1 |
Alan McKinnon schrieb: |
2 |
> On 07/05/2016 17:12, hw wrote: |
3 |
>> Michael Orlitzky schrieb: |
4 |
>>> On 04/23/2016 10:42 AM, hw wrote: |
5 |
>>>> |
6 |
>>>> Has it become entirely impossible to share a directory tree and the |
7 |
>>>> files in it with multiple users when Linux is involved? This should be |
8 |
>>>> a very simple thing to accomplish. |
9 |
>>>> |
10 |
>>> |
11 |
>>> It was never possible. It's ridiculous, but there it is. The UNIX |
12 |
>>> permissions model is too simple. ACLs were bolted on top, but most tools |
13 |
>>> retain legacy behavior with respect to group masks that breaks default |
14 |
>>> ACLs. You're seeing that same problem with your Samba share. |
15 |
>>> |
16 |
>>> Filesystem permissions are one thing that Windows got right. There's |
17 |
>>> ongoing work to bring that model to Linux, |
18 |
>>> |
19 |
>>> https://en.wikipedia.org/wiki/Richacls |
20 |
>>> |
21 |
>>> but they're going to make the same mistake again[0] and allow the group |
22 |
>>> bits to act as a mask. That means mkdir, tar, cp, 7z -- anything that |
23 |
>>> tries to mess with group bits -- isn't going to work. They'll be DOA |
24 |
>>> just like POSIX ACLs were. |
25 |
>>> |
26 |
>>> I think you can manage this with incron and POSIX ACLs. Instead of |
27 |
>>> running "chmod g+w", use sys-apps/apply-default-acl to reset the |
28 |
>>> permissions to the defaults that you set. |
29 |
>>> |
30 |
>>> I wrote apply-default-acl to solve exactly this problem. You just need |
31 |
>>> to figure out a way to run it whenever things get screwed up. Which |
32 |
>>> means, whenever a file or directory is created. |
33 |
>>> |
34 |
>>> |
35 |
>>> [0] http://www.bestbits.at/richacl/man/richacl.7.txt |
36 |
>>> |
37 |
>>> Changing the file mode permission bits: |
38 |
>>> |
39 |
>>> When changing the file mode permission bits with chmod(1), the |
40 |
>>> owner, group, and other file permission bits are set to the |
41 |
>>> permission bits in the new mode... In addition, the masked and |
42 |
>>> write_through ACL flags are set. This has the effect of limiting the |
43 |
>>> permissions granted by the ACL to the file mode permission bits... |
44 |
>>> |
45 |
>>> |
46 |
>> |
47 |
>> Hm, I'm confused. Is it not possible to somehow force |
48 |
>> samba to set a user and a group as owners of a file or |
49 |
>> of a directory which is being created on a share? |
50 |
>> |
51 |
>> If that was possible, couldn't I mount that share with |
52 |
>> the uid and gid of the owner and group samba enforces, |
53 |
>> which would then allow multiple local users to access |
54 |
>> the files and directories on that share as one? |
55 |
> |
56 |
> |
57 |
> Now you've added a whole new wrinkle that was never mentioned before - |
58 |
> samba. Yes, samba can enforce the permissions you want on file system |
59 |
> objects in shares it controls. To be accurate, it runs as root and |
60 |
> presents the perms you want to the user, but only when accessing the |
61 |
> files via samba. Look at these options in smb.conf |
62 |
> |
63 |
> create mask = 664 |
64 |
> force create mode = 664 |
65 |
> security mask = 664 |
66 |
> force security mode = 664 |
67 |
> directory mask = 2775 |
68 |
> force directory mode = 2775 |
69 |
> directory security mask = 2775 |
70 |
> force directory security mode = 2775 |
71 |
> |
72 |
> With this you can achieve what you want, but you have to ensure that |
73 |
> samba is the only way the users can access the files. |
74 |
> |
75 |
> I'm assuming you completely and correctly understand umask. |
76 |
> |
77 |
> |
78 |
|
79 |
Thank you very much! This seems to work --- and it is what I had |
80 |
in mind to begin with, yet looking at the samba documentation made |
81 |
me think that 'force create mode' (or what it was) has been removed |
82 |
from the options some time recently. |