I need permission


Yesterday I had ‘the meeting’ with the church administration.  I had to present how to use the server, the computer use policy, the user id request forms, etc.  They were all very understanding of the policy.  It started out as a memo… it turned into a 6 page IT Bible.  But you gotta love ministry.  They all saw the need and had no problems with the policy.

Saturday I noticed a peculiar behavior Samba was exhibiting.  Every time a file was created by a user, it was only editable by that user.  That clearly wasn’t a helpful behavior for a file server.  After some investigating, I found out this is a default behavior of Linux.  No worries, I just needed to figure out how to change the default permissions on user created files.

Well, that’s actually harder than you would think.

At least it was for me.  I kept getting led down a ‘umask’ path.  After toying with various settings I wasn’t getting anywhere.  It was frustrating to say the least.  Finally, I stumbled across 3 lines I could add to my Samba config file to override the default Linux permissions.  This solved the problem.

Now the question I have is how do I actually set this in Linux and not Samba?  It’s hard enough that I’m learning all of this in a trial-and-error way, but it doesn’t help to use an OS I know little about to begin with.  It’s acceptable to have fixed the issue the way I did; no one besides me will ever touch the Linux box.  All interaction with it will take place through Samba.  But I would think there must be a simple way to set the default behavior in Linux.

Strange.

All you Linux gurus out there need to help a brother out.  I hate not knowing.  I fixed the issue (or at least worked around it), so I’m not concerned with continuing to experiment with our server.  However, I do have a Linux box at home I can play with.  For some reason, I feel like I need to know the answer to this one.  Permission setting is one of Linux’s bread-and-butter features.  No way is this as complicated as I’m making it.


Reader Comments

The way we do it where I work is to set up people in groups. So for example, the Systems department is all one group, the administration department is one group, etc.

In the smb.conf file (or the corresponding option in the SWAT web interface) you set the area you’re sharing to have a “create mask” of 0664. This causes all files that are created to allow group write and read.

We have a communal drive that we set the “create mask” to 0777. In this mode every file created is world readable, writeable, and executable.

BTW, you might want to check out Alfresco. It’ll provide you with SMB services in addition to a web interface for indexed searching and file management. I’m playing with it right now and it is a tad sluggish, but may be worth it.

Shoot me an email if you have any other questions.

That’s what I ended up doing as well. I just figured there should be a way to make Linux do it automagically. I guess it all depends on the distro.

I will check out Alfresco. You’ve commented on it a few times on your blog.

The following 3 lines are what I ended up doing in smb.conf to get the desired result. I know there must be a more secure way to do it though.

create mask = 0766
directory mask = 0777
# no idea what this is, it was just used in the example I copied
force directory mode = 0777

When I create the users I make them all members of the same Linux user group (nmcc, my creativity lacked in naming the group). :)

Although they all belong to the same user group in Linux, the way I set up the file server there are several ‘private’ group shares. So in Samba, they may belong to several groups.

Any thoughts on how to tweak that?

I’m not quite sure what you mean there. In standard Linux you can’t have a file belong to more than one group. I believe the SELinux extensions created by the NSA give you more flexibility in this. Alfresco is also more flexible.

There is just one Linux group (nmcc). The other ‘groups’ are all in Samba. They are just share folders that have certain authorized users to access them.

I use the ‘valid users =’ option on certain share folders in the smb.conf to accomplish this.

I think the only way to do exactly that type of thing at the Linux level (i.e. not Samba) is to use the SELinux extensions.

Alternately, a person can belong to more than one group. You could create a group called “officedudes” and include just the office dudes in that group and set up a share just for them. You would create these secondary groups in the /etc/group file. Or in Ubuntu/Gnome you could use the User/Group manager tool.

You would then chgrp the Linux directory to be owned by that group. You would also set the SUID group bit so that files created in that directory would be set to the same group. (e.g. chmod g+s directoryName). There may be some Samba settings to help this as well.
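
As an added example (not from the post or its comments), the Linux-side setup discussed in this thread: a directory with the setgid bit (chmod g+s) plus a umask of 002, which yields group-writable files without the world-writable 0777/0766 masks. It assumes GNU `stat`, and uses the caller's own primary group in place of a share group such as nmcc so it runs without root.

```shell
#!/bin/sh
# Added example: group-shared directory using umask + setgid instead of 0777.
# Assumptions: GNU coreutils stat; the caller's primary gid stands in for a
# dedicated share group so no root privileges are needed.

# Create an empty file under the given umask and print its octal mode.
mode_with_umask() {   # $1 = directory, $2 = umask, $3 = file name
    ( umask "$2" && : > "$1/$3" && stat -c '%a' "$1/$3" )
}

demo_shared_dir() {
    share=$(mktemp -d) || return 1
    gid=$(id -g)

    chgrp "$gid" "$share"
    # 2770: owner and group get rwx, others get nothing; the leading 2 is the
    # setgid bit, so new entries take the directory's group, not the creator's.
    chmod 2770 "$share"

    # umask 022 is the common distro default: the group can read but not write.
    default_mode=$(mode_with_umask "$share" 022 default.txt)
    # umask 002 leaves group write enabled and still denies write to others.
    shared_mode=$(mode_with_umask "$share" 002 shared.txt)
    file_gid=$(stat -c '%g' "$share/shared.txt")

    # Subdirectories inherit the setgid bit, so the whole tree stays shared.
    ( umask 002 && mkdir "$share/sub" )
    sub_mode=$(stat -c '%a' "$share/sub")

    rm -rf "$share"
    echo "$default_mode $shared_mode $sub_mode $file_gid"
}

demo_shared_dir
```

Files written through Samba are governed by the share's create mask and directory mask rather than a login umask, so the umask half of this applies to local or shell users; the setgid directory applies to both.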