restricting access to subdirectory globally accessible
|
|
| Troy Piggins 2005-10-30, 5:51 pm |
| [apologies if this is multi-posted - I had some errors with linux.samba]
I have a samba server that shares a directory called "projects",
subdirectories of which are, funnily enough, each project for our
company. Each project's directory has a file hierarchy like this:
job no & name - correspondence - certificates
- email-attachments-in
- email-attachments-out
- faxes
- fee-proposals
- letters
- reports
- specifications
- design - spreadsheets
- analysis
- drawings
- photos
and so on. Everyone is a member of group "staff", there are some users
that are also members of group "admin" who I want to be the only ones
that can access the "fee-proposals" directory (at present everyone can
access it and the bosses don't like that).
Here is the current extract from /etc/samba/smb.conf :
[Projects]
comment = Projects Directory
path = /office/projects
public = no
writable = yes
write list = @staff
create mask = 0775
directory mask = 0775
force create mode = 0660
force directory mode = 0770
I don't know how to have different permissions on the subdir.
Thanks. Not sure if I posted enough details here - let me know if more
info required.
--
Troy Piggins
Where I live: 27 27 44 S 153 02 28 E
http://earth.google.com
| |
| Michael Vilain 2005-10-30, 8:48 pm |
| In article <slrndmai6t.pmu.usenet-0510@piggo.com>,
Troy Piggins <usenet-0510@piggo.com> wrote:
> [apologies if this is multi-posted - I had some errors with linux.samba]
>
> I have a samba server that shares a directory called "projects",
> subdirectories of which are, funnily enough, each project for our
> company. Each project's directory has a file hierarchy like this:
>
> job no & name - correspondence - certificates
> - email-attachments-in
> - email-attachments-out
> - faxes
> - fee-proposals
> - letters
> - reports
> - specifications
> - design - spreadsheets
> - analysis
> - drawings
> - photos
>
> and so on. Everyone is a member of group "staff", there are some users
> that are also members of group "admin" who I want to be the only ones
> that can access the "fee-proposals" directory (at present everyone can
> access it and the bosses don't like that).
>
> Here is the current extract from /etc/samba/smb.conf :
>
> [Projects]
> comment = Projects Directory
> path = /office/projects
> public = no
> writable = yes
> write list = @staff
> create mask = 0775
> directory mask = 0775
> force create mode = 0660
> force directory mode = 0770
>
> I don't know how to have different permissions on the subdir.
>
> Thanks. Not sure if I posted enough details here - let me know if more
> info required.
You could change the group owner of the fee-proposals directory to
"admin", with a specific person or account being the directory's owner.
That way, staff won't have access, just "admin". The problem is that
jobs will have to have a fixed structure to which it must be adhered to
maintain this security. Either create new jobs directories with a
script or use a blank one and duplicate it.
I originally thought ACLs might be useful here, but I don't know if Linux
(what version of the kernel) would implement it correctly nor if Samba
would utilize them. They work on Solaris 7 with Samba, but Linux is a
different, somewhat flaky beast. But you should be OK with regular
groups and permissions here.
--
DeeDee, don't press that button! DeeDee! NO! Dee...
| |
| Troy Piggins 2005-10-30, 8:48 pm |
| * Michael Vilain wrote:
> In article <slrndmai6t.pmu.usenet-0510@piggo.com>,
> Troy Piggins <usenet-0510@piggo.com> wrote:
>
>
> You could change the group owner of the fee-proposals directory to
> "admin", with a specific person or account being the directory's owner.
> That way, staff won't have access, just "admin". The problem is that
> jobs will have to have a fixed structure to which it must be adhered to
> maintain this security. Either create new jobs directories with a
> script or use a blank one and duplicate it.
Ok. So for the "template" directory, make sure the linux group
permissions are for "admin" on that "fee proposals" directory and
"staff" for all others. I understand how that works for the directory
being accessed for linux users.
But I thought the @staff directive in [Projects] may override when the
directory is accessed through samba and allow all to see it.
Also I was sure I'd tried something like this before, and when someone
set up a new project by copying the "template" directory structure to
the "projects" directory, all the permissions were lost/changed and all
staff could access the subdirectories.
> I originally thought ACLs might be useful here, but I don't know if Linux
> (what version of the kernel) would implement it correctly nor if Samba
> would utilize them. They work on Solaris 7 with Samba, but Linux is a
> different, somewhat flaky beast. But you should be OK with regular
> groups and permissions here.
I would've thought they /do/ work, I just don't know anything about them
or how to set them up - I just know they exist... might look into it.
Thanks.
--
Troy Piggins
Where I live: 27 27 44 S 153 02 28 E
http://earth.google.com
| |
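The approach discussed in the two posts above (job directories created by a script with fee-proposals owned by group "admin", and permissions that get lost when a template is copied), as an added shell example that is not part of the thread. The function names, the shortened directory list and its nesting are assumptions; the group names default to the ones in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Group names default to the thread's
# "staff" and "admin"; function names and the shortened directory list
# are assumptions for illustration.
STAFF_GROUP=${STAFF_GROUP:-staff}
ADMIN_GROUP=${ADMIN_GROUP:-admin}
RESTRICTED=fee-proposals

# Re-apply group and mode to one job directory, for example after it was
# copied from the template without preserving ownership and permissions.
fix_job_perms() {
    job=$1
    chgrp -R "$STAFF_GROUP" "$job" || return 1
    find "$job" -type d -exec chmod 2775 {} + || return 1
    # Restricted directories: group admin, setgid so new entries inherit
    # that group, and nothing for "other" (users who are only in staff).
    find "$job" -type d -name "$RESTRICTED" | while IFS= read -r d; do
        chgrp -R "$ADMIN_GROUP" "$d" && chmod -R o-rwx "$d" && chmod 2770 "$d"
    done
}

# Create a new job with the fixed layout, then lock it down.
new_job() {
    job=$1
    for sub in correspondence/certificates correspondence/fee-proposals \
               correspondence/letters design/spreadsheets drawings photos; do
        mkdir -p "$job/$sub" || return 1
    done
    fix_job_perms "$job"
}

# List restricted directories under a projects root that are not owned by
# the admin group or that grant any permission to "other".
# Returns 0 when none are exposed, 1 otherwise.
audit_restricted() {
    bad=$(find "$1" -type d -name "$RESTRICTED" \
        \( ! -group "$ADMIN_GROUP" -o -perm -004 -o -perm -002 -o -perm -001 \))
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}
```

Samba performs file access as the authenticated Unix user unless `force user`, `force group` or `admin users` is set, so these modes apply to share access as well, and `write list = @staff` does not bypass them. Staff keep write permission on the parent directory, so they can still rename a fee-proposals directory even though they cannot enter it; `audit_restricted` matches by name and would not see a renamed one.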
| Michael Vilain 2005-10-31, 2:49 am |
| In article <20051031102740@usenet.piggo.com>,
Troy Piggins <usenet-0510@piggo.com> wrote:
> * Michael Vilain wrote:
>
> Ok. So for the "template" directory, make sure the linux group
> permissions are for "admin" on that "fee proposals" directory and
> "staff" for all others. I understand how that works for the directory
> being accessed for linux users.
>
> But I thought the @staff directive in [Projects] may override when the
> directory is accessed through samba and allow all to see it.
>
> Also I was sure I'd tried something like this before, and when someone
> set up a new project by copying the "template" directory structure to
> the "projects" directory, all the permissions were lost/changed and all
> staff could access the subdirectories.
>
>
> I would've thought they /do/ work, I just don't know anything about them
> or how to set them up - I just know they exist... might look into it.
>
> Thanks.
I looked up the syntax of samba.conf on www.samba.org and they discuss
three security modes (assuming you're running Samba > V2.0). If you map
Linux users to Windows users, then you can map the service as
SECURITY=USER. Here, you have to maintain the list of users on the
Linux system and I think the PDC, unless samba is also being your PDC.
Then, I think the service created will use the Linux usernames for file
access and that solves your problem. If you have a separate PDC and
samba is only doing file and print services on a high level, you set
SECURITY=SHARE and the service uses guest shares and no UNIX permissions
are enforced (I think).
I'm hazy as to how Samba will do this and it looks like you'll have to
do some serious reading on it to fully understand it and get the
behavior you want. There's this
http://us1.samba.org/samba/docs/man...smb.conf.5.html
and some books samba.org provides:
http://www.amazon.com/gp/product/0131453556
http://www.amazon.com/gp/product/0131472216
Good luck. This doesn't look to be a simple configuration thing.
You'll have to carefully think out your architecture to get it served
properly.
--
DeeDee, don't press that button! DeeDee! NO! Dee...