Solved

Ubuntu File Server, Permission Problems !

Posted on 2012-12-31
10
396 Views
Last Modified: 2013-01-14
I have a remote file server running Ubuntu 10.04 but really and (I mean REALLY) struggling in getting the permissions set correctly..

I have users A,B,C,D.
User A is in groups admin and lxusers.
Users B,C,D are in the group lxusers.

I have a root share called 'Shared Folder' currently owner root & group is admin.  I want users to be able to create sub folders and files inside 'Shared Folder'. The user that creates folders and files will be the owner and those folders and files they create will inherit the parents group of admin. I only want the owner & members of the admin group to be able to delete any of the folders or files created, I am happy enough for any of the lxusers group to read anything thats created by any user.

This so far appears to be working to a point, but I do have one problem that is causing me real grief. If any user in the lxusers group creates a folder then files inside that folder, other users can delete the files but not the folder.. Just can't work out where I have gone wrong, advice to resolve would be appreciated..

Entry in smb.conf:-

[Shared Folder]
      browseable = yes
      writeable = yes
      invalid users = root
      path = /mnt/raid/Shared
      comment = Shared folder for All Users
      valid users = @admin,@lxusers
        create mode = 0774
        directory mode = 0774
        force group = admin

Kind Regards

John
DirPermissions.jpg
FilePermissions.jpg
0
Comment
Question by:mrmad1966
  • 6
  • 4
10 Comments
 
LVL 77

Accepted Solution

by:
arnold earned 500 total points
ID: 38732685
What are the permissions on the folder?
You are forcing the files to be created with the group admin
You should use setfacl to include.
Not you would need to periodically rerun the setfacl directive to attach to changed files.

Group permissions of 7 (rwx) on file creation.  What is it you want? Do you want files created to have permissions of 644?
You can have directory 0770 while create mode of 750?

You should create yet another test share and try to vary your settings.
0
 
LVL 1

Author Comment

by:mrmad1966
ID: 38732734
Arnold, thank for the help.

The result of ls -l on the Shared folder is:-
drwxrwsr-T 45 root admin    4096 2012-12-31 13:48 Shared

HTH
0
 
LVL 77

Assisted Solution

by:arnold
arnold earned 500 total points
ID: 38733123
Ok, getfacl Shared.

The group permission of 7 is what lets users delete files since any valid user runs with admin group membership.
0
 
LVL 1

Author Comment

by:mrmad1966
ID: 38733294
Arnold, I have now installed acl. Here I post the output of getfacl Shared.
I have done as you suggested, setup a new share to play with. If I do not hear any more from you. Happy New Year .....
John
putty.log
0
 
LVL 1

Author Comment

by:mrmad1966
ID: 38733450
Arnold, The new share I created to play with is called NewSharedFolder.
UserA (thats me) is a member of the admin group I can confirm I can access the folder just fine. Users B,C,D  do not now have access to the folder..

I post another result of getfacl for the NewSharedFolder..

Thank you
putty.log
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 77

Assisted Solution

by:arnold
arnold earned 500 total points
ID: 38733518
Have a happy new year as well.

At this point the getfacl repors the default (chmod 775 for root:admin)
Make sure when you define this new share, do not force admin as the default group for access while including your valid users @admin,@lxusers

The groupIDof(group) needs to be replaced with the numeric value of the group based on /etc/group

setfacl -R -m g:groupIDof(lxusers):rwx NewSharedFolder


The above will add read/write/execute rights
-R means apply the change recursively.

You would need to schedule the rerunning of this on a regular basis to update rights.
0
 
LVL 1

Author Comment

by:mrmad1966
ID: 38734140
Thank you Arnold. I have implemented this but one problem, the lxuser group can now indeed write folders and files to this NewSharedFolder but there seems to be no sticky set ie any member of the lxusers group can delete any other users folder/files. I wish only the owner AND a member of the admin group be allowed to delete folders and files.

Sorry for the headache !
0
 
LVL 77

Assisted Solution

by:arnold
arnold earned 500 total points
ID: 38734389
If the lxuser group member needs only the ability to read, change the setfacl to read/execute only for this group
setfacl -R -m g:gid_lxusers:rx NewShareFolder

This way lxusers can read, but can not write nor delete.

Filesystem level restriction do not have the functionality you want, you need to look at document management system that will have the granular control I.e. will allow creation of files, but not deletion of other users files.
0
 
LVL 1

Author Comment

by:mrmad1966
ID: 38734817
Thanks... Need to go play now !
0
 
LVL 1

Author Closing Comment

by:mrmad1966
ID: 38777249
Thank you
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction Regular patching is part of a system administrator's tasks. However, many patches require that the system be in single-user mode before they can be installed. A cluster patch in particular can take quite a while to apply if the machine…
The purpose of this article is to demonstrate how we can use conditional statements using Python.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now