Old 01-29-2012, 01:36 AM   #1
cojaxx8
LQ Newbie
 
Registered: Jan 2012
Posts: 4

Rep: Reputation: Disabled
Samba/Linux Inheritable File Permissions


Hi Guys,

I have got a basic Ubuntu File server up and running at home which is acting as a Storage server. Just a few questions regarding inheritable file permissions.

The way I currently have it set up is there is 1 share called "Shares". Under this folder there are subfolders like Music, Videos, Movies, etc. The way I wanted to control file access was to keep the owner of each folder as 'Root' and change the group to "SharesMusic", "SharesVideo", etc. (So essentially controlling the permissions via Linux itself.)

Then, since I wanted the permissions to be inheritable, I set the sticky "GroupID" for each folder, so that when a file was created under Music, it would inherit the group from the parent. This all works well, but I came across a problem today.

What I noticed was that when a file was created in one of the folders and then moved, not copied, to another folder, it would maintain the group from the previous folder. But if the same file was copied from one folder to another, it would inherit the group permissions as expected.

Can anyone shed some light on what I am doing wrong and the possibilities of fixing it?

Thanks
Peter
 
Old 01-29-2012, 07:16 AM   #2
thund3rstruck
Member
 
Registered: Nov 2005
Location: East Coast, USA
Distribution: Fedora 18, Slackware64 13.37, Windows 7/8
Posts: 386

Rep: Reputation: 43
Quote:
Originally Posted by cojaxx8
Hi Guys,

I have got a basic Ubuntu File server up and running at home which is acting as a Storage server. Just a few questions regarding inheritable file permissions.

The way I currently have it set up is there is 1 share called "Shares". Under this folder there are subfolders like Music, Videos, Movies, etc. The way I wanted to control file access was to keep the owner of each folder as 'Root' and change the group to "SharesMusic", "SharesVideo", etc. (So essentially controlling the permissions via Linux itself.)

Then, since I wanted the permissions to be inheritable, I set the sticky "GroupID" for each folder, so that when a file was created under Music, it would inherit the group from the parent. This all works well, but I came across a problem today.

What I noticed was that when a file was created in one of the folders and then moved, not copied, to another folder, it would maintain the group from the previous folder. But if the same file was copied from one folder to another, it would inherit the group permissions as expected.

Can anyone shed some light on what I am doing wrong and the possibilities of fixing it?

Thanks
Peter
I'm no expert (a read over Linux file permissions is better suited to explain), but a copy operation actually creates a new file, which then inherits permissions, whereas a move operation actually moves the file, retaining the original properties. You can actually use the -p switch with copy to retain the original permissions (like mv) instead of treating the copied file as a new file. On all of my fileservers we use ACLs now because they're much better suited for the enterprise (setfacl/getfacl), so you might want to look into ACLs.

Hope this helps (even slightly!)
 
Old 01-29-2012, 04:40 PM   #3
cojaxx8
LQ Newbie
 
Registered: Jan 2012
Posts: 4

Original Poster
Rep: Reputation: Disabled
You took the time to reply, so it is definitely helpful. I was reading some other articles and came across a guy who had the exact same problem, and one of the suggestions was to use ACLs... I think!

I come from a Windows background and in my mind it seems like a fairly simple concept, but obviously I don't understand the full picture. (Happy to learn new ways though.)

Can you recommend any good reference material for ACL configuration?
 
Old 01-29-2012, 07:10 PM   #4
thund3rstruck
Member
 
Registered: Nov 2005
Location: East Coast, USA
Distribution: Fedora 18, Slackware64 13.37, Windows 7/8
Posts: 386

Rep: Reputation: 43
Quote:
Originally Posted by cojaxx8
Can you recommend any good reference material for ACL configuration?
Sure thing..
Using cp and mv with ACLs
 
Old 03-29-2012, 07:04 AM   #5
cojaxx8
LQ Newbie
 
Registered: Jan 2012
Posts: 4

Original Poster
Rep: Reputation: Disabled
Hmm, so I have been playing around with ACLs recently (only just had a chance to do it) and have got most of it figured out, but still can't get certain things to work.

For example, I set the default ACL on a folder. When I create a folder it applies that default ACL, but when I create a file it doesn't. Why would that be...?
 
Old 03-29-2012, 07:52 AM   #6
thund3rstruck
Member
 
Registered: Nov 2005
Location: East Coast, USA
Distribution: Fedora 18, Slackware64 13.37, Windows 7/8
Posts: 386

Rep: Reputation: 43
Quote:
Originally Posted by cojaxx8
Hmm, so I have been playing around with ACLs recently (only just had a chance to do it) and have got most of it figured out, but still can't get certain things to work.

For example, I set the default ACL on a folder. When I create a folder it applies that default ACL, but when I create a file it doesn't. Why would that be...?
Not that this helps in the ACL department, but you can achieve cheap inheritance by using the setgid bit.

Code:
# Use getfacl/setfacl to establish a proper ACL model. The following example
# demonstrates how to achieve file inheritance without ACLs (often referred to as 'cheap' inheritance).

# Set ownership for existing file hierarchy
sudo chown -R root:mgrphotos /media/share/disk1/Photos

# Applying the setgid bit allows new files to "inherit" group membership from their parent (use this sparingly)
sudo chmod g+s /media/share/disk1/Photos
 
# Verify the setgid bit
ls -all /media/share/disk1/Photos/
  drwxrwsr-x 24 root mgrphotos 4096 2012-03-01 15:02 Family
  ...

# All new files created in the path are now owned by the mgrphotos group.
# Since this volume is mounted as 775, all members of mgrphotos share all
# the files (full control) they create on this volume.
It's been a while since I worked with ACLs in Unix, but I recently employed the technique above for an environment that was not willing to implement the ACL model.

Hope that helps in some way...

Cheers!
 
Old 03-29-2012, 09:12 AM   #7
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
I created a directory owned by root and set the regular and default ACL to include my regular user.
~/temp/dir1/dir2

I created as root two files in ~/temp/dir1 and ~/temp/dir2. I was able to append to these files as a regular user.
Here is a file I created as root:
Code:
# ls -l temp/dir2/dir3/listing 
-rw-rw-r--+ 1 root root 949 Mar 29 00:56 temp/dir2/dir3/listing
# getfacl temp/dir2/dir3/listing 
# file: temp/dir2/dir3/listing
# owner: root
# group: root
user::rw-
user:jschiwal:rwx               #effective:rw-
group::r-x                      #effective:r--
mask::rw-
other::r--
One thing to be aware of is that the filesystem needs to support ACLs and you need to use the "acl" mount option.

Another thing is if I had used "sudo ls >temp/dir2/dir3/listing", I would be the owner instead of root. The redirection is set up before the "sudo" command is run, not the "ls" command. Did you maybe do something similar? Remember to set the sticky bit to prevent one user from deleting a file owned by another user. There isn't a default sticky bit. If you want to prevent a user from deleting a file in a subdirectory, don't give that user write access on the subdirectory.

Make sure that "Inherit ACLS Yes" is in the share definition. I think it will map between Samba and Linux ACLs.
However, if your client doesn't support the cifs this may not be the case. If you use Samba between two Linux hosts, mounting shares using the cifs filesystem works best. You can even run getfacl & setfacl.

I played around with setfacl & getfacl. I didn't try accessing a Samba share from Windows (I don't run Windows).
If the directory being shared is in your home directory, I'd recommend bind mounting your Public directory somewhere else like /srv/samba/public/username. Then you can share files without needing to allow other users or groups read access to the parent directory (your home directory). You can also then use the --remount option to add noexec & nodev options to help prevent mischief.
 
Old 04-08-2012, 08:51 AM   #8
cojaxx8
LQ Newbie
 
Registered: Jan 2012
Posts: 4

Original Poster
Rep: Reputation: Disabled
Hi Guys,

So I have been doing some more testing with this stuff and just don't think it is possible to achieve what I'm after. All of my testing has revealed that inheriting file permissions works when you COPY a file, but when you MOVE a file, it just keeps the same owner/group/ACL as the previous location.

As a test I created two separate shares in the Samba config and changed a few settings such as "Force Group" and "Directory Mode", and it works perfectly. I am able to copy files between share 1 and share 2 and the permissions get overwritten.

I really only wanted to have 1 share and then control the security of each subfolder with groups, but I will just rethink my strategy. One thing is to create a cron job that runs a script that resets the permissions on a nightly basis.

I guess that is one thing I like about Windows File Sharing... lol

Cheers
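
The nightly reset mentioned in the last post, sketched as an added example that is not from any poster in the thread: a move within one filesystem is a rename of the same inode, so its group and ACL travel with it, and this script lists and repairs such entries. It assumes GNU find/stat and a hypothetical layout such as /srv/Shares/<Folder>, where each top-level folder has its own group and the setgid bit.

```shell
#!/bin/sh
# Added example. Assumed layout: SHARE/<Folder>, each <Folder> owned by its own
# group with the setgid bit set (as in the thread). /srv/Shares is hypothetical.

# List entries whose group differs from their top-level folder's group, plus
# subdirectories missing the setgid bit (typical for directories moved in).
list_drift() {
    share=$1
    for top in "$share"/*/; do
        top=${top%/}
        # Skip non-directories and symlinked top-level folders.
        if [ -L "$top" ] || [ ! -d "$top" ]; then continue; fi
        gid=$(stat -c %g "$top")
        find "$top" -mindepth 1 \
            \( ! -gid "$gid" -o \( -type d ! -perm -2000 \) \) -print
    done
}

# Repair the drift and print what was touched. Meant for a root cron job, so
# chgrp uses -h: a symlink planted in the share by a user must never cause
# the link's target outside the share to be re-grouped.
fix_drift() {
    share=$1
    for top in "$share"/*/; do
        top=${top%/}
        if [ -L "$top" ] || [ ! -d "$top" ]; then continue; fi
        gid=$(stat -c %g "$top")
        find "$top" -mindepth 1 ! -gid "$gid" -print -exec chgrp -h "$gid" {} +
        find "$top" -mindepth 1 -type d ! -perm -2000 -print \
            -exec chmod g+s {} +
    done
}

# Stand-alone use:  script audit /srv/Shares   or   script fix /srv/Shares
case "${1:-}" in
    audit) list_drift "$2" ;;
    fix)   fix_drift "$2" ;;
esac
```

Running the audit mode first shows what the fix mode would change; default ACLs, if used, are not touched by this script.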
 
  

