Automatically setting recursive user/group ownership...

Forum: LinuxTotal Replies: 20
techiem2

Aug 29, 2007
12:36 PM EDT
Here's the basic idea (maybe not exactly our setup, but close enough for you to get the idea what we want) :

We have a public samba share on our file server. Under this we would have several directories. One would be for staff only (what I'm focusing on here). Maybe another for staff only to write to but anyone to read (i.e. class notes and stuff for the students to grab). This directory would be owned by root (or whatever) with a group of say faculty. The directory would be rwx user and group, but nothing for other (as this would be a private staff dir).

Now, what we want is for everything created in the directory (other directories, files) to be created with the same user and group as the parent staff dir, and maybe appropriate default file permissions (like rw user and group for files and rwx user and group for dirs?).

We're lost as to how to fix this. I know if said directory was a share in and of itself, we could use samba permissions. If it was its own partition, we could use mount options to do that.

But as neither is the case, we are completely lost. :)

Any *nix masters out there have any ideas?

Thanks!

Mark II
azerthoth

Aug 29, 2007
12:51 PM EDT
Well, I can think of an ugly ugly fix. Let the directories and such be created as normal and set up a cron job to go in every so often and make the permission changes you want.
Sander_Marechal

Aug 29, 2007
1:05 PM EDT
Setting the user/group isn't that hard. Just do `chmod ug+s` on the parent directory (and any underlying directories already created). It will then automatically set root:staff as user:group on the files and directories created.

Permissions are harder. If you find a way, let me know, because I am running into the same problem on one of my boxes. I have a directory that two users need to be able to work in so I created a group, set the g+s bit and set the umask to 002. But umask only strips permissions that are set, not add missing ones. I.e. it will turn an uploaded 666 file into 664, but if the uploaded file was originally 644, it will remain 644 and thus be only editable by the uploader.
alc

Aug 29, 2007
1:43 PM EDT
If there's an answer to that, you might find it @ http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/
gus3

Aug 29, 2007
11:30 PM EDT
This sounds like a job for ACL's. With an ACL, you can specify multiple user permissions and multiple group permissions.

A Samba connection assumes the UID/GID of the authenticated user, so any ACL will apply to that user.

The man pages for "acl", "getfacl", and "setfacl" will have more information.

If you think ACL's will help, you can enable them for an ext3 filesystem with "tune2fs -o acl [filesystem]" followed by an e2fsck. (Both while mounted read-only, of course!)
NoDough

Aug 30, 2007
8:25 AM EDT
There is a mechanism to affect the default assignment of rwx right flags, and I cannot remember the name of that mechanism right now. I'll edit this post after some quick-n-dirty research.

--EDIT-- You can set the default permissions starting at any folder with the 'umask' command. Also, the 'mkdir' command has an argument [--mode=] for setting default permissions.

Not sure about how to set ownership regardless of creator. Although, you can do this partition-wide by editing the fstab file (or with options to the 'mount' command.)

Hope this helps.
techiem2

Aug 30, 2007
9:29 AM EDT
I tried 'chmod ug+s' on my test directory. It set the group when my user created a file (i.e. touch filename), but still set the user to my user instead of root. And apparently used my user's default file settings (rwrr) - anybody know what happens when you create from windows? Does it use the default linux user's mods or something set by windows?

We can't use the umask command or mkdir cuz the people are accessing it inside a samba share (man I wish we could get rid of windows totally). And to do it by partition we would have to repartition the server to make that particular dir its own partition, which isn't exactly an idea we like.

I'll have to look into the acl stuff.
Aladdin_Sane

Aug 30, 2007
10:21 AM EDT
FUSE? Maybe?

FUSE lets me make my own partitions that aren't partitions in the traditional sense. They are just directories, but I work with them as if they are partitions, using mount and other system utilities to mess with them. Might help?

Others have touted sshfs as a nice use for FUSE, I use it with encfs to make an encrypted directory for my private stuff. I understand that it is very versatile in what it can do.

They certainly allow the sort of ownership and permissions that normal partitions allow. For example, a line from my current mount list:

encfs on /somemounts/encvol45 type fuse.encfs (rw,nosuid,nodev,default_permissions,user=Aladdin_Sane)
techiem2

Aug 30, 2007
10:30 AM EDT
hmm. That's an idea too....

Edit: Ok, so how do I mount a dir to another dir with fuse? It's not working how I would expect and google isn't helping much. :)
Sander_Marechal

Aug 30, 2007
11:03 AM EDT
Quoting: It set the group when my user created a file (i.e. touch filename), but still set the user to my user instead of root.


Hmm... rereading `man chmod`, the user or group ID is not set on file creation but on file execution. Creating a file is "execution" for a directory (in this case). For regular files it's running it. So, my solution is flawed.

If there's another way to do it besides mounting it separately or using ACL, I'd like to know. I would have figured that group collaboration is a common enough use case that it could be solved with "standard" *nix tools.
techiem2

Aug 30, 2007
11:15 AM EDT
Yeah, we kinda figured that too. :)

NoDough

Aug 30, 2007
11:51 AM EDT
I think you are confusing umask settings with file permissions settings.

'chmod' changes the file's current permissions. 'umask' changes the _default_ permissions. By changing the umask, you change how permissions will be assigned to newly created files.

http://en.wikipedia.org/wiki/Umask

Or, maybe I'm just not understanding what you need.
Sander_Marechal

Aug 30, 2007
1:07 PM EDT
NoDough: Not exactly. umask strips permissions that you do not want set. It works like you described when creating files (a new 666 file with a umask of 002 will become 664) but not when copying (e.g. copying a 644 file makes it 644, not 664). In other words: umask only removes unwanted bits, it does not add bits.
techiem2

Aug 30, 2007
3:05 PM EDT
That's how I understand it. And as far as I can tell, umask has to be set by the user in the terminal to change it.
Sander_Marechal

Aug 30, 2007
3:47 PM EDT
You can set it in /etc/login.defs, in a user's ~/.bash_profile or ~/.bashrc and for scp and the like in ~/.ssh/rc
techiem2

Aug 30, 2007
5:01 PM EDT
Yeah, but the users never actually login since they're just connecting over samba. :)
Aladdin_Sane

Aug 30, 2007
6:35 PM EDT
The way I understand FUSE is that it is an underlying structure for filesystems built on top of it. encfs and sshfs are two examples of FUSE filesystems.

There are many others.

Some others: Searching Synaptic for "fuse" in Debian Sid I see 52 packages, among the more relevant results, fusesmb.

Quoting: filesystem client based on the SMB file transfer protocol

fusesmb is a filesystem client based on the SMB file transfer protocol. This gives the ability to transparently exchange files with Microsoft Windows servers and Unix servers running Samba.

It is based on FUSE (userspace filesystem framework for Linux), thus you will have to prepare fuse kernel module to be able to use it.


My experience is with the encfs command, which mounts and unmounts my encfs FUSE filesystems. The encfs man page documents that it sends my commands ultimately to fusermount for action.

In my case, encfs set up my directories initially from two directories I made called /somemounts/encvol45 and /somemounts/.encvol45. It was very easy to do.

fusermount -u will unmount my "fake" partitions anytime. I guess using fusermount to mount them would be kinda' worthless, since they are encrypted; the encfs front end takes care of that, I mount them on login with my account using .bashrc:

/usr/bin/encfs /somemounts/.encvol45 /somemounts/encvol45

(One cool result is that even root cannot mess with the encfs volumes, root has no permission and cannot "see" them properly to do anything useful with them.)

I'm assuming that fusesmb would be somehow analogous to this, allowing permissions and ownership to be set "per-partition" on as many directories as one cares to create. I can't try it directly because I have no Windows systems here to experiment with, it would be fruitless.
Sander_Marechal

Aug 30, 2007
8:53 PM EDT
Quoting: users never actually login since they're just connecting over samba.


IIRC samba runs as its own user. Perhaps setting a umask for that user will work. That said, I think you're far better off simply splitting the share in two and configuring Samba accordingly.
techiem2

Aug 31, 2007
7:29 AM EDT
Actually, when you connect to samba with windows, it uses your windows login information by default. If that fails, it either drops you to guest, or asks for login information, depending on how it's set up.

So in a roundabout way you do login, but it's a samba login and not a *nix terminal login, so your *nix user environment has no effect.
techiem2

Aug 31, 2007
7:35 AM EDT
So after playing with ACLs a bit yesterday, I think my boss has decided the easiest thing to do will be to just use a cron job to fix ownership/permissions on the stuff. I did find ACLs to be fairly interesting though.

He said that everyone is in the proper group already, so all files created will have the proper group ownership, so it's just a matter of tweaking the user ownership if we want and changing any permissions we want.

But we'll see if we actually do that. :)

He's not in today so I'm guessing we'll be working on it more next week.
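
The umask behaviour debated above and the cron-job repair this thread settles on, as an added example that is not part of any poster's message: the first function shows that umask only clears bits, the second is a fix-up pass of the kind a cron entry could run. Function names and the sample tree are made up for illustration; it assumes a `stat` that supports `-c '%a'` (GNU or BusyBox).

```shell
#!/bin/sh
# Added illustration: names and the temporary sample tree are constructed.

mode_of() { stat -c '%a' "$1"; }   # octal mode of a path

# umask clears bits at creation time; it never adds any.
umask_demo() {
    d=$(mktemp -d) || return 1
    (
        umask 002
        touch "$d/created"                   # touch requests 666 -> 664
        touch "$d/src"; chmod 644 "$d/src"
        cp "$d/src" "$d/copied"              # cp requests 644 -> stays 644
    )
    echo "$(mode_of "$d/created") $(mode_of "$d/copied")"
    rm -rf "$d"
}

# Periodic repair of a shared tree.
# $1 = directory, $2 = group (caller must be a member of it, or root).
fix_shared_tree() {
    tree=$1 group=$2
    # -h changes a symlink itself, so links cannot redirect the change
    # to files outside the tree.
    find "$tree" -exec chgrp -h "$group" {} +
    # Directories: rwx for user and group, none for other, plus setgid
    # so new entries inherit the group.
    find "$tree" -type d -exec chmod 2770 {} +
    # Regular files: rw for user and group, none for other.
    find "$tree" -type f -exec chmod 660 {} +
}

# Constructed sample: an "upload" that arrived as 644 gets normalised.
repair_demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/staff/notes"
    ( umask 022; touch "$t/staff/notes/upload.doc" )   # lands as 644
    fix_shared_tree "$t/staff" "$(id -g)"
    echo "$(mode_of "$t/staff/notes/upload.doc") $(mode_of "$t/staff/notes")"
    rm -rf "$t"
}

umask_demo
repair_demo
```

Changing the owning user as well (for example to root) would need a `chown` step run with root privileges, which this sketch leaves out.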
NoDough

Sep 02, 2007
7:18 PM EDT
IIRC, you can set create file and create directory permissions on a per share basis in smb.conf.
