[SOLVED] Hidden Permissions - Zentyal Admins unable to read User Created Folders
I am the co-administrator of a small private school's domain system. I set the system up using Zentyal 3.4, to which Windows and Ubuntu clients both connect. Students have their own personal logins with their personal "Server Drive" of 500Mb space on the server. These "Server Drives" are the users' home folders (i.e., user john.smith's server drive is under /home/john.smith).
I have had multiple problems with the permissions before. By mixing Ubuntu's drwxrwxrwx permission system and Zentyal's ACLs, I managed to get all administrators access to the users' files by creating a symlink to the home folder that only admins have permission to. I used the Zentyal File Sharing (Samba) to add this to Samba, and it worked for a while. (/userfiles is a symlink to /home that only admins can access. I do this because Samba will mess up if I create a share with /home, since that is what the users are using when they get their Server Drive; duplicate Samba entries, I guess.)
Each user's home folder is owned by them as the user but owned by Administrators as the group. Perms are set to 770 for all of them, including any sub-folders, the typical user's folder will look as follows:
drwsrws--- 4 john.smith Administrators 4096 Aug 15 16:02 john.smith/
The users can access all their files, and the admins can access their files as well. The problem comes when the users create their own personal folders. In /etc/skel, the users start with a Documents and a Pictures folder. Anything in here (not including subfolders) is readable by any admin. If a user creates a personal folder anywhere (i.e. /home/john.smith/Computer Class), admins can't read it.
I have tried fixing the problem by doing:
for line in $(ls -1)
do
    chown -R "$line":Administrators "$line"   # owner = the folder's name (the username), group = Administrators
    chmod -R 770 "$line"                      # user rwx, group rwx, others nothing
done
This basically sets the permissions of all folders and files to that seen above. It still doesn't work. I've also tried doing:
setfacl -b john.smith
Still nothing. There is no difference between the ACL and Ubuntu permission results for the Documents or Pictures folder (readable) and the users' personally created folders (non-readable). What am I doing wrong here? Any suggestions to clean up this mess? How can I get these permissions to how I need them to be?
Last edited by derekpock; 09-30-2014 at 02:30 PM. Reason: Cleanup
This happens because anything they create is dependent on the umask, which I don't really know how it works on Samba, and on the main group the users are part of... The good news is that you can use default ACLs to fix this. Default ACLs just set defaults for new files or directories, and something like the following should help you resolve this problem for new files (if Samba doesn't actually modify permissions).
I think for some reason setfacl's recursive mode isn't really recursive. After all of this I am still unable to access the files on a Windows client as admin. I am, however and oddly enough, able to log in as admin on the server and read the files all I want. Any suggestions beyond this? I think Zentyal is getting in the way somehow.
EDIT: I should clarify. I CAN read from ReadableFolder from Windows Clients as admin. I CANNOT read from NonreadableFolder from Windows Clients as admin. I can read from both when logging directly onto the server as admin.
Last edited by derekpock; 10-02-2014 at 11:44 AM. Reason: clarify readability of folders
Hmm... Is it possible that the user that is in the Administrator group is also part of the normal users (__USERS__) group? Maybe for some reason it doesn't obey the normal group permissions and only the extended ones set on __USERS__.. Somehow I think (can't test this right now) that Windows is actually only listening to that permission in this case..
Yes. User admin is part of the __USERS__ group. That would make sense why Windows only listens to that special group. I don't think I can remove this group from admin without domain logons being interrupted and affected. The integration of the active directory between Windows and this Ubuntu Server is in the dark depths of Zentyal. Their interface for adding special acls on the home directory either isn't allowed or malfunctions. Unfortunately, I don't have access to this server again until next Monday. I will try this out then, doing more research on setfacl and getfacl, and acls in general. I will let you know if this helps on Monday. Thanks for your help so far!
I'm still at a complete loss. I have made a very nasty work around for now, but I still need to fix these acls or hidden permissions sometime. This is NOT solved, so if you have more suggestions, let me know.
This topic is marked as "solved". Can you tell us how you solved the users' access permissions problem?
Now I use Zentyal 4.1 and I have the same problem with owners and permissions for users' home folders. From the Zentyal web panel I created users and groups. And in the home folder the users' folders were created with my admin account as owner (the account I was logged into the Zentyal web panel with when I created those users). But, as I think, this is wrong. Users' home folders must have user_name as owner and domain_admin as group. Can you help? Tell me, please, where and how I can set default permissions for users' home folders in Zentyal?
The last post states that I made a messy work-around that I really shouldn't suggest to anyone. As of this post, I've moved and am no longer the SysAdmin with this issue. If you have this issue as well, start a new post with newer information from the newer releases.
IF YOU MUST, however, use the messy work-around I was, this is what I did:
In /etc/rc.local, add the following lines (or something similar) before the exit 0;
Code:
IFS="
"
for userFolder in $(ls -1 /home | grep -v "directoryInHomeThatIsNotAUsersFolder" | grep -v "anotherDirectoryInHomeThatIsNotAUsersFolder" | grep -v "etc...")
do
    # ls gives bare names; rc.local does not run from /home, so use the full path
    chmod -R 770 "/home/$userFolder"                          # user rwx, group rwx, others nothing
    chown -R "$userFolder":ADMINISTRATOR "/home/$userFolder"  # owner = folder name (the username), group = admin group
done
The code above, every startup, changes the permissions in the home folder so that every user's folder has the permissions USER=[the name of the user's folder, usually the username itself] GROUP=ADMINISTRATOR MOD=user-read,write,execute; group-read,write,execute; everyoneElse=none;
Basically, any ADMINISTRATOR (you can change that to whatever admin group you have) will have access to all user files, and each USER will have full access to their files.
AGAIN, I can't stress this enough....I REALLY DON'T RECOMMEND THIS AS A LONG-TERM SOLUTION
Only use this short-term and seek more help to fix the problem finally either on this forum, another one, or on Zentyal's own forum pages.
Very strange that this problem is still current and the Zentyal developers don't fix it. I wrote the same post on the Zentyal forum, but haven't received any answer yet.
In my situation, the domain server on Zentyal will work in a small company (about 20 users) and I can set up the needed permissions once by hand after creating all the domain users. And then, if newly created sub-folders in users' home folders have wrong owners (and/or permissions), I plan to create a shell script which will be started by a cron task every 5-15 min and change the owners.
Sounds reasonable, but I would, in that shell script, only change the perms if they need to be changed. I.e., check whether the perms are set correctly before changing them constantly.
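As an added example (not from the thread, Zentyal or any poster), here is the check-before-change script the last reply asks for, together with the default-ACL alternative the earlier ACL reply points at. It assumes GNU coreutils/findutils and the acl package; the home root, the admin group name and the temp-dir demo tree are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Zentyal): an idempotent version
# of the rc.local/cron repair discussed above, plus the default-ACL fix the
# ACL suggestion points at. Assumes GNU coreutils/findutils (stat -c, find)
# and the acl package for setfacl; ROOT and GROUP are parameters.

# repair_home ROOT GROUP: for every ROOT/<user>/ make <user>:<GROUP> the owner
# and 770 the mode of the whole tree, touching only entries that are wrong.
# Prints one "chown ..." or "chmod ..." line per change, nothing when clean.
repair_home() {
    root=$1 group=$2
    for dir in "$root"/*/; do
        dir=${dir%/}; user=${dir##*/}
        [ -d "$dir" ] || continue
        # ownership: list only entries that are not already <user>:<group>
        find "$dir" \( ! -user "$user" -o ! -group "$group" \) -print |
        while IFS= read -r path; do
            chown "$user:$group" "$path" && echo "chown $user:$group $path"
        done
        # mode: compare only the low three octal digits, so a setgid home
        # (drwsrws--- = 6770) is accepted instead of being re-fixed every run
        find "$dir" -print | while IFS= read -r path; do
            mode=$(stat -c %a "$path"); mode=${mode#"${mode%???}"}
            [ "$mode" = 770 ] && continue
            chmod 770 "$path" && echo "chmod 770 $path"
        done
    done
}

# default_acl HOME GROUP: what the default-ACL suggestion amounts to. The d:
# entry is inherited by every new file or folder the user creates, so admins
# keep access to "Computer Class"-style folders without any periodic chmod.
default_acl() {
    setfacl -R -m "g:$2:rwx" -m "d:g:$2:rwx" "$1"
}

# demo: constructed tree in a temp dir; the second run should print nothing
demo() {
    tmp=$(mktemp -d); me=$(id -un); grp=$(id -gn)
    mkdir -p "$tmp/$me/Computer Class"; chmod 755 "$tmp/$me" "$tmp/$me/Computer Class"
    echo "first run:";  repair_home "$tmp" "$grp"
    echo "second run:"; repair_home "$tmp" "$grp"
    rm -rf "$tmp"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run as `sh fixhome.sh demo` to see the constructed tree repaired once and then left alone; on a real server the cron job would call repair_home /home Administrators instead.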