LinuxQuestions.org


nocandcan 02-26-2015 01:59 AM

ACL (access and default access ACL)
 
Hi, all.
I want to configure as follows:
# umask 077
# mkdir /home/abc
# mkdir /home/abc/Nu
# chown admin.admin Nu
# useradd admin
# useradd fa1
# smbpasswd -a admin
# smbpasswd -a fa1

share folder abc:
[abc]
path = /home/abc
public = no
valid users = admin, fa1
writable = yes
browseable = no
guest ok = yes

configure acl:
# setfacl -m u:fa1:rw- Nu/
# setfacl -d -m u:fa1:rw- Nu/
# ll
drwxrwx---+ 4 admin admin 4096 Feb 26 09:38 Nu

# getfacl Nu/
# file: Nu/
# owner: admin
# group: admin
user::rwx
user:fa1:rw-
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:fa1:rw-
default:group::rwx
default:mask::rwx
default:other::---

=> After configuring, from a Windows 8 PC I can access the Samba share, but I cannot access the folder Nu.
(I want to configure folder Nu so that user admin has full control permission and user fa1 has modify permission.)

Could you please check this for me?

Thank you very much.

T3RM1NVT0R 02-28-2015 05:48 AM

You cannot access a folder without execute (x) permission. So if you want to access it, you should set the ACL as follows:

Code:

# setfacl -m u:fa1:rwx Nu/
# setfacl -d -m u:fa1:rwx Nu/

In the real world, try to avoid file permission ACLs as they are painful when it comes to troubleshooting.

nocandcan 03-01-2015 07:52 PM

Quote:

Originally Posted by T3RM1NVT0R (Post 5324616)
You cannot access a folder without execute (x) permission. So if you want to access it, you should set the ACL as follows:

Code:

# setfacl -m u:fa1:rwx Nu/
# setfacl -d -m u:fa1:rwx Nu/

In the real world, try to avoid file permission ACLs as they are painful when it comes to troubleshooting.

Hi, T3RM1NVT0R
Thank you very much for your reply.
But I am disturbed by this.
If we set rwx, this permission is the same as Full Control on Windows,
so if a user from Windows maps the share folder (abc) with a user having rwx permission, this user can "Change permissions" and "Take ownership".

On CentOS, could we set the ACL but remove the two options above?

Best regards,

T3RM1NVT0R 03-02-2015 01:07 PM

What you are talking about is mapping a Linux Samba share on Windows, and you are worried that if they map the share they will be able to change the ownership. Is that correct?

If that is the case then the answer is no, because ultimately the permissions will be governed by the OS from where the share is mapped, which is Linux in this case. Linux keeps permission and ownership separate. Only the user who is the owner of that directory, or root, can change the ownership of that directory.

nocandcan 03-02-2015 07:56 PM

Quote:

Originally Posted by T3RM1NVT0R (Post 5325731)
What you are talking about is mapping a Linux Samba share on Windows, and you are worried that if they map the share they will be able to change the ownership. Is that correct?

If that is the case then the answer is no, because ultimately the permissions will be governed by the OS from where the share is mapped, which is Linux in this case. Linux keeps permission and ownership separate. Only the user who is the owner of that directory, or root, can change the ownership of that directory.

What you are talking about is mapping a Linux Samba share on Windows, and you are worried that if they map the share they will be able to change the ownership. Is that correct?
==> Yes, I am worried about this.

If that is the case then the answer is no, because ultimately the permissions will be governed by the OS from where the share is mapped, which is Linux in this case. Linux keeps permission and ownership separate. Only the user who is the owner of that directory, or root, can change the ownership of that directory.
===> I configured the owner of folder Nu/ as admin and an ACL for user fa1 with permission rwx; then from Windows I mapped the share folder abc/ with Samba user fa1 and I could still change the permissions of folder Nu/, so after I changed rwx to rw- I was no longer able to access folder Nu/.
Could you please review this case for me?


Thank you very much.

T3RM1NVT0R 03-03-2015 03:37 AM

As I mentioned before, if you change the permission from rwx to rw you won't be able to access the directory, as on Linux execute permission is required to access a directory.

Give me the details on the users you have configured for this, current permissions, current acl listing, ownership details and I will have a look at that.

nocandcan 03-03-2015 10:13 PM

Quote:

Originally Posted by nocandcan (Post 5325937)
What you are talking about is mapping a Linux Samba share on Windows, and you are worried that if they map the share they will be able to change the ownership. Is that correct?
==> Yes, I am worried about this.

If that is the case then the answer is no, because ultimately the permissions will be governed by the OS from where the share is mapped, which is Linux in this case. Linux keeps permission and ownership separate. Only the user who is the owner of that directory, or root, can change the ownership of that directory.
===> I configured the owner of folder Nu/ as admin and an ACL for user fa1 with permission rwx; then from Windows I mapped the share folder abc/ with Samba user fa1 and I could still change the permissions of folder Nu/, so after I changed rwx to rw- I was no longer able to access folder Nu/.
I configured it again; user fa1 with rwx cannot change permissions from Windows after mapping, only the owner (admin) can change permissions, as T3RM1NVT0R says. Now I understand.
I am so sorry for my testing mistake.


Thank you very much.

Could I ask more about Samba with audit logs in this topic?

T3RM1NVT0R 03-04-2015 01:01 AM

You're welcome. Sure, go ahead.

nocandcan 03-12-2015 04:00 AM

Quote:

Originally Posted by T3RM1NVT0R (Post 5326582)
You're welcome. Sure, go ahead.

Hi,
I am sorry for my late reply.

1. About ACLs: Could you please help me to determine the permissions of a file after using default ACLs?
I am worried about this permission; is there an easy way to determine it?
I am posting one configuration I already found by searching:
# mkdir public
# setfacl -R -m u::rwx,g:ftp:rwx,d:g:ftp:rwx,o::rx public/
# getfacl public
# file: public
# owner: root
# group: root
user::rwx
group::r-x
group:ftp:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:ftp:rwx
default:mask::rwx
default:other::r-x

# echo hello, world > public/test.html
# ls -l public
total 4
-rw-rw-r--+ 1 root root 13 Aug 29 13:00 test.html
# getfacl public/test.html
# file: public/test.html
# owner: root
# group: root
user::rw-
group::r-x #effective:r--
group:ftp:rwx #effective:rw-
mask::rw-
other::r--

================
Why was folder public created with permission 755, yet after using setfacl folder public changed to 775 and the file created in folder public changed to 664?

2. About Samba audit:
I am sending my test configuration (which I found on the Internet).
With this configuration, all logs are written to only one file.
Is there any way to write logs to several files, one per shared folder or per group of folders? The log file has many lines and much information, so filtering will be very difficult.

# mkdir /biswa
# useradd admin
# smbpasswd -a admin
# chown admin.admin /biswa
# mkdir /wang
# chown admin.admin /wang
Configure Samba audit and recycle:
# vi /etc/samba/smb.conf
#Samba Audit
vfs objects = full_audit
# %u=user; %I=IP address; %m=computer name; %S=share name
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rmdir read pread write pwrite rename unlink open
full_audit:failure = connect
full_audit:facility = local7
full_audit:priority = notice
#Recycle:
vfs objects = recycle
recycle:repository = /wang/%U
recycle:keeptree = yes
recycle:versions = yes
:wq

Configure Samba share:
[bamba]
path = /biswa
writeable = yes
public = no
browseable = yes
valid users = admin
vfs objects = full_audit recycle
:wq

Configure file rsyslog.conf:
# vi /etc/rsyslog.conf
if $syslogfacility-text == local7 and $programname == smbd then /var/log/samba/log.audit
:wq

Restart service: rsyslog, smb
# /etc/init.d/smb restart
# /etc/init.d/rsyslog restart

Thank you very much for your support.
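As an added example (not from the thread or from Samba itself): a small Python parser for the full_audit records that the configuration above sends through rsyslog, splitting them per share, which is what a single shared log file makes hard to do by eye. It assumes the field order set by the `%u|%I|%m|%S` prefix followed by full_audit's own `op|result|args`; the log lines are constructed, not real captures.

```python
"""Added example (not from the thread): parse smbd full_audit syslog lines and
split them per share, since the rsyslog rule above writes everything to one file.
Field order follows the prefix in that smb.conf: %u|%I|%m|%S, then full_audit's
own op|result|args. Sample lines below are constructed, not real captures."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# syslog header, then 'smbd_audit: ' and the pipe-separated audit record
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ smbd_audit: (?P<rec>.+)$")
FIELDS = ("user", "ip", "client", "share", "op", "result")

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the audit record as a dict, or None for non-audit lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = m.group("rec").split("|", len(FIELDS))  # keep '|' inside args intact
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["args"] = parts[len(FIELDS)] if len(parts) > len(FIELDS) else ""
    rec["ts"] = m.group("ts")
    return rec

def split_by_share(lines: List[str]) -> Dict[str, List[Dict[str, str]]]:
    """Group parsed records by share name (one bucket per would-be log file)."""
    buckets: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            buckets[rec["share"]].append(rec)
    return dict(buckets)

def failures(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """full_audit writes 'ok' or 'fail (reason)' in the result field."""
    return [r for r in records if r["result"] != "ok"]

SAMPLE_LOG = [  # constructed sample, not a real capture
    "Mar 12 10:01:02 fs1 smbd_audit: admin|10.0.0.21|WS01|bamba|open|ok|r|docs/report.docx",
    "Mar 12 10:01:05 fs1 smbd_audit: admin|10.0.0.21|WS01|bamba|unlink|ok|docs/old.txt",
    "Mar 12 10:02:11 fs1 smbd_audit: fa1|10.0.0.22|WS02|abc|connect|fail (Permission denied)|abc",
    "Mar 12 10:02:30 fs1 rsyslogd-2177: imuxsock lost 541 messages from pid 3854 due to rate-limiting",
]
```

To do the same split inside rsyslog itself, a property-based filter such as `:msg, contains, "|bamba|" /var/log/samba/bamba.audit` followed by `& ~` routes one share's records to their own file before the catch-all rule sees them.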

T3RM1NVT0R 03-12-2015 03:05 PM

As I can see, you are creating the files using the root account; that wouldn't be a real test of ACLs, as when you create files using the root account they will be based on the umask value, which by default for root is 002, which in turn means 775 for directories and 664 for files.

You can check the umask value by typing the command umask.

I am not sure about sending the different errors and warnings from Samba to different files. I have never tried that before, but would try if I get a chance.

nocandcan 03-13-2015 01:04 AM

Quote:

Originally Posted by T3RM1NVT0R (Post 5331094)
As I can see, you are creating the files using the root account; that wouldn't be a real test of ACLs, as when you create files using the root account they will be based on the umask value, which by default for root is 002, which in turn means 775 for directories and 664 for files.

You can check the umask value by typing the command umask.
==> If you can, could you give an example of calculating permissions when using an access ACL and a default access ACL?

I am not sure about sending the different errors and warnings from Samba to different files. I have never tried that before, but would try if I get a chance.

==> I hope and wait for your information.

Thank you very much.
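The calculation asked for above, as an added example that is not part of the thread: a Python model of how the kernel derives a new file's access ACL from the parent's default ACL and the create mode (0666 or 0777 ANDed with ~umask), plus the mask recalculation setfacl performs, which is what turned `public` from 755 into 775. The dictionaries reuse the getfacl listings from this thread; entry names follow getfacl's own output.

```python
"""Added example (not from the thread): how Linux derives a new file's ACL from
the parent directory's default ACL, and how setfacl recomputes the mask.
Entries are keyed like getfacl prints them: 'user::', 'group:ftp', 'mask::'."""
from typing import Dict

def bits(s: str) -> int:
    """'rwx' -> 7, 'r-x' -> 5, 'rw-' -> 6."""
    return (4 if "r" in s else 0) | (2 if "w" in s else 0) | (1 if "x" in s else 0)

def text(b: int) -> str:
    return ("r" if b & 4 else "-") + ("w" if b & 2 else "-") + ("x" if b & 1 else "-")

def inherit_acl(default_acl: Dict[str, str], create_mode: int) -> Dict[str, str]:
    """Access ACL of a new object under a directory carrying default_acl.
    create_mode is what the program asked for after umask (0o666 & ~umask for a
    file, 0o777 & ~umask for mkdir). The kernel copies the default ACL, then ANDs
    user:: with the owner bits, mask:: (group:: if no mask) with the group bits
    and other:: with the other bits. Named entries are copied unchanged."""
    acl = dict(default_acl)
    owner, group, other = (create_mode >> 6) & 7, (create_mode >> 3) & 7, create_mode & 7
    acl["user::"] = text(bits(acl["user::"]) & owner)
    group_key = "mask::" if "mask::" in acl else "group::"
    acl[group_key] = text(bits(acl[group_key]) & group)
    acl["other::"] = text(bits(acl["other::"]) & other)
    return acl

def effective(acl: Dict[str, str], entry: str) -> str:
    """Rights really granted by group:: or a named entry (getfacl's #effective)."""
    if entry in ("user::", "other::", "mask::") or "mask::" not in acl:
        return acl[entry]
    return text(bits(acl[entry]) & bits(acl["mask::"]))

def recalc_mask(acl: Dict[str, str]) -> Dict[str, str]:
    """setfacl -m without an explicit m:: entry: mask = group:: OR every named
    entry. This is why 'public' went from 755 to 775 once g:ftp:rwx was added."""
    m = bits(acl["group::"])
    for key, perm in acl.items():
        if key not in ("user::", "group::", "mask::", "other::"):
            m |= bits(perm)
    return {**acl, "mask::": text(m)}

def ls_mode(acl: Dict[str, str]) -> str:
    """What ls -l shows: owner = user::, group slot = mask (if present), other = other::."""
    return acl["user::"] + acl.get("mask::", acl["group::"]) + acl["other::"]

# Constructed from the thread: default ACL on 'public'; root creates test.html with umask 002.
PUBLIC_DEFAULT = {"user::": "rwx", "group::": "r-x", "group:ftp": "rwx",
                  "mask::": "rwx", "other::": "r-x"}
TEST_HTML = inherit_acl(PUBLIC_DEFAULT, 0o666 & ~0o002)  # ls -l -> -rw-rw-r--+
```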

nocandcan 03-17-2015 11:21 PM

Hi, all.

Regarding my Samba audit configuration above:
smbd log information is saved to the file /var/log/samba/log.audit, the file /var/log/boot.log and the file /var/log/messages.
If it is saved like this, the log files will become very large.
Is there any way to save it only to the file /var/log/samba/log.audit?

After that, I searched the Internet and modified the Samba audit configuration from local7 to local5, and
in the file /etc/rsyslog.conf as follows:
*.info;mail.none;authpriv.none;cron.none;local5.none /var/log/messages
local7.*;local5.none /var/log/boot.log

then the smbd log is saved only to the file /var/log/samba/log.audit,

but there is a problem with this:
the file /var/log/messages saves many messages about rsyslogd like these:
rsyslogd-2177: imuxsock lost 541 messages from pid 3854 due to rate-limiting
rsyslogd-2177: imuxsock lost 558 messages from pid 1082 due to rate-limiting
rsyslogd-2177: imuxsock begins to drop messages from pid 1082 due to rate-limiting
rsyslogd-2177: imuxsock begins to drop messages from pid 3430 due to rate-limiting


I want the file /var/log/messages to save only information about the system, not information about rsyslogd.

Could anyone help to solve this problem?

Thank you very much.

nocandcan 04-13-2015 05:09 AM

Quote:

Originally Posted by nocandcan (Post 5333809)
Hi, all.

Regarding my Samba audit configuration above:
smbd log information is saved to the file /var/log/samba/log.audit, the file /var/log/boot.log and the file /var/log/messages.
If it is saved like this, the log files will become very large.
Is there any way to save it only to the file /var/log/samba/log.audit?

After that, I searched the Internet and modified the Samba audit configuration from local7 to local5, and
in the file /etc/rsyslog.conf as follows:
*.info;mail.none;authpriv.none;cron.none;local5.none /var/log/messages
local7.*;local5.none /var/log/boot.log

then the smbd log is saved only to the file /var/log/samba/log.audit,

but there is a problem with this:
the file /var/log/messages saves many messages about rsyslogd like these:
rsyslogd-2177: imuxsock lost 541 messages from pid 3854 due to rate-limiting
rsyslogd-2177: imuxsock lost 558 messages from pid 1082 due to rate-limiting
rsyslogd-2177: imuxsock begins to drop messages from pid 1082 due to rate-limiting
rsyslogd-2177: imuxsock begins to drop messages from pid 3430 due to rate-limiting


I want the file /var/log/messages to save only information about the system, not information about rsyslogd.

Could anyone help to solve this problem?

Thank you very much.

After finding more information, the cause of these log lines is rate-limiting.
I have disabled rate-limiting and these log lines stopped.
Add these two lines to the file /etc/rsyslog.conf:
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0


Thank you very much.

