Paul Rijke wrote:
Hi,
I currently have a department called HRM which has its own share
/data/hrm
Within that share is a folder called recruitment.
We recently hired an external recruiter to do some work for us. The folder
is /data/hrm/recruitment
How can I enforce that this person can only read and write in this
directory? Look below, is this the way to go? How would you handle this?
My config:
#======================= Global Settings =====================================
[global]
dns proxy = no
log file = /var/log/samba/log.%m
netbios name = srv01
load printers = yes
server string = srv01.mydomain.com
workgroup = MYDOMAIN
os level = 20
username map = /usr/local/etc/samba/smbusers
encrypt passwords = yes
hosts allow = 192.168.20. 127.
security = user
max log size = 50
#============================ Share Definitions ==============================
# the "staff" group
[hrm]
writeable = yes
path = /data/hrm
write list = @hrm
force group = hrm
valid users = @hrm
create mode = 764
directory mode = 774
[recruitment]
comment = Recruitment Share
valid users = @recruitment
writeable = yes
path = /data/hrm/recruitment
write list = @recruitment
force group = recruitment
create mode = 764
directory mode = 774
Personally, I'd do this at the file system level. Put them in a group
such that they don't have any permissions other than traverse (751
permissions or so) parent directories, and make them the owner of the
recruitment directory with a 2770 permission on the directory. If you
need to add more recruiters, just add them to the recruitment group.
So, it'd look like this:
user: recruiter
group: recruitment
/data/hrm (perms - root.users rwxrwx--x)
/data/hrm/recruitment (perms - recruiter.recruitment rwxrwt---)
Then just give them a link to /data/hrm/recruitment on their desktop or
something (or map a drive on logon with the logon script). This is, of
course, just one way to do it.
I usually like to handle permissions at the lowest level.
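
The layout from the reply, as an added example that is not part of either poster's message: it applies the modes to a scratch directory and checks them. The function names and the scratch path are assumptions; modes 771 and 2770 show up in ls -l as rwxrwx--x and rwxrws---.

```shell
#!/bin/sh
# Added example: modes only. The real setup also needs root to run
#   chown root:users /data/hrm
#   chown recruiter:recruitment /data/hrm/recruitment

# First ten characters of "ls -ld", e.g. drwxrws---
mode_of() { ls -ld "$1" | cut -c1-10; }

# Apply the modes from the reply to <parent> and <parent>/recruitment.
apply_layout() {
    mkdir -p "$1/recruitment" || return 1
    chmod 771 "$1" || return 1        # rwxrwx--x: others may traverse only
    chmod 2770 "$1/recruitment"       # setgid plus rwx for owner and group
}

# Return 0 only if others can do no more than traverse the parent and the
# subdirectory is setgid with no access for others.
check_layout() {
    p=$(mode_of "$1")
    c=$(mode_of "$1/recruitment")
    case $p in
        d??????--x) ;;
        *) echo "FAIL parent $p: others need exactly --x"; return 1 ;;
    esac
    case $c in
        d?????s---) ;;
        *) echo "FAIL recruitment $c: want setgid, nothing for others"; return 1 ;;
    esac
    echo "OK parent=$p recruitment=$c"
}

# Demo in a scratch directory (constructed; it stands in for /data/hrm).
demo() {
    d=$(mktemp -d) || return 1
    apply_layout "$d/hrm" && check_layout "$d/hrm"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo
```

With setgid on the directory, files created inside it take the recruitment group, so the share no longer depends on force group for that.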