I have got a basic Ubuntu file server up and running at home which is acting as a storage server. Just a few questions regarding inheritable file permissions.
The way I currently have it set up is there is 1 Share called "Shares". Under this folder there are subfolders like Music, Videos, Movies, etc. The way I wanted to control file access was to keep the owner of each folder as 'Root' and change the group to "SharesMusic", "SharesVideo", etc. (so essentially controlling the permissions via Linux itself).
Then, since I wanted the permissions to be inheritable, I set the sticky "GroupID" for each folder, so that when a file was created under Music, it would inherit the group from the parent. This all works well, but I came across a problem today.
What I noticed was that when a file was created in one of the folders and then moved, not copied, to another folder, it would maintain the group from the previous folder. But if the same file was copied from one folder to another, it would inherit the group permissions as expected.
Can anyone shed some light on what I am doing wrong and the possibilities of fixing it?
Quote:
Originally Posted by cojaxx8
Hi Guys,
I have got a basic Ubuntu file server up and running at home which is acting as a storage server. Just a few questions regarding inheritable file permissions.
The way I currently have it set up is there is 1 Share called "Shares". Under this folder there are subfolders like Music, Videos, Movies, etc. The way I wanted to control file access was to keep the owner of each folder as 'Root' and change the group to "SharesMusic", "SharesVideo", etc. (so essentially controlling the permissions via Linux itself).
Then, since I wanted the permissions to be inheritable, I set the sticky "GroupID" for each folder, so that when a file was created under Music, it would inherit the group from the parent. This all works well, but I came across a problem today.
What I noticed was that when a file was created in one of the folders and then moved, not copied, to another folder, it would maintain the group from the previous folder. But if the same file was copied from one folder to another, it would inherit the group permissions as expected.
Can anyone shed some light on what I am doing wrong and the possibilities of fixing it?
Thanks
Peter
I'm no expert (a read over Linux file permissions is better suited to explain), but a copy operation actually creates a new file, which then inherits permissions, whereas a move operation actually moves the file, retaining the original properties. You can actually use the -p switch with copy to retain the original permissions (like mv) instead of treating the copied file as a new file. On all of my fileservers we use ACLs now because they're much better suited for the enterprise (setfacl/getfacl), so you might want to look into ACLs.
You took the time to reply, so it is definitely helpful. I was reading some other articles and came across a guy who had the exact same problem, and one of the suggestions was to use ACLs... I think!
I come from a Windows background and in my mind it seems like a fairly simple concept, but obviously I don't understand the full picture (happy to learn new ways though).
Can you recommend any good reference material for ACL configuration?
Hmm, so I have been playing around with ACLs recently (only just had a chance to do it) and have got most of it figured out, but still can't get certain things to work.
For example, I set the default ACL on a folder. When I create a folder it applies that default ACL, but when I create a file it doesn't. Why would that be...?
Quote:
Originally Posted by cojaxx8
Hmm, so I have been playing around with ACLs recently (only just had a chance to do it) and have got most of it figured out, but still can't get certain things to work.
For example, I set the default ACL on a folder. When I create a folder it applies that default ACL, but when I create a file it doesn't. Why would that be...?
Not that this helps in the ACL department, but you can achieve cheap inheritance by using the setgid bit.
Code:
# Use getfacl/setfacl to establish a proper ACL model. The following example
# demonstrates how to achieve file inheritance without ACLs (often referred to as 'cheap' inheritance).
# Set ownership for the existing file hierarchy
sudo chown -R root:mgrphotos /media/share/disk1/Photos
# Applying the setgid bit allows new files to "inherit" group membership from the parent directory (use this sparingly)
sudo chmod g+s /media/share/disk1/Photos
# Verify the setgid bit (the "s" in the group permission column)
ls -all /media/share/disk1/Photos/
# Sample output:
# drwxrwsr-x 24 root mgrphotos 4096 2012-03-01 15:02 Family
# ...
# All new files created in the path are now owned by the mgrphotos group.
# Since this volume is mounted as 775, all members of mgrphotos share all
# the files (full control) they create on this volume.
It's been a while since I worked with ACLs in Unix, but I recently employed the technique above for an environment that was not willing to implement the ACL model.
One thing to be aware of is that the filesystem needs to support ACLs and you need to use the "acl" mount option.
Another thing is if I had used "sudo ls >temp/dir2/dir3/listing", I would be the owner instead of root. The redirection is set up before the "sudo" command is run, not the "ls" command. Did you maybe do something similar? Remember to set the sticky bit to prevent one user from deleting a file owned by another user. There isn't a default sticky bit. If you want to prevent a user from deleting a file in a subdirectory, don't give that user write access on the subdirectory.
Make sure that "Inherit ACLS Yes" is in the share definition. I think it will map between Samba and Linux ACLs.
However, if your client doesn't support the cifs this may not be the case. If you use samba between two Linux hosts, mounting shares using the cifs filesystem works best. You can even run getfacl & setfacl.
I played around with setfacl & getfacl. I didn't try accessing a samba share from Windows (I don't run Windows).
If the directory being shared is in your home directory, I'd recommend bind mounting your Public directory somewhere else like /srv/samba/public/username. Then you can share files without needing to allow other users or groups read access to the parent directory (your home directory). You can also then use the --remount option to add noexec & nodev options to help prevent mischief.
So I have been doing some more testing with this stuff and just don't think it is possible to achieve what I’m after. All of my testing has revealed that inheriting file permissions works when you COPY a file, but when you MOVE a file, it just keeps the same owner/group/ACL as the previous location.
As a test I created two separate shares in the Samba Config, changed a few settings such as "Force Group", "Directory Mode" and it works perfectly. I am able to copy files between share 1 and share 2 and the permissions get overwritten.
I really only wanted to have 1 Share and then control the security of each subfolder with groups, but I will just rethink my strategy. One thing is to create a cron job that runs a script that resets the permissions on a nightly basis.
I guess that is one thing I like about Windows File Sharing... lol
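
The nightly reset mentioned in the last post could look like the sketch below. It is an added example, not code from any poster in the thread; the function names find_drift and fix_drift are hypothetical, and it assumes GNU find and stat and that each top-level folder's own group is the authoritative one for everything beneath it.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout: <share>/<folder>/...,
# e.g. Shares/Music, Shares/Videos, each folder carrying its own group.

# Report drift: paths whose group differs from their top-level folder's group
# (typically files moved in from a sibling folder, since mv keeps the group),
# and directories that lack the setgid bit and so will not pass the group on.
find_drift() {
    share=$1
    for folder in "$share"/*/; do
        [ -d "$folder" ] || continue
        folder=${folder%/}
        gid=$(stat -c '%g' "$folder")
        find "$folder" \( ! -gid "$gid" -o \( -type d ! -perm -2000 \) \) -print
    done
}

# Repair drift: re-apply the folder's group, then setgid on every directory.
# chgrp -h changes a symlink itself rather than the file it points to.
fix_drift() {
    share=$1
    for folder in "$share"/*/; do
        [ -d "$folder" ] || continue
        folder=${folder%/}
        gid=$(stat -c '%g' "$folder")
        find "$folder" ! -gid "$gid" -exec chgrp -h "$gid" {} +
        find "$folder" -type d ! -perm -2000 -exec chmod g+s {} +
    done
}
```

Running find_drift on its own first shows what a later fix_drift would change; the repair step needs to run as a user allowed to chgrp the files, which for root-owned folders means root.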