Re: restricting access to subdirectory globally accessible

From: Troy Piggins (usenet-0510_at_piggo.com)
Date: 10/31/05

    Date: 31 Oct 2005 00:40:00 GMT
    
    

    * Michael Vilain wrote:
    > In article <slrndmai6t.pmu.usenet-0510@piggo.com>,
    > Troy Piggins <usenet-0510@piggo.com> wrote:
    >
    >> [apologies if this is multi-posted - I had some errors with linux.samba]
    >>
    >> I have a samba server that shares a directory called "projects",
    >> subdirectories of which are, funnily enough, each project for our
    >> company. Each project's directory has a file hierarchy like this:
    >>
    >> job no & name - correspondence - certificates
    >> - email-attachments-in
    >> - email-attachments-out
    >> - faxes
    >> - fee-proposals
    >> - letters
    >> - reports
    >> - specifications
    >> - design - spreadsheets
    >> - analysis
    >> - drawings
    >> - photos
    >>
    >> and so on. Everyone is a member of group "staff", there are some users
    >> that are also members of group "admin" who I want to be the only ones
    >> that can access the "fee-proposals" directory (at present everyone can
    >> access it and the bosses don't like that).
    >>
    >> Here is the current extract from /etc/samba/smb.conf :
    >>
    >> [Projects]
    >> comment = Projects Directory
    >> path = /office/projects
    >> public = no
    >> writable = yes
    >> write list = @staff
    >> create mask = 0775
    >> directory mask = 0775
    >> force create mode = 0660
    >> force directory mode = 0770
    >>
    >> I don't know how to have different permissions on the subdir.
    >>
    >> Thanks. Not sure if I posted enough details here - let me know if more
    >> info required.
    >
    > You could change the group owner of the fee-proposals directory to
    > "admin", with a specific person or account being the directory's owner.
    > That way, staff won't have access, just "admin". The problem is that
    > jobs will have to have a fixed structure, which must be adhered to in
    > order to maintain this security. Either create new jobs directories with a
    > script or use a blank one and duplicate it.

    Ok. So for the "template" directory, make sure the linux group
    permissions are for "admin" on that "fee proposals" directory and
    "staff" for all others. I understand how that works for the directory
    being accessed for linux users.

    But I thought the @staff directive in [Projects] may override when the
    directory is accessed through samba and allow all to see it.

    Also I was sure I'd tried something like this before, and when someone
    set up a new project by copying the "template" directory structure to
    the "projects" directory, all the permissions were lost/changed and all
    staff could access the subdirectories.

    > I originally thought ACLs might be useful here, but I don't know if Linux
    > (what version of the kernel) would implement it correctly nor if Samba
    > would utilize them. They work on Solaris 7 with Samba, but Linux is a
    > different, somewhat flaky beast. But you should be OK with regular
    > groups and permissions here.

    I would've thought they /do/ work, I just don't know anything about them
    or how to set them up - I just know they exist... might look into it.

    Thanks.

    -- 
    Troy Piggins
    Where I live: 27 27 44 S 153 02 28 E
    http://earth.google.com
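
The scripted job-directory creation suggested in the quoted reply could look like the following; this is an added example, not code from the thread. The share path and the group names "staff" and "admin" come from the post, while the function name new_project and the exact nesting of the subdirectories are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. /office/projects, "staff" and "admin" come
# from the post; the directory layout below is an assumed reading of its listing.

new_project() (
    # usage: new_project <base-dir> <project-name> [staff-group] [admin-group]
    base=$1 name=$2 staff=${3:-staff} admin=${4:-admin}

    # Refuse names that would escape the share or collide with an existing job.
    case $name in
        ''|.|..|*/*) echo "invalid project name: $name" >&2; exit 1 ;;
    esac
    proj=$base/$name
    if [ -e "$proj" ]; then echo "already exists: $proj" >&2; exit 1; fi

    umask 077   # keep the tree private until groups and modes are in place
    for d in correspondence/certificates correspondence/email-attachments-in \
             correspondence/email-attachments-out correspondence/faxes \
             correspondence/fee-proposals correspondence/letters \
             correspondence/reports specifications design/spreadsheets \
             design/analysis drawings photos
    do
        mkdir -p "$proj/$d" || exit 1
    done

    # Default: group staff, rwx for owner and group, setgid so that files
    # created later inherit the directory's group instead of the creator's.
    chgrp -R "$staff" "$proj" || exit 1
    find "$proj" -type d -exec chmod 2775 {} + || exit 1

    # Restricted: only owner and the admin group may enter fee-proposals.
    fp=$proj/correspondence/fee-proposals
    chgrp "$admin" "$fp" && chmod 2770 "$fp" || exit 1
    echo "$fp"
)

# Stand-alone use: sh new_project.sh /office/projects "0510 Example Job"
if [ "$#" -ge 2 ]; then new_project "$@"; fi
```

Run it as root or as a user who belongs to both groups; a non-member cannot chgrp a directory to a group or keep its setgid bit.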
    
