Old 07-22-2006, 08:53 PM   #1
tcv
Member
 
Registered: Apr 2003
Location: Billerica, MA
Posts: 114

Rep: Reputation: 15
Samba and *nix permissions


Hi there,

I have a Trustix email server and I would like to back that email up to our tape drive, which is running on a Windows 2003 Server system. Right now, all users "Leave mail on Server," so there is a lot of data there. The company I need to do this for is a small financial broker and SEC requirements have given us the ... ah ... prod to do this.

Samba has, more or less, been configured on the system. It is not actually running, nor does it come up at bootup. Thanks to some help elsewhere, I know what to do to make that happen.

But...

One of the things I'm not sure how to do is how to give the Windows 2003 Server machine access to the Mails.

I _think_ what I need to do is take one of the existing users, elevate his access privileges and/or give him access (read only) to /home/users/. I would map the drive to the Windows box, then have it perform the backup according to a schedule.

The thing is: I don't know how to read the permissions on the files and folders and determine what I need to do to that account. Furthermore, I don't know how to read the user's current privileges.

I'd like some beginner pointers. What can I start looking at to determine what I need to do? Any help is appreciated!!

m

Last edited by tcv; 07-22-2006 at 09:06 PM.
 
Old 07-22-2006, 09:19 PM   #2
tcv
Member
 
Registered: Apr 2003
Location: Billerica, MA
Posts: 114

Original Poster
Rep: Reputation: 15
More info:

There is an account called "ham" that currently "owns" /home/shared/

Code:
drwsrwsr-x    3 ham office       4096 Aug 11  2005 shared/
There is a line in smb.conf that reads:

Code:
force user = ham
Couldn't I give 'ham' elevated privileges? Couldn't I, for instance, elevate 'ham' to the root group? Wouldn't that allow 'ham' the ability to read files in /home/users and all the sub-folders therein?

m
 
Old 07-22-2006, 09:41 PM   #3
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
what is the output of

ls -l /home/users

Does anyone else need access to /home/users?

If not, I would have thought that

chown ham:office /home/users

would do the trick (or am I missing something here)

Edit - I don't know if anyone else sees a face on my post, but I do. the chown line should read ham followed by a colon followed by office (no spaces)

Last edited by billymayday; 07-22-2006 at 09:46 PM.
 
Old 07-22-2006, 09:48 PM   #4
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
If you only give ham read access, how does the backup work?
 
Old 07-22-2006, 10:01 PM   #5
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Don't know if I totally misinterpreted your question, so please ignore if I did, but here's the interpretation of the line you posted above

drwsrwsr-x 3 ham office 4096 Aug 11 2005 shared/

The "d" tells us it's a directory

the next 3 characters tell us what the owner can do (in this case read, write or execute (as user))

the next 3 characters tell us what members of the same group can do (ditto)

the final 3 tell us what anyone can do (read (the dash means can't write) or execute).

Note that the order will always be the same - read, write, execute with dashes where the right isn't given.

Have a look at the following link.

http://www.comptechdoc.org/os/linux/..._ugfilesp.html

Also, the command to change these is chmod. Have a look at man chmod.

Rgds


Bill
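
Added example (not part of the original post): a small Python decoder for the `ls -l` mode strings quoted in this thread. It goes slightly beyond the explanation above by also handling the `s`/`S` and `t`/`T` letters that can occupy the execute slot, as in `drwsrwsr-x`; the function name `decode_mode` is hypothetical.

```python
TYPES = {"d": "directory", "-": "regular file", "l": "symlink"}
# (class, special bit name, special bit value, letters allowed in the x slot)
CLASSES = (
    ("owner", "setuid", 0o4000, "sS"),
    ("group", "setgid", 0o2000, "sS"),
    ("other", "sticky", 0o1000, "tT"),
)

def decode_mode(mode):
    """Decode a 10-character ls -l mode string into type, rights and octal mode."""
    if len(mode) != 10 or mode[0] not in TYPES:
        raise ValueError(f"unsupported mode string: {mode!r}")
    rights, special, octal = {}, [], 0
    for i, (who, bit_name, bit_value, letters) in enumerate(CLASSES):
        r, w, x = mode[1 + 3 * i: 4 + 3 * i]
        if r not in "r-" or w not in "w-" or x not in "x-" + letters:
            raise ValueError(f"bad {who} triplet in {mode!r}")
        if x in letters:
            special.append(bit_name)
            octal |= bit_value
            x = "x" if x.islower() else "-"  # lowercase: execute is set as well
        granted = "".join(c for c in (r, w, x) if c != "-")
        rights[who] = granted
        value = ("r" in granted) * 4 + ("w" in granted) * 2 + ("x" in granted) * 1
        octal |= value << (6 - 3 * i)
    return {"type": TYPES[mode[0]], "rights": rights,
            "special": special, "octal": oct(octal)}

if __name__ == "__main__":
    # Mode strings copied from the listings posted in this thread.
    for sample in ("drwsrwsr-x", "drwx-----x"):
        print(sample, decode_mode(sample))
```

On Linux, the setgid bit on a directory makes files created inside it inherit the directory's group, while setuid on a directory has no effect.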
 
Old 07-22-2006, 10:11 PM   #6
tcv
Member
 
Registered: Apr 2003
Location: Billerica, MA
Posts: 114

Original Poster
Rep: Reputation: 15
Well, I just need an account to be able to copy the files to another location on a different system. Wouldn't that be read-only access? I don't need ham or the Windows system to be able to write to any of those directories.

As for ls -l on /home/users:

Code:
drwx-----x    4 user1  ham     4096 Jan 12  2005 user1/
drwx-----x    3 ham users        4096 Sep  7  2004 ham/
drwx-----x    3 user2  ham     4096 Sep 20  2004 user2/
drwx-----x    3 user3 ham     4096 Sep 20  2004 user3/
drwx-----x    4 user4 ham     4096 Nov 10  2004 user4/
drwx-----x    3 user5  ham     4096 Sep 21  2004 user5/
drwx-----x    3 user6 ham     4096 Mar 22 22:54 user6/
drwx-----x    3 user7 users        4096 Apr  7 21:41 user7/
drwx-----x    5 user8  users        4096 Mar 22 23:07 user8/
I did obscure all usernames 'cept for "ham"

Also: There is a group called "ham" as well.

So, it looks like only the OWNERS have permissions to do anything with those directories. Although ROOT can see everything. I'm not sure why that is... I realize that root has more access in general, but I don't understand how to notch someone up so that they can see more. Is it a matter of, say, figuring out the group ID and giving ham membership to one group higher than the group listed above? So, for instance, I give 'ham' membership to the group that's one notch above the 'ham' group? Would that do it?

Also: I don't want to change anything that would make the directories readable by other users. I don't want to make a change so that, say, user8, can suddenly see the contents of user7's home directory. Make sense?
 
Old 07-22-2006, 10:36 PM   #7
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
You don't want to give anyone else root's power, take that as given.

What I think is probably easiest is to make sure ham is a member of each user's group

usermod -G user1,user2,...,usern ham

allow group access to the directories

chmod g+w,g+r,g+x /home/user1

etc.

and in smb.conf make your folder definitions look something like

[user1]
comment = User 1's area
writeable = yes
create mode = 775
path = /home/user1
directory mode = 775

What this all does is put ham in the same group as each user (a user can be a member of many groups - note the capital G in usermod!), let the group read/write and execute these directories (you certainly need write access, because that's what you're doing when you back up to it - or did I miss the point again?), and set Samba to maintain these permissions when things get created.

Each user is only a member of their own group, so can't see other users' directories.


I think this meets your requirements

Last edited by billymayday; 07-22-2006 at 10:38 PM.
 
Old 07-23-2006, 09:32 AM   #8
tcv
Member
 
Registered: Apr 2003
Location: Billerica, MA
Posts: 114

Original Poster
Rep: Reputation: 15
Thank you. This is pretty cool.

A couple of follow up questions, please.

1. What if all the users are part of one group? As soon as I turned on group rwx, wouldn't that allow other members of the group access to those other directories?

2. How do I find out what groups exist and what groups a particular user belongs to?
 
Old 07-23-2006, 04:55 PM   #9
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
1. If they are all in the same group and you set the group privileges to wrx, then they will all be able to read and write each other's directories. I think you said this is what you didn't want.

2. I'm sure there's something in whatever GUI you use (I don't), but have a look under system settings, users and groups, or something like that. There are a couple of files under /etc that should help. passwd lists all the users (but not their group), and group lists all the groups and all the members of that group (see man group). Slightly the wrong way for what you want, but I don't think there's a textual system list of users and their groups.

Rgds
 
Old 07-23-2006, 06:59 PM   #10
tcv
Member
 
Registered: Apr 2003
Location: Billerica, MA
Posts: 114

Original Poster
Rep: Reputation: 15
Hi there,

This is why I'm asking.

You said:

Quote:
What I think is probably easiest is to make sure ham is a member of each user's group
So, if all users are members of the HAM group -- which they are, by the way, I checked -- then I open up group rwx, wouldn't that mean that ALL users in that group, including my HAM user, would be able to view each other's Maildirs?

I'm wondering if a better way would be to:

1. Create a new group.
2. Change group on the users' directories to the new group.
3. Set group access to RWX for all users folders.
4. Make HAM a member of the new group.

Wouldn't that give HAM access to all the user directories and still keep the other users out of each other's directories because they're not a member of the new group? Also, since they remain the OWNER of their own directories, their own access to the directories would not change.

Am I right here?
 
Old 07-25-2006, 05:50 AM   #11
tcv
Member
 
Registered: Apr 2003
Location: Billerica, MA
Posts: 114

Original Poster
Rep: Reputation: 15
Just a small bump in case someone else can answer...
 
Old 07-25-2006, 06:25 AM   #12
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Sorry tcv, I thought I answered this (in fact I know I did, but I guess I hit the back button by mistake.)

In short, I think what you're suggesting works fine. I'm not sure if it's unorthodox to have the group one that the user isn't a member of, but I can't see why.

Try it and see. Otherwise, I'd suggest you start a new thread if you want some fresh eyes.


Rgds


Bill

ps - I won't say your solution looks more elegant than mine. Egos you know.

Edit - tcv, if you repost, don't put it in linux-newbies, try linux-general

Last edited by billymayday; 07-25-2006 at 06:28 AM.
 
Old 07-25-2006, 06:51 AM   #13
tcv
Member
 
Registered: Apr 2003
Location: Billerica, MA
Posts: 114

Original Poster
Rep: Reputation: 15
Hi Bill, thanks for writing again!

I'm not concerned about elegance. In fact, I am SURE your solution is more elegant. I just want to be sure that your solution wouldn't unnecessarily open up the possibility that another user can peek into another user's folder. If every user is part of the same group, and I open up group access, then it seems to me that all users will be able to view all the other users' directories.

Am I right?

I can try it, though, without compromising anything...
 
Old 07-25-2006, 07:02 AM   #14
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
tcv, I just had a quick play. I think the issue is how to ensure that if user1 creates a file in /home/user1, that its group is your new group. By default, the file will be created as owned by user1 of group user1. I'm not sure how you change this behaviour, if in fact you can.

A simple solution to your overall problem (I just re-read your post) could be to create a cron job to run as root that backs up the users' directories to, say /home/shared and let the Windows Server 2003 machine have read access for backups. Something like tar will work well for this. Only ham and the Windows machine would need read access to this directory.


Rgds


Bill
 
Old 07-25-2006, 07:12 AM   #15
tcv
Member
 
Registered: Apr 2003
Location: Billerica, MA
Posts: 114

Original Poster
Rep: Reputation: 15
It worked.

The only thing I got confused on was that when I change the account ham's group affiliation, I expected a change to be visible in /etc/passwd since there is an entry for a group there, but I only saw one in /etc/group

m

{Edit: Ahhh... that is a good way to do, Bill.}

Last edited by tcv; 07-25-2006 at 07:13 AM.
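
Added example (not part of the thread): a Python model of the two group schemes discussed in posts #7 and #10, and of where group membership is recorded (the /etc/passwd versus /etc/group question in post #15). The passwd/group contents, the GIDs and the group name `mailbackup` are constructed assumptions, as are the function names.

```python
# Constructed sample data: every user is in group "ham"; only ham is in "mailbackup".
PASSWD = """\
ham:x:500:500::/home/users/ham:/bin/bash
user7:x:507:100::/home/users/user7:/bin/bash
user8:x:508:100::/home/users/user8:/bin/bash
"""
GROUP = """\
users:x:100:
ham:x:500:user7,user8
mailbackup:x:600:ham
"""

def groups_of(user, passwd=PASSWD, group=GROUP):
    """Primary group: field 4 of passwd. Supplementary groups: member lists in group."""
    gid_name, members = {}, {}
    for line in group.splitlines():
        name, _pw, gid, users = line.split(":")
        gid_name[gid] = name
        members[name] = set(filter(None, users.split(",")))
    fields = (line.split(":") for line in passwd.splitlines())
    primary_gid = next(f[3] for f in fields if f[0] == user)
    return {gid_name[primary_gid]} | {g for g, m in members.items() if user in m}

def can_read_dir(user, owner, group, mode):
    """Only one class applies: owner, else group, else other. Listing needs r and x."""
    if user == owner:
        bits = mode >> 6
    elif group in groups_of(user):
        bits = mode >> 3
    else:
        bits = mode
    return (bits & 0o5) == 0o5

def readers(owner, group, mode, users=("ham", "user7", "user8")):
    """Which of the sample users can list a directory with this owner/group/mode."""
    return sorted(u for u in users if can_read_dir(u, owner, group, mode))

if __name__ == "__main__":
    print("groups of ham:", sorted(groups_of("ham")))
    print("as posted (users, 701):   ", readers("user7", "users", 0o701))
    print("shared group (ham, 771):  ", readers("user7", "ham", 0o771))
    print("new group (mailbackup, 771):", readers("user7", "mailbackup", 0o771))
```

The model covers only the top-level home directory; files and Maildir subdirectories below it carry their own owner, group and mode.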
 
  

