LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 11-02-2010, 03:06 PM   #1
unassassinable
Member
 
Registered: Sep 2010
Posts: 46

Rep: Reputation: 7
How to setup file permissions for multiple groups/users that use Windows AND Linux


So, Ive been pounding my head on some File permissions in linux the last couple of days. I've found a solution that works and thought I'd share with everyone.

Ok so, heres my situation:

I have a remote directory shared over NFS called tech with perms set as 0750 and owner set to root:tech.
I have 2 groups: tech, and techAdmin. tech can read and execute within tech/. techAdmin can read, write, execute.
I have 4 users: user1, user2, user3, user4. user1 and user2 is a member of techAdmin, user3 and user4 are members of tech.

simple so far...but wait here's the problem. If user1 creates a file inside tech, user2 cant read or modify it because user1 owns it. Here's a few sites that reference this problem:

http://linux.derkeiler.com/Mailing-L...5-07/2616.html
http://forums13.itrc.hp.com/service/...readId=1147220
http://old.nabble.com/ACLs,-umask-an...d27820947.html
http://lists.freebsd.org/pipermail/f...ch/213589.html

http://www.linuxquestions.org/questi...-group-755766/
http://ubuntuforums.org/showthread.php?t=141078
http://lists.bostoncoop.net/pipermai...ay/000443.html
http://www.linuxforums.org/forum/new...ns-system.html

Trying to fix this problem i found literally HUNDREDS of these thread and this same question posted EVERYWHERE. And every answer was the same....you do it with umask. by changing EVERYONES umask in /etc/profile to 027 and create a cronjob that fixes all permissions to 0750 every minute. Changing a umask to 027 can be a dangerous thing and I would NOT recommend doing this...and seriously!?! making a crontab entry that recursively changes the perms to 0750 every 5 minutes on a multi terabyte file server This is BS. I aint doing that...

Here's how to do it.

Code:
#mkdir tech
#chown root:tech tech/
#chmod g+s tech/
#chmod 0750 tech/
#setfacl -d -m g:techAdmin:rwx tech/
#setfacl -m group:techadmin:rwx tech/ - not sure why this needed to be there as the above code I though would take care of it.  if anyone knows why, please post in the comments.
when you run getfacl tech, you should see:

Code:
# linux-host># getfacl tech
#file: tech/
# owner: root
# group: tech
# flags: -s-
user::rwx
group::r-x
group:techAdmin:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:techAdmin:rwx
default:mask::rwx
default:other::---
BUT WAIT THERES MORE! This company uses Windows clients too...so we need essentially the SAME setup for them too. This can be accomplished in SAMBA. Your smb.conf file tech share should look like this:

Code:
[tech]
        comment = Tech department only
        inherit acls = Yes
        path = /mnt/tech
        guest ok = no
        browseable = yes
        create mask = 0750           #this forces all created documents to have 750 perms
        directory mask = 0750       #same for directories
        force group = tech              #this is so that all files written to the share will be set to "chgrp tech" if you dont do this only the user that created the file will have access to it.
        write list = @techAdmin     #only the group that has write privileges
        valid users = @tech
user1 and user2 can now log into Windows OR linux, create or modify existing files within the tech directory. user3 and user4 can also log into Windows OR linux, but only have read access...they cannot create, modify, delete.

I know theres room for improvement on this, and if anyone has a solution that worked for them, please share it for future googlers!

Rich

Last edited by unassassinable; 11-02-2010 at 09:23 PM. Reason: misinformation
 
Old 11-02-2010, 05:18 PM   #2
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 334Reputation: 334Reputation: 334Reputation: 334
Thank you.
 
Old 11-02-2010, 06:35 PM   #3
unassassinable
Member
 
Registered: Sep 2010
Posts: 46

Original Poster
Rep: Reputation: 7
Yup! if you found this helpful, dont forget to click rep

Rich
 
Old 11-02-2010, 07:40 PM   #4
Davethesnake
LQ Newbie
 
Registered: Oct 2010
Posts: 25

Rep: Reputation: -14
thats reall sweet assas trouble with me is i forget what im doing real quick,i think ill have to have a blood transfusion sorta clean my dead cells away!
 
Old 11-02-2010, 08:00 PM   #5
unassassinable
Member
 
Registered: Sep 2010
Posts: 46

Original Poster
Rep: Reputation: 7
It can also be done in KDE (gnome too?) in suse, if you right click on the folder > permissions > advanced permissions and add your groups and custom permissions there. Not so bad...
Rich
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Samba File permissions for multiple groups in the same general path hmendoza Linux - General 1 11-06-2009 03:43 AM
Sync Multiple Linux Servers Users, groups and passwords waddy Linux - Server 6 02-29-2008 06:28 AM
Expanding on File Permissions with multiple groups boardo Linux - General 1 01-24-2006 02:14 PM
multiple groups permissions steve007 Linux - Newbie 2 07-01-2005 12:24 PM
users, groups, and permissions mcd Linux - Newbie 3 05-26-2004 09:06 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:11 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration