noci:
I think the ACL you suggested is what I am looking for, but I am failing at getting it to work exactly the way I need. I am doing more testing/learning...will let you know if I get it working. Thanks.
Main Topics
Browse All Topics
Loading Advertisement...
Question
Linux inherit file/folder permissions
I have fedora core 10 and smb. I am trying to do permissions where they are inherited from the parent folder...but it appears i can only force per-user permissions or manually run commandline scripts to fix the permissions every time i copy something over. this is not acceptable, i want the permissions set automatically. how can i do this?
my example - how do i accomplish this?:
i have my /share folder. there are 3 users allowed on the server: user1, user2, media. the /share folder has a bunch of subdirectories which include a personal folder for user1 and a personal folder for user2. user1 and user2 are the owners of their own folders and would have read/write access and media would have no access. user1 and user2 could not get into each others folder...only their own. media cant touch the user1 and user2 folders at all. now, for all of the remaining subfolders in /share... user1 and user2 would have full read/write access and media would have read/execute access only. ***the tricky part. i can use the commandline and set this up all nice. but when i add new files/folders then it gets all messed up and needs editing again. i can force umask and permissions but this is no good because it only works for the user1 area and not all those other directories or vise versa. it wont work perfectly for both. how can i make this work?
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Subscribe now for full access to Experts Exchange and get
Instant Access to this Solution
- Plus...
- 30 Day FREE access, no risk, no obligation
- Collaborate with the world's top tech experts
- Unlimited access to our exclusive solution database
- Never be left without tech help again
Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.
- "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
- "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
- "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.
See what Experts Exchange can do for you.
Got a question?
We've got the answer.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
Need individual assistance?
Our experts are ready to help.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Want to learn from the best?
Read articles from industry experts.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Working on a long term project?
Store your work and research.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
What Makes Experts Exchange Unique?
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Trusted by the world's most respected brands.
Faithfully serving IT professionals since 1996.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Free Tech Articles
-
WARNING: 5 Reasons why you should NEVER fix a computer for free.
It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
-
SCCM OSD Basic troubleshooting
SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
-
Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
-
Create a Win7 Gadget
This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
-
Outlook continually prompting for username and password
There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
-
Backup Exchange 2010 Information Store using Windows Backup
There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...
Cloud Class Webinars
- Avoiding Bugs in Microsoft Access
Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
- Top 10 Best New Features in Visio 2010
Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
- IT Consultant Business Secrets Revealed
Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
- Disaster Recovery and Business Continuity
Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
- Organize Your Visio Diagrams with Containers and Lists
Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
- How to Us Objects, Properties, Events and Methods in Microsoft Access
Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...
Join the Community
Give a Little. Get a Lot.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Answers
To get ACLs working on a Samba server, you need to first enable ACLs on the filesystem itself (usually an option in fstab), then you also need to enable them in Samba -- which is a simple
nt acl support = yes
in each share declaration you want it active for in your smb.conf file.
But you'll need to be aware of some limitations -- see
http://www.samba.org/samba
Good Luck!
Dan
IT4SOHO
it4soho:
The ACL's I meant are Linux ACL's not NT's ones. They work irrespectively from the SAMBA option.
I have a comparable problem with courier IMAP with shared folders. The courier imap daemon has no knwoledge of ACL's
You do need the packages installed as well as the options enables as it2soho states (fstab options)
Samba only adds a way translate between NT's ACL's & Unix's ACL's.
The tools are getfacl, setfacl, ACL's are a special case of the POSIX attributes managed with getfattr, setfattr. Support for ACL's exists in ext[234], xfs and reiserfs by addings the attributes to the filesystem data structures.
The attr & acl packages (on on most systems) supply the tooling & libraries required.
the line in fstab should contain the acl options in the options field
The Samba FAQ posted above tells you how to enable & setup ACLs on your *nix filesystem AND how to enable it in Samba...
If the shares are intended to be controlled entirely by Windows clients, I STRONGLY urge you NOT to try to manually setup ACL entries with setfacl on the *nix system. Instead, create your access rules ON THE WINDOWS clients.
If you start trying to do it manually on the *nix system you can get confused VERY RAPIDLY with the winbindd allocated group ids!
Just my 2-cents worth...
Dan
IT4SOHO
I dont think my smb is following the ACL rules either. Here is me making a directory in linux and then on samba. linux follows the rules, samba does not. I tried a bunch of different samba configs and restarted the smb service between edits, no luck.
linux:
user::rwx
group::r-x #effective:---
mask::---
other::---
default:user::rwx
default:group::r-x #effective:---
default:mask::---
default:other::---
samba:
user::rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:group::r-x #effective:---
default:mask::---
default:other::---
well that's just defaults...
/share/user1dir.acl should contain:
user::rwx
user:user1:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:user:user1:rwx
default:group::---
default:mask::rwx
default:other::---
/share/user2dir.acl should contain:
user::rwx
user:user2:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:user:user2:rwx
default:group::---
default:mask::rwx
default:other::---
/share/folder123dir.acl should contain:
user::rwx
user:user2:rwx
user:user2:rwx
user:media:r-x
group::---
mask::rwx
other::---
default:user::rwx
default:user:user1:rwx
default:user:user2:rwx
default:user:media:rwx
default:group::---
default:mask::rwx
default:other::---
setfacl -M user1dir.acl user1
setfacl -M user2dir.acl user2
setfacl -M folder123dir.acl user1
Note:
you dont want mask to be --- as that would remove all access. even if a special ACL exists for it.
to apply the acl to files, you have to remove all the default entries, they are only for directories
the group and other are getting read access for user1's folder. this is allowing the media user to read...but the default is set to have the user with no access. maybe i am missing something? if i make the folder in linux, it goes correct...but in samba it gives read access
linux:
user::rwx
user:user1:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:user:user1:rwx
default:group::---
default:mask::rwx
default:other::---
samba:
user::rwx
user:user1:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:user1:rwx
default:group::---
default:mask::rwx
default:other::---
Who is the owner/group of the file, (with getfacl the part after the # marks).
with ls -l they are after the protection mask (ending in +).
Are the users also assigned to the group on the file
If media is the owner of a file it allways has read access (or at least control, it can change the access mask).
It might be a problem with group/user mapping within samba / NT domain.
If you have separate groups in one domain they should be separate in the other domain too.
When you run getfacl, you need to think like a linux system -- which is to say, look for "a set of permissions" that you can apply to this user for this file. Once you find one (ANY one), stop looking and apply the ONE that you found.
This is why, for example - using traditional POSIX permissions - if a user "usera" belongs to the group "groupa" and a file "filea" has user ownership by "userb" and group ownership by "groupa" and permissions rw-r--rw-, then usera will NOT have any write permission to filea -- even though the "everybody" write permission is allowed!
Here's the "thought process" involved. "Looking for the FIRST permission that applies"
- Is the user the owner of the file? <NO> If yes, STOP and use the user permissions
- Is the user a member of the group-owner if the file? <YES> If yes, STOP and use the group permissions
- Otherwise, use the "other" (aka: everyone or all) permissions
As you can see, we STOP at the group permissions because of the membership in the group "groupa", which is the group-owner of the file.
Now, in the case of ACL's you need to remember the rule, albeit now expanded for the ACLs. Since you've left out some very important details in what you've posted, I'm going to provide my own example.
Let's say I create a file at /home/public, owned by usera, group groupa and with permissions 666 (standard read/write for all -- it is named PUBLIC!)
OK -- just for grins, let's look at the output of getfacl:
getfacl /home/public
getfacl: Removing leading '/' from absolute path names
# file: home/public
# owner: usera
# group: groupa
user::rw-
group::rw-
other::rw-
NOTE how the output of getfacl lists user, group, and other -- so if you just progress down (although you do have to look above to see which user is THE user, and which group is THE group).
OK, so let's say we have a group called media who is NOT supposed to have write access... we'd do this
setfacl -m g:media:r-- /home/public
And when we check our work, we see this:
getfacl /home/public
getfacl: Removing leading '/' from absolute path names
# file: home/public
# owner: usera
# group: groupa
user::rw-
group::rw-
group:media:r--
other::rw-
Now let's be clear -- if usera belongs to the group media, they STILL have rw- permissions (user permissions come before group permissions so we actually never even checked for the group permissions at all!)
So, next, let's say that we have a special media person, user-id of director, that - despite being in the group media - needs write access... we'd do this
setfacl -m u:director:rw- /home/public
And when we check our work, we see this:
getfacl /home/public
getfacl: Removing leading '/' from absolute path names
# file: home/public
# owner: usera
# group: groupa
user::rw-
user:director:rw-
group::rw-
group:media:r--
other::rw-
Now, when the user director accesses the file (step through this), the thought proccess in *nix is:
- Is the user the owner of the file? <NO> If yes, STOP and use the user permissions
- Is the user "director"? <YES> If yes, STOP and use the permissions for director
- need I go on? So, you see I never even look at the permissions for the groups (much less other).
OK, so the confusing part comes in when we have "conflicts" -- and it will always be a group conflict (a user can have only 1 user-id, but can belong to multiple groups...
So, let's say we have another group, kids, that we want to remove ALL access for... so we'd do this
setfacl -m g:kids:--- /home/public
And when we check our work, we see this:
getfacl /home/public
getfacl: Removing leading '/' from absolute path names
# file: home/public
# owner: usera
# group: groupa
user::rw-
user:director:rw-
group::rw-
group:media:r--
group:kids:---
other::rw-
So, along comes user culkin (as in Macaulay Culkin -- Holywood actor and member of the media group, who for the purposes of this exercise, is still a KID) who therefore happens to belong to BOTH the group kids AND the group media... now follow along (step through this), the thought proccess in *nix is:
- Is the user the owner of the file? <NO> If yes, STOP and use the user permissions
- Is the user "director"? <NO> If yes, STOP and use the permissions for director
- Is the user in the group of the file (groupa)? <NO> If yes, STOP and use the group permissions
- Is the user in the group media? <YES> If yes, STOP and use the group permissions for media
- I do NOT go on to see that he is also a member of the group KID... so those permissions will not apply
So, the operative question is "How do I make the REMOVE permissions of KID supercede the READ/WRITE permissions of media?" And the answer isn't a good one -- you make note that NEW permissions are added to the "bottom" of the list (new users to the bottom of the users list, new groups to the bottom of the groups list)... so you have to create a "heirarchy" (which ones come first). Then, you need to remove ALL of the group permissions and re-add them in the heirarchical order you decided upon. (not easy, and kind of brute-force, but the only way *I* know of).
Now, on to the issue of inherited ACLs -- Just as in getting ACLs to work at all in Samba (you had to enable ACLs in your filesystem (explicitly in ext3, it's already on with XFS) AND in your samba config file, you similarly need to separately enable ACL inheritance in Samba... in your GLOBAL section, add these lines:
inherit permissions = Yes
inherit acls = Yes
I hope that this helps explain the behaviors you're seeing as well as how to get MS Inheritance working.
Dan
IT4SOHO
First, you need to coordinate the mask & mode entries better, and drop the security mask entries ...
e.g.:
[RAID]
path = /RAID
writeable = yes
browseable = yes
valid users = media, usera
create mask = 0760
directory mask = 0770
force create mode = 0760
force directory mode = 0770
NOTE: The file create & force create modes are 760, not 770 because the execute bits are actually mapped to the DOS file permissions as follows:
user execute permission on UNIX = Archive attribute on DOS
group execute permission on UNIX = System attribute on DOS
other execute permission on UNIX = Hidden attribute on DOS
Thus, if you created the file a.dat and gave it permissions 770, your windows clients would think it was a system file -- not likely what you wanted.
ALSO NOTE: These settings apply only to files that are CREATED in the share by WINDOWS clients. Linux users are governed by the internal Linux UMASK values.
I hope this helps!
Dan
IT4SOHO
>>ALSO NOTE: These settings apply only to files that are CREATED in the share by WINDOWS clients. Linux users are governed by the internal Linux UMASK values.
how can i force linux to use a umask or something set on the server, like how windows works? I am using a mac and its doing its own 755 deal and ignoring what I set on the server. I cant go around to each client and edit their umask on each comptuer
umask is set by running the umask program.
most common use (from /etc/profile, or ~/.profile): umask 0022
meaning remove the other & group write bits.
to remove world access and leave the group & owner untouched use: umask 0007
Now the actual of the mask depends on the program doing the create call it that uses 0777 as a create protection mask
then the result would be resp. 0755 & 0770 for previous mentioned umasks.
If a program makes a readonly file (0444) then the would be resp.: 0444 & 0440
a r/w file would become 0644 resp 0660.
The umask is a per process thing, and is inherrited by children, so the umask command is actualy a shell local command.
AFAIK the umask value can be set using pam_umask in the correct pam.d profile for the sessions where you want it.
like with the following line in the right profile.
session optional pam_umask.so umask=0022
UMASK is a linux thing.... which means that it could be affecting your samba settings, but it is not likely as UMASK is supposed to operate only when the creating program (in your case, samba) does NOT request specific permissions.
For Mac clients, you probably shouldn't be using samba, but rather NFS -- Mac OS-X is built on a type of BSD Linux, which means that if your clients are Macs, you don't need samba at all. However, if you're in a mixed environment, forcing the Macs to act like Windows would at least force a common interface (samba).
However, your assertion that your Mac's own UMASK value would affect files created on the samba server (created through samba) is not valid. When using the samba interface, the samba "rules" would "override" the client-side UMASK values.
The force, mask, & mode options to samba are well tested. Assuming you're using samba later than 2.x! More likely, you're not correctly restarting Samba after you're changing the config file... instead of reloading it, please try stopping it, searching for any "latent" processes (and stopping those), and then restarting Samba.... something like:
service samba stop
pkill smbd
pkill nmbd
ps -aefww | grep mbd
(if any remaining processes)
pkill -9 smbd
pkill -9 nmbd
(then)
service samba start
Please report back if this works or not!
Good Luck!
Dan
IT4SOHO
Interesting -- the Samba Documentation has this to say about "unix extensions"
This boolean parameter controls whether Samba implements the CIFS UNIX extensions, as defined by HP. These extensions enable Samba to better serve UNIX CIFS clients by supporting features such as symbolic links, hard links, etc... These extensions require a similarly enabled client, and are of no current use to Windows clients.
So, my guess is that something else fixed it... so long as it is fixed, you may want to consider closing the question.
Dan
IT4SOHO
BTW: Looking at the ORIGINAL question, I would posit that you don't even need ACLs:
user1 belongs to the groups user1 (from /etc/passwd) and users (from /etc/groups)
user2 belongs to the groups user2 (from /etc/passwd) and users (from /etc/groups)
media belongs to the group media
/share/user1 is owned by user1 & belongs to group user1 with permissions set to "drwxrwx---"
/share/user2 is owned by user2 & belongs to group user2 with permissions set to "drwxrwx---"
/share/folder1 is owned by anyone OTHER than media & belongs to the group users. Permissions are "drwxrwxr-x"
Then, from your question:
user1 would see:
/share/user1 rwx by way of user rights on the folder (user1 is the owner)
/share/user2 --- by way of other rights on the folder (user1 is neither owner, nor a member of group user2)
/share/folder1 rwx by way of group rights on the folder (user1 belongs to users)
user2 would see:
/share/user1 --- by way of other rights on the folder (user2 is neither owner, nor a member of group user1)
/share/user2 rwx by way of user rights on the folder (user2 is the owner)
/share/folder1 rwe by way of group rights on the folder (user2 belongs to users)
media would see:
/share/user1 --- by way of other rights on the folder (media is neither owner, nor a member of group user1)
/share/user2 --- by way of other rights on the folder (media is neither owner, nor a member of group user2)
/share/folder1 r-x by way of other rights on the folder (media is neither owner, nor a member of group users)
In my personal experience, Windows users use ACLs far more often than they need to because they don't think out the logic. While the result sometimes makes things easier to see and understand, the result is also that there are often unintended consequences because they don't bother to think the logic out!
Now -- for inheritance sake, let's look at the 3 folders (I removed folder2 & folder 3, because they're just duplicates of folder1).
- /share/user1 is accessible by user1 only - because the ONLY member of the group user1 is user1, and other permissions are ---. As a result, nothing really needs to be done. Any file created within will be owned by user1 by default, and no other user will be able to get to any of those files because they won't be able to get through the directory.
- /share/user2 is in the same boat, but for user2
- /share/folder1 however, will need a very slight bit of tweaking -- we want any new files created to belong to the users group, so we should turn on the UNIX SGID attribute (chmod g+s /share/folder1). The result is that an ls -l on the folder will now yield results that look like: "drwxrwsr-x" -- note the s where the group x would have been. This means that all files created in this folder will belong to the group users (because that's the default user for the folder). It ALSO means that any new FOLDERS created in this folder will have the SGID attribute turned on by default.
NOTE however, that if you're doing this after the fact, you'll want to run the following 2 commands:
chgrp -R users /share/folder1
find /share/folder1 -type d -exec chmod 2775 '{}' \;
These two lines will a) change the group membership of every file under folder1 to users, and b) turn on the sgid bit (after group membership has been changed) for any and all DIRECTORIES under folder1. (This chmod example shows the turning on of the SGID bit with the 2 in front of the 775 (rwxrwxr-x) setting).
Good Luck!
Dan
IT4SOHO
Hehehehe... I completely understand why "unix extensions = no" was useful (and necessary) now... YOU ARE USING A MAC!
Please -- in the future, when reporting a server problem, DON'T forget to mention that you're using a Mac! Even Mac and Linux fans (like me) often ASSUME that you're talking about a Windoze client when you don't say anything else.
Knowing that the client system was a Mac at the beginning of trying to solve this would have likely resulted in a MUCH faster resolution!
You DID know that MacOS X is a version of Linux (more correctly, BSD Unix)... right? Thus, the "unix extensions = no" option DID apply to your system!
While I apologize for ASSUMING your client was a PC, I believe you share in the fault in this one!
Still, I'm glad you found a resolution!
Dan
IT4SOHO
3 Ways to Join
Business Accounts
- Perfect for organizations
- Multiple users
- Save over 36%
- Create a Business Account
Answer for Membership
- Earn free access
- Showcase your knowledge
- No credit card required
- Sign Up to Answer
Loading Advertisement...
by: nociPosted on 2009-08-19 at 05:16:05ID: 25131708
you need ACL's to do this. THen you can setup a default acl on a directory that is applied to all new files inside that directory . This is including owner & access rights.
Also it is possible to assign various different access rights to more than one group or user.
http://www.suse.de/~agruen