[Last Call] Learn how to a build a cloud-first strategyRegister Now


setfacl for multiple users with individual folder permissions in a single share

Posted on 2007-10-09
Medium Priority
Last Modified: 2013-12-16
I have a Samba server integrated into active directory and acl installed.  The samba server works with active directory authentication it's the ACL and linux permissions I'm struggling with.

Here's the relevant Samba share definition, along with linux permissions and ACL listings


comment = Home Shares

path = /data/home

read only = No

create mask = 0770

directory mask = 0770

browsable = Yes

public = Yes

writeable = Yes

force create mode = 0770

force directory mode = 0770

force security mode = 0770

guest ok = no

inherit permissions = yes

nt acl support = yes

The problem I am having is with a share and the proper security to allow users to see the folder contents of /data/home but not be allowed into any one else's directory, only their own subdirectory.

/data/home contains 3 user subdirectories as such


/data/home needs (if possible) to be viewable by users
/data/home needs not allow anyone to write anything in this directory, only their own sub dir
each user to have rwx to their own /data/home/user directory

Here's what I have for permissions that almost work:
root@samba# ls -l /data
drwxrwx---+ 13 root root  4096 2007-10-09 09:50 home

root@samba# ls -l /data/home
drwxrwxr-x+ 2 root root 4096 2007-10-09 09:15 user1
drwxrwxr-x+ 2 root root 4096 2007-10-09 09:16 user2
drwxrwxr-x+ 2 root root 4096 2007-10-09 09:18 user3

root@samba# getfacl /data/home/

# file: home

# owner: root

# group: root







root@samba# getfacl /data/home/user1
# file: user1
# owner: root

# group: root







This setup allows the domain administrator in Windows to browse the "Home" share but no one else can browse it or access the directories assigned to them beneath it.  Here is the getfacl for the sub-directories but I think that the problem is with the /data/home security.

Any ideas what I am doing wrong or any suggestions how I can start over and create the proper linux group and user permissions, chmod and ACL?
Question by:avatech
LVL 41

Expert Comment

ID: 20045283
On /home I would expect you need the protection to set to user:DOMAIN\Users:r-x

The x allows users to access & pass the directory, the r allows them to make a listing.
And you probably want the mask also to be r-x to prevent writable directories by default. (but that's
more about personal taste).

Author Comment

ID: 20045491
That is a correct summary.  What is the syntax to change the mask for setfacl the man page and docs I've found for it is a bit cumbersome.  I've worked out how to assign the user and group permissions ok and I figured that hte mask rwx sounds like my problem.
LVL 16

Accepted Solution

xDamox earned 1200 total points
ID: 20046723
Granting an additional user read access
              setfacl -m u:lisa:r file

       Revoking write access from all groups and all named users (using the effective rights mask)
              setfacl -m m::rx file

       Removing a named group entry from a files ACL
              setfacl -x g:staff file

       Copying the ACL of one file to another
              getfacl file1 | setfacl --set-file=- file2

       Copying the access ACL into the Default ACL
              getfacl --access dir | setfacl -d -M- dir
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

LVL 16

Expert Comment

ID: 20046734

You may want to issue:

setfacl -m u:DOMAIN\User1:rx
LVL 41

Expert Comment

ID: 20051668
Well xDamox  answered the followup.
LVL 19

Assisted Solution

by:Gabriel Orozco
Gabriel Orozco earned 800 total points
ID: 20083631
I think you are looking at ACLs when you only need standard unix permissions for what you want.

just change this
force create mode = 0770
force directory mode = 0770
force security mode = 0770

to this
force create mode = 0700
force directory mode = 0700
force security mode = 0700

and make owner
root:root /home permissions 755
user1:root /data/home/user1 permissions 700
user2:root /data/home/user2 permissions 700
user3:root /data/home/user3 permissions 700

and that's it.

Featured Post

Fill in the form and get your FREE NFR key NOW!

Veeam is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you have a server on collocation with the super-fast CPU, that doesn't mean that you get it running at full power. Here is a preamble. When doing inventory of Linux servers, that I'm administering, I've found that some of them are running on l…
​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
Suggested Courses
Course of the Month17 days, 21 hours left to enroll

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question