Paul Rijke wrote:
Hi,

I currently have a department called HRM which has its own share,
/data/hrm.

Within that share is a folder called recruitment.

We recently hired an external recruiter to do some work for us. The folder
is /data/hrm/recruitment

How can I enforce that this person can only read and write in this
directory? Look below: is this the way to go? How would you handle this?

My config:

#======================= Global Settings =====================================

[global]
            dns proxy = no
            log file = /var/log/samba/log.%m
            netbios name = srv01
            load printers = yes
            server string = srv01.mydomain.com
            workgroup = MYDOMAIN
            os level = 20
            username map = /usr/local/etc/samba/smbusers
            encrypt passwords = yes
            hosts allow = 192.168.20. 127.
            security = user
            max log size = 50

#============================ Share Definitions ==============================

# the "staff" group
[hrm]
            writeable = yes
            path = /data/hrm
            write list = @hrm
            force group = hrm
            valid users = @hrm
            create mode = 764
            directory mode = 774

[recruitment]
            comment = Recruitment Share
            valid users = @recruitment
            writeable = yes
            path = /data/hrm/recruitment
            write list = @recruitment
            force group = recruitment
            create mode = 764
            directory mode = 774

Personally, I'd do this at the file system level. Put them in a group such that they don't have any permissions other than traverse (751 permissions or so) on parent directories, and make them the owner of the recruitment directory with a 2770 permission on the directory. If you need to add more recruiters, just add them to the recruitment group.

So, it'd look like this:
user: recruiter
group: recruitment

/data/hrm (perms - root.users rwxrwx--x)
/data/hrm/recruitment (perms - recruiter.recruitment rwxrwt---)

Then just give them a link to /data/hrm/recruitment on their desktop or something (or map a drive on logon with the logon script). This is, of course, just one way to do it. I usually like to handle permissions at the lowest level.
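The filesystem-level layout the reply describes, as an added example that is not from the thread: a POSIX shell script that builds the tree with a traverse-only parent and a setgid recruitment directory, then checks that new entries inside it inherit the group. It assumes Linux with GNU coreutils (stat -c); the owner and group names are parameters, and chown only runs when the script is executed as root.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux with GNU coreutils
# (stat -c) and that the recruiter account and recruitment group exist.
# Usage as root: setup_recruitment_tree /data/hrm recruiter recruitment
set -eu

# Octal mode of a path, special bits included (e.g. "2770").
dir_mode() {
    stat -c %a "$1"
}

# Create BASE and BASE/recruitment with the modes from the reply:
# BASE 751 (others can only traverse), recruitment 2770 (setgid group dir).
# Ownership is changed only when running as root, so the function can be
# exercised in a scratch directory by an ordinary user.
setup_recruitment_tree() {
    base=$1 owner=$2 group=$3
    mkdir -p "$base/recruitment"
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$group" "$base/recruitment"
    else
        echo "not root: leaving ownership as $(id -un):$(id -gn)" >&2
    fi
    chmod 751 "$base"               # rwxr-x--x
    chmod 2770 "$base/recruitment"  # rwxrws---
}

# Succeed only if the tree matches the intent. Besides the two modes, create
# a probe directory inside recruitment: on Linux it must inherit the setgid
# bit and the recruitment group, which is what keeps every recruiter's new
# files group-owned by recruitment without relying on Samba's "force group".
verify_recruitment_tree() {
    base=$1
    [ "$(dir_mode "$base")" = 751 ] || return 1
    [ "$(dir_mode "$base/recruitment")" = 2770 ] || return 1
    probe="$base/recruitment/probe.$$"
    mkdir "$probe"
    pmode=$(dir_mode "$probe")
    pgroup=$(stat -c %G "$probe")
    rmdir "$probe"
    [ "$pgroup" = "$(stat -c %G "$base/recruitment")" ] || return 1
    case $pmode in 2???) return 0 ;; *) return 1 ;; esac
}
```

Run it against a scratch directory first (for example under mktemp -d) to confirm the modes before touching /data/hrm.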