the program just doesn't give a damn about local profiles and settings in Linux.

I did, however, learn about ACL's and umasks! Very helpful. Thank you very much!


All times are GMT -5. The time now is 08:47 AM.