editing ACL

Issues related to configuring your network
kkjensen
Posts: 13
Joined: 2007/01/24 18:12:58

Post by kkjensen » 2007/01/25 14:29:03

Hi there,

I've been reading everything I can on the subject but haven't quite found what I'm looking for.

I've been asked to install CentOS on a new server at work and get it set up as our file server. I've got winbind all sorted out so it's getting the users and groups from the windoze2k domain. I can map to a public drive on the machine (from windows), create files etc etc. We would like to have a bit more freedom in managing the permissions on the files, i.e. I create a file and would like to let someone else take over for me. Currently, I create a file and I get the following properties:

[quote]
[root@localhost analysis]#ls -Flathr
-rwxr--r-- 1 kjensen Domain Users [/quote]

I enabled ACL to the root directory by adding ,acl in the fstab file....now windows users can create files on the samba shares and, if they're the owner, change the permissions for themselves, the group and everyone else.

[b]QUESTION:[/b]
What if a windows user wants to turn the project over to someone else (i.e. change owners)??? I suppose they can give full access to the group (if that person were in the group) but this opens up full access to a few too many people....there's got to be some work around for this...
:-(

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: editing ACL

Post by gerald_clark » 2007/01/25 16:34:43

Can't you setup a special group for the project?
Just list the current members in the group list.
If the people in the group change, edit the group.

pjwelsh
Posts: 2629
Joined: 2007/01/07 02:18:02
Location: Central IL USA

Re: editing ACL

Post by pjwelsh » 2007/01/25 16:49:25

I'm not sure how to do this from windows without getting shell access onto the linux box. But something like:
Granting an additional user read access
setfacl -m u:lisa:r file
from the "man setfacl"

kkjensen
Posts: 13
Joined: 2007/01/24 18:12:58

Re: editing ACL

Post by kkjensen » 2007/01/25 18:16:15

I think we've figured out a way of defining our groups that will work for us....thanks.

Another quick question for you guys:
Is there a way to change the default permissions on a file when it is created? Right now the owner gets everything and the group/everyone get read only. I want the group to get write access too for the files created by any user in the group. This is a working directory for group projects so anyone could be creating files and it would be nice to avoid having to remind people all the time to add write access for their colleagues.

Thanks again.

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: editing ACL

Post by gerald_clark » 2007/01/25 19:31:51

Samba has directory and file masks and modes.
You can read the Samba docs, or:

On your server:
yum install samba-swat
chkconfig swat on
service xinetd restart

Using your web browser, connect to http://localhost:901

Select a share.
Turn on advanced view.
Check out the security options.
The Help tab is very useful.

pjwelsh
Posts: 2629
Joined: 2007/01/07 02:18:02
Location: Central IL USA

Re: editing ACL

Post by pjwelsh » 2007/01/25 19:58:31

Add a line in your smb.conf share section that has "create mask = 0770" or whatever you want.

arrfab
Site Admin
Posts: 876
Joined: 2005/01/03 21:30:54
Location: /country/belgium

Re: editing ACL

Post by arrfab » 2007/01/26 10:00:11

Check also the 'inherit permissions' and 'inherit acls' parameters you can define in smb.conf ...

kkjensen
Posts: 13
Joined: 2007/01/24 18:12:58

Re: editing ACL

Post by kkjensen » 2007/01/30 14:36:21

Thanks for the replies.

pjwelsh: I have read about the mask and thought it was just for LIMITING access. For example if the mask is rw- and I have explicit rwx then the mask takes over and knocks me down to rw-. Is it the same for adding permissions? If so, this is exactly what I was looking for.

arrfab: I'm still pretty new at linux...aside from "man " is there somewhere in particular things are documented in detail? Searching the web and forums every time proves to be time consuming when I need something as simple as "create mask = 0770"


Thanks again.

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: editing ACL

Post by gerald_clark » 2007/01/30 14:41:13

That's why I told you to install swat.

pjwelsh
Posts: 2629
Joined: 2007/01/07 02:18:02
Location: Central IL USA

Re: editing ACL

Post by pjwelsh » 2007/01/30 15:17:52

[quote]
kkjensen wrote:
Thanks for the replies.

pjwelsh: I have read about the mask and thought it was just for LIMITING access. For example if the mask is rw- and I have explicit rwx then the mask takes over and knocks me down to rw-. Is it the same for adding permissions? If so, this is exactly what I was looking for. [/quote]

"create mask" is really a synonym for "create mode" for SETTING access. This older thread has always been very useful:
http://lists.samba.org/archive/samba/2003-March/063429.html

[quote]
arrfab: I'm still pretty new at linux...aside from "man " is there somewhere in particular things are documented in detail? Searching the web and forums every time proves to be time consuming when I need something as simple as "create mask = 0770" [/quote]

@arrfab is correct, installing this web/gui utility WILL be very good for you. So, you (as root) should run "yum -y install samba-swat" and then follow some directions like:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/SWAT.html

But, google will still be your best friend ;)
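
An added example (not from any poster in this thread) that models the calculation the smb.conf man page documents for a new file when "inherit permissions" is off: the mode mapped from the DOS attributes is ANDed with "create mask", then ORed with "force create mode". "force create mode" is a real smb.conf parameter the thread does not mention; the function names are hypothetical and the settings in the loop are constructed.

```shell
#!/bin/sh
# Model of how smbd picks the Unix mode of a NEW FILE on a share.
# Assumptions: "inherit permissions = no" and the default "map archive = yes"
# (DOS archive bit -> owner execute); system/hidden mapping left off.

# samba_file_mode CREATE_MASK FORCE_CREATE_MODE [readonly]
# Prints the resulting mode as four octal digits.
samba_file_mode() {
    mask=$1; force=$2; dos_ro=${3:-}
    mode=$((0666))                          # rw for owner, group, other
    if [ "$dos_ro" = readonly ]; then
        mode=$((mode & ~0222))              # DOS read-only drops every w bit
    fi
    mode=$((mode | 0100))                   # archive bit on a new file
    mode=$(( (mode & 0$mask) | 0$force ))   # mask can only remove, force only adds
    printf '%04o\n' "$mode"
}

# mode_findings MODE -> "group-write", "world-write", both, or "none"
mode_findings() {
    m=$((0$1)); found=""
    if [ $((m & 0020)) -ne 0 ]; then found="group-write"; fi
    if [ $((m & 0002)) -ne 0 ]; then found="${found:+$found }world-write"; fi
    echo "${found:-none}"
}

# Constructed settings: the Samba default, the value suggested in the
# thread, a force-mode alternative, and an over-broad mask.
for setting in "0744 0000" "0770 0000" "0744 0020" "0777 0000"; do
    set -- $setting
    result=$(samba_file_mode "$1" "$2")
    printf 'create mask=%s  force create mode=%s  ->  %s  (%s)\n' \
        "$1" "$2" "$result" "$(mode_findings "$result")"
done
```

The default mask 0744 reproduces the -rwxr--r-- listing from the first post; 0770 lets the group write bit through because the mask no longer strips it, while 0777 would also leave new files world-writable.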
