LinuxQuestions.org

Linux - Security: How to setup file permissions for multiple groups/users that use Windows AND Linux (https://www.linuxquestions.org/questions/linux-security-4/how-to-setup-file-permissions-for-multiple-groups-users-that-use-windows-and-linux-841962/)

unassassinable 11-02-2010 03:06 PM

How to setup file permissions for multiple groups/users that use Windows AND Linux
 
So, I've been pounding my head on some file permissions in Linux the last couple of days. I've found a solution that works and thought I'd share it with everyone.

OK so, here's my situation:

I have a remote directory shared over NFS called tech with perms set as 0750 and owner set to root:tech.
I have 2 groups: tech and techAdmin. tech can read and execute within tech/. techAdmin can read, write, execute.
I have 4 users: user1, user2, user3, user4. user1 and user2 are members of techAdmin, user3 and user4 are members of tech.

Simple so far... but wait, here's the problem. If user1 creates a file inside tech, user2 can't read or modify it because user1 owns it. Here are a few sites that reference this problem:

http://linux.derkeiler.com/Mailing-L...5-07/2616.html
http://forums13.itrc.hp.com/service/...readId=1147220
http://old.nabble.com/ACLs,-umask-an...d27820947.html
http://lists.freebsd.org/pipermail/f...ch/213589.html

http://www.linuxquestions.org/questi...-group-755766/
http://ubuntuforums.org/showthread.php?t=141078
http://lists.bostoncoop.net/pipermai...ay/000443.html
http://www.linuxforums.org/forum/new...ns-system.html

Trying to fix this problem I found literally HUNDREDS of these threads and this same question posted EVERYWHERE. And every answer was the same.... you do it with umask, by changing EVERYONE'S umask in /etc/profile to 027 and creating a cronjob that fixes all permissions to 0750 every minute. Changing a umask to 027 can be a dangerous thing and I would NOT recommend doing this... and seriously!?! Making a crontab entry that recursively changes the perms to 0750 every 5 minutes on a multi-terabyte file server? This is BS. I ain't doing that...

Here's how to do it.

Code:

# mkdir tech
# chown root:tech tech/
# chmod g+s tech/                        # setgid bit: files created inside inherit group "tech"
# chmod 0750 tech/
# setfacl -d -m g:techAdmin:rwx tech/    # default ACL, inherited by new files and subdirectories
# setfacl -m group:techAdmin:rwx tech/   # access ACL on tech/ itself (-d above touches only the default entries)

Not sure why the last command needed to be there, as I thought the command above it would take care of it. If anyone knows why, please post in the comments.

When you run getfacl tech, you should see:

Code:

linux-host># getfacl tech
# file: tech/
# owner: root
# group: tech
# flags: -s-
user::rwx
group::r-x
group:techAdmin:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:techAdmin:rwx
default:mask::rwx
default:other::---

BUT WAIT, THERE'S MORE! This company uses Windows clients too... so we need essentially the SAME setup for them too. This can be accomplished in SAMBA. Your smb.conf file's tech share should look like this:

Code:

[tech]
        comment = Tech department only
        inherit acls = Yes
        path = /mnt/tech
        guest ok = no
        browseable = yes
        # this forces all created documents to have 750 perms
        create mask = 0750
        # same for directories
        directory mask = 0750
        # this is so that all files written to the share will be set to "chgrp tech";
        # if you don't do this, only the user that created the file will have access to it
        force group = tech
        # only the group that has write privileges
        write list = @techAdmin
        valid users = @tech

user1 and user2 can now log into Windows OR Linux and create or modify existing files within the tech directory. user3 and user4 can also log into Windows OR Linux, but only have read access... they cannot create, modify, or delete.

I know there's room for improvement on this, and if anyone has a solution that worked for them, please share it for future googlers!

Rich
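An added check, not from the post or from the acl/Samba projects, that a file-server admin could run against `getfacl` output before opening the share: it parses the format shown above and reports when the setgid bit is missing, when the techAdmin group is absent from either the access or the default ACL (what you get if only the `-d` command is run), or when the mask entry silently cuts the group's effective rights. The group name `techAdmin` and the sample output are taken from the thread.

```python
# SAMPLE is the thread's own getfacl output, embedded so the check runs offline.
SAMPLE = """\
# file: tech/
# owner: root
# group: tech
# flags: -s-
user::rwx
group::r-x
group:techAdmin:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:techAdmin:rwx
default:mask::rwx
default:other::---
"""

def parse_getfacl(text):
    """Return (header, access_acl, default_acl); ACL dicts map 'tag:qual' -> perms."""
    header, access, default = {}, {}, {}
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):                       # "# owner: root" style header
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
        elif line.startswith("default:"):              # entries new children inherit
            tag, qual, perms = line[len("default:"):].split(":")
            default[f"{tag}:{qual}"] = perms
        else:                                          # access ACL of tech/ itself
            tag, qual, perms = line.split(":")
            access[f"{tag}:{qual}"] = perms
    return header, access, default

def effective(perms, mask):  # a named entry only grants bits the mask also has
    return "".join(p if p == m != "-" else "-" for p, m in zip(perms, mask))

def check_policy(text, admin_group="techAdmin"):
    """List deviations from the post's policy (an empty list means it matches)."""
    header, access, default = parse_getfacl(text)
    problems = []
    if "s" not in header.get("flags", ""):
        problems.append("setgid bit not set: new files will not inherit the group")
    for name, acl in (("access", access), ("default", default)):
        entry = acl.get(f"group:{admin_group}")
        eff = effective(entry or "---", acl.get("mask:", "rwx"))
        if entry is None:                              # e.g. only `setfacl -d` was run
            problems.append(f"{name} ACL has no entry for group {admin_group}")
        elif eff != "rwx":
            problems.append(f"{name} ACL: mask reduces {admin_group} to {eff}")
    return problems
```

Run it as `getfacl /mnt/tech | python3 check_acl.py` after wrapping `check_policy(sys.stdin.read())` in a small main; an empty result means the directory matches the setup described in the post.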

stress_junkie 11-02-2010 05:18 PM

Thank you.

unassassinable 11-02-2010 06:35 PM

Yup! If you found this helpful, don't forget to click rep :)

Rich

Davethesnake 11-02-2010 07:40 PM

That's really sweet, assas. Trouble with me is I forget what I'm doing real quick, I think I'll have to have a blood transfusion, sorta clean my dead cells away!

unassassinable 11-02-2010 08:00 PM

It can also be done in KDE (GNOME too?) in SUSE: if you right-click on the folder > Permissions > Advanced Permissions, you can add your groups and custom permissions there. Not so bad...

Rich

