| 1 |
On 07/05/2016 17:12, hw wrote: |
| 2 |
> Michael Orlitzky schrieb: |
| 3 |
>> On 04/23/2016 10:42 AM, hw wrote: |
| 4 |
>>> |
| 5 |
>>> Has it become entirely impossible to share a directory tree and the |
| 6 |
>>> files in it with multiple users when Linux is involved? This should be |
| 7 |
>>> a very simple thing to accomplish. |
| 8 |
>>> |
| 9 |
>> |
| 10 |
>> It was never possible. It's ridiculous, but there it is. The UNIX |
| 11 |
>> permissions model is too simple. ACLs were bolted on top, but most tools |
| 12 |
>> retain legacy behavior with respect to group masks that breaks default |
| 13 |
>> ACLs. You're seeing that same problem with your Samba share. |
| 14 |
>> |
| 15 |
>> Filesystem permissions are one thing that Windows got right. There's |
| 16 |
>> ongoing work to bring that model to Linux, |
| 17 |
>> |
| 18 |
>> https://en.wikipedia.org/wiki/Richacls |
| 19 |
>> |
| 20 |
>> but they're going to make the same mistake again[0] and allow the group |
| 21 |
>> bits to act as a mask. That means mkdir, tar, cp, 7z -- anything that |
| 22 |
>> tries to mess with group bits -- isn't going to work. They'll be DOA |
| 23 |
>> just like POSIX ACLs were. |
| 24 |
>> |
| 25 |
>> I think you can manage this with incron and POSIX ACLs. Instead of |
| 26 |
>> running "chmod g+w", use sys-apps/apply-default-acl to reset the |
| 27 |
>> permissions to the defaults that you set. |
| 28 |
>> |
| 29 |
>> I wrote apply-default-acl to solve exactly this problem. You just need |
| 30 |
>> to figure out a way to run it whenever things get screwed up. Which |
| 31 |
>> means, whenever a file or directory is created. |
| 32 |
>> |
| 33 |
>> |
| 34 |
>> [0] http://www.bestbits.at/richacl/man/richacl.7.txt |
| 35 |
>> |
| 36 |
>> Changing the file mode permission bits: |
| 37 |
>> |
| 38 |
>> When changing the file mode permission bits with chmod(1), the |
| 39 |
>> owner, group, and other file permission bits are set to the |
| 40 |
>> permission bits in the new mode... In addition, the masked and |
| 41 |
>> write_through ACL flags are set. This has the effect of limiting the |
| 42 |
>> permissions granted by the ACL to the file mode permission bits... |
| 43 |
>> |
| 44 |
>> |
| 45 |
> |
| 46 |
> Hm, I'm confused. Is it not possible to somehow force |
| 47 |
> samba to set a user and a group as owners of a file or |
| 48 |
> of a directory which is being created on a share? |
| 49 |
> |
| 50 |
> If that was possible, couldn't I mount that share with |
| 51 |
> the uid and gid of the owner and group samba enforces, |
| 52 |
> which would then allow multiple local users to access |
| 53 |
> the files and directories on that share as one? |
| 54 |
|
| 55 |
|
| 56 |
Now you've added a whole new wrinkle that was never mentioned before - |
| 57 |
samba. Yes, samba can enforce the permissions you want on file system |
| 58 |
objects in shares it controls. To be accurate, it runs as root and |
| 59 |
presents the perms you want to the user, but only when accessing the |
| 60 |
files via samba. Look at these options in smb.conf |
| 61 |
|
| 62 |
create mask = 664 |
| 63 |
force create mode = 664 |
| 64 |
security mask = 664 |
| 65 |
force security mode = 664 |
| 66 |
directory mask = 2775 |
| 67 |
force directory mode = 2775 |
| 68 |
directory security mask = 2775 |
| 69 |
force directory security mode = 2775 |
| 70 |
|
| 71 |
With this you can achieve what you want, but you have to ensure that |
| 72 |
samba is the only way the users can access the files. |
| 73 |
|
| 74 |
I'm assuming you completely and correctly understand umask. |
| 75 |
|
| 76 |
|
| 77 |
-- |
| 78 |
Alan McKinnon |
| 79 |
alan.mckinnon@×××××.com |
Archives