avatech
asked on
setfacl for multiple users with individual folder permissions in a single share
I have a Samba server integrated into Active Directory with acl installed. The Samba server works with Active Directory authentication; it's the ACL and Linux permissions I'm struggling with.
Here's the relevant Samba share definition, along with linux permissions and ACL listings
[Home]
comment = Home Shares
path = /data/home
read only = No
create mask = 0770
directory mask = 0770
browsable = Yes
public = Yes
writeable = Yes
force create mode = 0770
force directory mode = 0770
force security mode = 0770
guest ok = no
inherit permissions = yes
nt acl support = yes
The problem I am having is with a share and the proper security to allow users to see the folder contents of /data/home but not be allowed into anyone else's directory, only their own subdirectory.
/data/home contains 3 user subdirectories, as follows:
/data/home/user1
/data/home/user2
/data/home/user3
/data/home needs (if possible) to be viewable by users
/data/home must not allow anyone to write anything in this directory, only in their own sub dir
each user to have rwx to their own /data/home/user directory
Here's what I have for permissions that almost work:
root@samba# ls -l /data
drwxrwx---+ 13 root root 4096 2007-10-09 09:50 home
root@samba# ls -l /data/home
drwxrwxr-x+ 2 root root 4096 2007-10-09 09:15 user1
drwxrwxr-x+ 2 root root 4096 2007-10-09 09:16 user2
drwxrwxr-x+ 2 root root 4096 2007-10-09 09:18 user3
root@samba# getfacl /data/home/
# file: home
# owner: root
# group: root
user::rwx
user:DOMAIN\Administrator: rwx
group::rwx
group:DOMAIN\Users:r--
mask::rwx
other::---
root@samba# getfacl /data/home/user1
# file: user1
# owner: root
# group: root
user::rwx
user:DOMAIN\Administrator: rwx
user:DOMAIN\User1:rwx
group::r-x
mask::rwx
other::r-x
This setup allows the domain administrator in Windows to browse the "Home" share but no one else can browse it or access the directories assigned to them beneath it. Here is the getfacl for the sub-directories but I think that the problem is with the /data/home security.
Any ideas what I am doing wrong or any suggestions how I can start over and create the proper linux group and user permissions, chmod and ACL?
ASKER
That is a correct summary. What is the syntax to change the mask for setfacl? The man page and docs I've found for it are a bit cumbersome. I've worked out how to assign the user and group permissions OK and I figured that the mask rwx sounds like my problem.
ASKER CERTIFIED SOLUTION
Hi,
You may want to issue:
setfacl -m u:DOMAIN\User1:rx
Well xDamox answered the followup.
SOLUTION
The x allows users to access & pass the directory, the r allows them to make a listing.
And you probably want the mask also to be r-x to prevent writable directories by default (but that's more about personal taste).
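To see why the posted listings lock everyone but the administrator out, and what the r-x advice above changes, here is an added example (not code from the thread or from the acl/Samba projects) that parses the getfacl output pasted in the question and evaluates it the way acl(5) describes: owner entry first, then a matching named user, then any matching owning or named group, then other, with mask:: capping every entry except owner and other. HOME_ACL_FIXED is a constructed listing that applies the two answers (Domain Users get r-x, mask r-x); it assumes /data itself is traversable and does not model root's DAC override.

```python
"""Simulate POSIX.1e ACL evaluation for the getfacl listings in this thread."""

# getfacl output exactly as posted for /data/home and /data/home/user1
HOME_ACL_POSTED = r"""
# file: home
# owner: root
# group: root
user::rwx
user:DOMAIN\Administrator: rwx
group::rwx
group:DOMAIN\Users:r--
mask::rwx
other::---
"""

USER1_ACL_POSTED = r"""
# file: user1
# owner: root
# group: root
user::rwx
user:DOMAIN\Administrator: rwx
user:DOMAIN\User1:rwx
group::r-x
mask::rwx
other::r-x
"""

# Constructed (assumption): /data/home after the fix the answers describe,
# i.e. Domain Users r-x so they can list and traverse, mask r-x so nothing
# below the owner can write into /data/home itself.
HOME_ACL_FIXED = r"""
# file: home
# owner: root
# group: root
user::rwx
user:DOMAIN\Administrator:rwx
group::r-x
group:DOMAIN\Users:r-x
mask::r-x
other::---
"""


def parse_getfacl(text):
    """Turn getfacl text into {owner, owning_group, user, group, other, mask,
    named_users, named_groups}; perms are sets of 'r','w','x'."""
    acl = {"named_users": {}, "named_groups": {}, "mask": None}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["owning_group"] = line.split(":", 1)[1].strip()
        elif not line or line.startswith("#"):
            continue
        else:
            tag, qualifier, perms = line.rsplit(":", 2)  # tolerates ": rwx"
            perms = set(perms.strip()) - {"-"}
            if tag == "user" and qualifier:
                acl["named_users"][qualifier] = perms
            elif tag == "group" and qualifier:
                acl["named_groups"][qualifier] = perms
            else:
                acl[tag] = perms  # user::, group::, mask::, other::
    return acl


def permitted(acl, user, groups, perm):
    """acl(5) order for a single permission ('r', 'w' or 'x')."""
    mask = acl["mask"]
    masked = lambda p: p if mask is None else p & mask
    if user == acl["owner"]:
        return perm in acl["user"]  # owner entry is never masked
    if user in acl["named_users"]:
        return perm in masked(acl["named_users"][user])
    candidates = []
    if acl["owning_group"] in groups:
        candidates.append(acl["group"])
    candidates += [p for g, p in acl["named_groups"].items() if g in groups]
    if candidates:
        # any matching group entry that still carries the bit after masking grants it
        return any(perm in masked(p) for p in candidates)
    return perm in acl["other"]  # other entry is never masked


def effective(acl, user, groups):
    """Per-bit view like 'r-x' (a combined request such as read+write must be
    satisfied by one entry; this view is per permission)."""
    return "".join(p if permitted(acl, user, groups, p) else "-" for p in "rwx")


def home_share_check(home_acl_text, own_dir_acl_text, user, groups):
    """What the question asks for: list /data/home, never write there,
    full access to the user's own subdirectory."""
    home = parse_getfacl(home_acl_text)
    own = parse_getfacl(own_dir_acl_text)
    can_traverse_home = permitted(home, user, groups, "x")
    return {
        "list_home": permitted(home, user, groups, "r"),
        "write_home": permitted(home, user, groups, "w"),
        # without x on the parent the subdirectory cannot be reached at all
        "own_dir": effective(own, user, groups) if can_traverse_home else "---",
    }


if __name__ == "__main__":
    u1, grp = r"DOMAIN\User1", {r"DOMAIN\Users"}
    print("posted:", home_share_check(HOME_ACL_POSTED, USER1_ACL_POSTED, u1, grp))
    print("fixed: ", home_share_check(HOME_ACL_FIXED, USER1_ACL_POSTED, u1, grp))
```

Under the posted listing a member of DOMAIN\Users matches only group:DOMAIN\Users:r-- on /data/home, so the user can read the directory names but has no x bit and can never reach /data/home/user1, however generous that subdirectory's ACL is; the mask is not what blocks them. With r-x on the group entry the walk succeeds and user:DOMAIN\User1:rwx takes effect. Two side effects worth checking with the same evaluator: mask::r-x also caps the named DOMAIN\Administrator entry to r-x on /data/home (getfacl would print #effective:r-x), and the per-user directories as posted carry other::r-x, so any other domain user can still read a colleague's directory; tightening that to other::--- is what the "only their own subdirectory" requirement actually needs.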