Playing with Samba/Linux File Security
As I mentioned earlier, we're having trouble working with the file server. We are used to having pretty much free rein in each other's directories and in the shared directories (pictures, music, downloads, etc.). This morning, I have time to play with things a bit.
First, I'm working on accessing the existing shared files and folders. Working with the Pictures directory, I first changed the group from root to users:
chgrp users Pictures -R
The -R parameter makes the command recursive - travelling through all of the subdirectories and making the group change on all files.
Next, I changed the file permissions from 0755 to 0775, which gives everyone in the users group write access.
chmod 0775 Pictures -R
Seems to work OK. We can now create directories and files in the Pictures directory.
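An added example, not part of the original post: the recursive 0775 above also sets the execute bit on every regular file in the tree, which a picture share does not need. The script compares it with a mode that uses capital X, run on a constructed sample tree; the function names and file names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): what a recursive 0775 does to
# regular files, next to a type-aware mode. Tree and file names are constructed.

# Build a small sample tree with known modes: dirs 0755, files 0644.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/Pictures/2005/holiday"
    : > "$root/Pictures/a.jpg"
    : > "$root/Pictures/2005/b.jpg"
    : > "$root/Pictures/2005/holiday/c.jpg"
    find "$root/Pictures" -type d -exec chmod 0755 {} +
    find "$root/Pictures" -type f -exec chmod 0644 {} +
    printf '%s\n' "$root"
}

# Count regular files that carry any execute bit (user, group or other).
count_exec_files() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) |
        wc -l | tr -d ' '
}

# Count directories where the group lacks read, write or search.
count_dirs_not_group_writable() {
    find "$1" -type d ! -perm -070 | wc -l | tr -d ' '
}

# The command from the post: one mode for files and directories alike.
apply_blanket() { chmod -R 0775 "$1"; }

# Capital X grants execute/search to directories, and to files only if they
# already have an execute bit. It therefore cannot undo an earlier 0775.
apply_type_aware() { chmod -R u=rwX,g=rwX,o=rX "$1"; }

# Demo: run both on fresh copies of the sample tree and compare.
demo() {
    for mode in apply_type_aware apply_blanket; do
        t=$(make_sample_tree) || return 1
        "$mode" "$t/Pictures"
        printf '%-17s executable files: %s, dirs not group-writable: %s\n' \
            "$mode" "$(count_exec_files "$t/Pictures")" \
            "$(count_dirs_not_group_writable "$t/Pictures")"
        rm -rf "$t"
    done
}
demo
```

Both variants leave every directory group-writable; only the blanket mode marks the three sample files executable.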
To have these file permissions applied to new files automatically, I'm adding/changing these lines in /etc/samba/smb.conf.
In [files]:
create mask = 0775
directory mask = 0775
I restarted the Samba service and things work as expected. However, the new objects have the group set to the user name, not the users group. Adding one more line to the share configuration seems to have fixed that:
force group = users
Next, I'll tackle the user directories. Remember that I have a kind of complicated directory structure. The [homes] share is mapped to /home/Documents/%u, where Documents is a folder created by Mandrake when the user first logs in. This folder also shows up as a folder with the user's name in the [files] share. This means that there are two paths to the folder, and therefore, two ways to create a file in the folder. If the user comes in via the [files] share, the permission and group settings defined above will be enforced. This is fine, since we want files created by others to also be modifiable by others.
However, I also want to allow for private files and folders. I've set up a folder called private with a permission setting of 0700. Using hide unreadable = yes in the [files] share configuration, other users don't even know it is there. If I create new files in this folder, they should use the 0700 permission level, instead of the 0775 level prescribed in [files].
Here's the setup:
- Permissions on the Documents folder, and the named folder in /export are set to 0770 with the group set to users.
- The private folder is set to 0700 and the group is set to the user's group.
- The configuration in smb.conf includes inherit permissions = yes
So, if I create a file via the [files] share, all works as expected. But if I create a file via the [homes] share, the permissions are set (via inherit permissions), but the group is not. I want the file to inherit the group of the directory, but there doesn't seem to be an inherit group setting in Samba.
I guess I'll keep researching. Your comments are always appreciated.