On 12/30/2010 20:49, Gary Dale wrote:
On 30/12/10 03:56 PM, Christ Schlacta wrote:
I have some shares on a media server that are considdered "Local,
offline content", namely they should be accessible if the rest of the
network is down, and each system has it's own group of users who are
allowed to maintain it. the media servers in the livingroom are only
for my wife and I, but each person can modify the one in their own
bedroom and noone elses bedroom. Furthermore, the users must be
members of the group "Music" to be allowed to modify music, and the
group "Videos" to be allowed to modify videos. currently my setup
looks like this for rebirth:
[videos]
comment = Rebirth local Videos
path = /media/local/videos
write list = @rebirth
force group = videos
create mask = 0664
force create mode = 0664
directory mask = 0775
force directory mode = 0775
[music]
comment = Rebirth local Music
path = /media/local/music
write list = @rebirth
force group = music
create mask = 0664
force create mode = 0664
directory mask = 0775
force directory mode = 0775
but my fear is that someone not in the music group will still be able
to write to the shares. is there a way to make it explicitly require
BOTH groups to allow writing?
I'm not entirely sure what you are trying to do, let alone why it is a
problem. Since you are sharing files
I want to require a user to me a member of TWO groups to add or modify
files in a share. the user MUST be a member of the groups "rebirth" and
"videos" to be able to write to the directory "videos" on the server
"rebirth". if they're only in one or the other I don't want them to be
able to add files (I'd like to make it so they can't even read files if
they're not in both groups, but that's nowhere near as important)
via Samba, why are you using group access instead of user access
rights? Why aren't you simply using user accounts to control access
the way CIFS usually does it?
I can't add permissions for each user the way cifs wants it because I
don't have ACLs. I want to be able to add a user to a group and voila,
they have group permissions to the group's resources.
Ignore the ZFS problems. If user A is in Music, then they have write
access to the music share. If they are not then they have read access.
Forcing the group simply overrides the whole point of having a group
in the first place.
forcing the group is also common here because each share has permissions
enforced on a per-group basis. files in the www share can be modified
by anyone in the www group. files in the dump share can be modified by
anyone in the dump group, etc.. I use filesystem "sticky group"
permissions to help enforce permissions, but without proper ACL support,
forcing g=rwX is difficult without using samba force group and create
mask options.
You can set Guest OK to yes to give the world read access, or you can
set a Read list in addition to the Write list.
can I specify "noone can read UNLESS they're in this group"?
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
