Re: [Samba] patch request - inherit owner

2005-11-25 Thread Andrew Bartlett
On Tue, 2005-11-22 at 06:00 -0700, Craig White wrote:
> On Tue, 2005-11-22 at 09:33 +0100, [EMAIL PROTECTED] wrote:
> > Craig White wrote:
> > > On Mon, 2005-11-21 at 17:36 +0100, [EMAIL PROTECTED] wrote:
> > > 
> > >>Gerald (Jerry) Carter wrote:
> > >>
> > >>>[EMAIL PROTECTED] wrote:
> > >>>
> > >>>| so a patch to add an "inherit owner group" option
> > >>>| would be very useful.
> > >>>
> > >>>Unix file systems already support this with the group ID bit.
> > >>>Just "chmod g+s dirname".
> > >>
> > >>Ok it's working.
> > >>
> > >>I didn't know I could have an s without an x, so I was worried about the
> > >>security as some users have access to a shell on the Samba server.
> > > 
> > > 
> > > 'x' has different meaning when it comes to a directory. It indicates
> > > whether a user of that type can 'descend' into the directory.
> > > 
> > > Craig
> > > 
> > > 
> > 
> > I know this, but I am moving data from a Windows server to Samba i.e. I
> > have to copy files preserving the creation times and then set up the
> > access rights.
> > And as I thought that s goes with x, and there is no way (well, at least
> > from what I know) to recursively set the s just to directories (as with
> > the X) I had no solution.
> ---
> chmod -R g+s /path/to/directory # recursively set guid bit
> ---

Watch out, that will set the setgid bit on any files in that directory.

Where 'foo' is the directory, try:

find foo -type d | xargs chmod g+s

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team   http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
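
Added example (not part of the original messages): a POSIX shell sketch of the directories-only approach from this thread, plus a cleanup for files that already picked up setgid from `chmod -R g+s`. The function names and the sample tree are constructed for illustration; `find ... -exec chmod ... {} +` is used in place of the `xargs` pipeline so that directory names containing spaces are passed intact.

```shell
#!/bin/sh
# Added example; function names and the sample tree are constructed.

# Set setgid on every directory under $1 and never on files.
# "-exec ... {} +" hands names straight to chmod, so directory names with
# spaces (typical of data copied from a Windows server) stay intact.
setgid_dirs_only() {
    find "$1" -type d -exec chmod g+s {} +
}

# Undo the side effect of "chmod -R g+s": clear setgid on regular files only.
clear_setgid_files() {
    find "$1" -type f -perm -2000 -exec chmod g-s {} +
}

# Count entries of type $2 (f or d) under $1 that carry the setgid bit.
# The count is line based, so it assumes no newlines in names.
count_setgid() {
    find "$1" -type "$2" -perm -2000 -print | wc -l | tr -d ' '
}

# Build a small constructed tree (4 directories, 3 files) with setgid cleared.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/service public data/2005" "$root/archives"
    : > "$root/service public data/report.doc"
    : > "$root/service public data/2005/old file.xls"
    : > "$root/archives/notes.txt"
    chmod -R g-s "$root"
    printf '%s\n' "$root"
}

report() {
    echo "$1: files=$(count_setgid "$2" f) dirs=$(count_setgid "$2" d)"
}

demo() {
    t=$(make_sample_tree) || return 1
    chmod -R g+s "$t";       report "after chmod -R g+s" "$t"
    clear_setgid_files "$t"; report "after file cleanup" "$t"
    chmod -R g-s "$t"
    setgid_dirs_only "$t";   report "directories only" "$t"
    rm -rf "$t"
}
demo
```
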

Re: [Samba] patch request - inherit owner

2005-11-22 Thread Craig White
On Tue, 2005-11-22 at 09:33 +0100, [EMAIL PROTECTED] wrote:
> Craig White wrote:
> > On Mon, 2005-11-21 at 17:36 +0100, [EMAIL PROTECTED] wrote:
> > 
> >>Gerald (Jerry) Carter wrote:
> >>
> >>>[EMAIL PROTECTED] wrote:
> >>>
> >>>| so a patch to add an "inherit owner group" option
> >>>| would be very useful.
> >>>
> >>>Unix file systems already support this with the group ID bit.
> >>>Just "chmod g+s dirname".
> >>
> >>Ok it's working.
> >>
> >>I didn't know I could have an s without an x, so I was worried about the
> >>security as some users have access to a shell on the Samba server.
> > 
> > 
> > 'x' has different meaning when it comes to a directory. It indicates
> > whether a user of that type can 'descend' into the directory.
> > 
> > Craig
> > 
> > 
> 
> I know this, but I am moving data from a Windows server to Samba i.e. I
> have to copy files preserving the creation times and then set up the
> access rights.
> And as I thought that s goes with x, and there is no way (well, at least
> from what I know) to recursively set the s just to directories (as with
> the X) I had no solution.
---
chmod -R g+s /path/to/directory # recursively set guid bit
---
> Well, setting up the s to the base dir before replicating data should
> have worked, but I just didn't think enough.
---
We all have that problem.

Craig




Re: [Samba] patch request - inherit owner

2005-11-22 Thread [EMAIL PROTECTED]
Craig White wrote:
> On Mon, 2005-11-21 at 17:36 +0100, [EMAIL PROTECTED] wrote:
> 
>>Gerald (Jerry) Carter wrote:
>>
>>>[EMAIL PROTECTED] wrote:
>>>
>>>| so a patch to add an "inherit owner group" option
>>>| would be very useful.
>>>
>>>Unix file systems already support this with the group ID bit.
>>>Just "chmod g+s dirname".
>>
>>Ok it's working.
>>
>>I didn't know I could have an s without an x, so I was worried about the
>>security as some users have access to a shell on the Samba server.
> 
> 
> 'x' has different meaning when it comes to a directory. It indicates
> whether a user of that type can 'descend' into the directory.
> 
> Craig
> 
> 

I know this, but I am moving data from a Windows server to Samba i.e. I
have to copy files preserving the creation times and then set up the
access rights.
And as I thought that s goes with x, and there is no way (well, at least
from what I know) to recursively set the s just to directories (as with
the X) I had no solution.
Well, setting up the s to the base dir before replicating data should
have worked, but I just didn't think enough.


Re: [Samba] patch request - inherit owner

2005-11-22 Thread [EMAIL PROTECTED]
Thomas Heiligenmann wrote:
> [EMAIL PROTECTED] wrote:
>> For the ones who want the full details here it goes:
>>
>> We have one share per service (IT, R&D, commercial...).
>> In each service the following top level directories are created by
>> admin with the following rights, that can't be changed by users:
>> - archives : One directory per year, with a service private data and a
>> service public data directories, files not needed any more are archived
>> here at the beginning of each year. Same rights as below, with read
>> write access becoming read access.
>> - service stuff : Service stuff not submitted to our quality process.
>> Read write access for domain admins and service users.
>> - service private data : Service private data submitted to our quality
>> process. Read write access for domain admins and service users, read
>> access to quality service members.
>> - service public data : Service public data (to share with other
>> services) submitted to our quality process. Read write access for domain
>> admins and service users, read access to domain users.
>> - service templates : Service Office and other software documents
>> templates. Read write access for domain admins and the person
>> responsible for the templates update, read access to domain users.
>>
>> I've not found something better than what I exposed at the beginning.
>>
>> The problem with inherit owner not working for group owner is that any
>> newly created file belongs to the "Domain Users" (primary group for every
>> user, many users belong to more than one service) with inherited rwx
>> rights thus breaking access rights rules I want.
>>
> 
> Why not define it explicitly in smb.conf? I'm happy with the following:
> 
> [mygroupshare]
> comment = My Group
> path = /data/shares/mygroup
> writable = yes
> valid users = @mygroup @admins
> create mode = 0660
> directory mode = 0770
> force directory mode = 2000
> force group = mygroup
> 
> 
> Thomas
> 
> 

It's explained in the "details" part. There is one share per service,
but there are people who are not members of the service accessing the share.


Re: [Samba] patch request - inherit owner

2005-11-21 Thread Thomas Heiligenmann

[EMAIL PROTECTED] wrote:

> Hello
>
> I've a Samba server up and running (version 3.0.20b .deb found on
> samba.org on a Debian Sarge), but it's not yet in production cause I'm
> not satisfied with some file permissions.
>
> The file permission I'd like to have would require to have files and
> directories to inherit owner user and owner group, with rights 770
> and root.root as the owner. And the users rights being given through the
> "inherit acls" option.
> The problem is "inherit owner" just works for the owner user, not the
> owner group, so a patch to add an "inherit owner group" option would be
> very useful.
>
>
> For the ones who want the full details here it goes:
>
> We have one share per service (IT, R&D, commercial...).
> In each service the following top level directories are created by
> admin with the following rights, that can't be changed by users:
> - archives : One directory per year, with a service private data and a
> service public data directories, files not needed any more are archived
> here at the beginning of each year. Same rights as below, with read
> write access becoming read access.
> - service stuff : Service stuff not submitted to our quality process.
> Read write access for domain admins and service users.
> - service private data : Service private data submitted to our quality
> process. Read write access for domain admins and service users, read
> access to quality service members.
> - service public data : Service public data (to share with other
> services) submitted to our quality process. Read write access for domain
> admins and service users, read access to domain users.
> - service templates : Service Office and other software documents
> templates. Read write access for domain admins and the person
> responsible for the templates update, read access to domain users.
>
> I've not found something better than what I exposed at the beginning.
>
> The problem with inherit owner not working for group owner is that any
> newly created file belongs to the "Domain Users" (primary group for every
> user, many users belong to more than one service) with inherited rwx
> rights thus breaking access rights rules I want.

Why not define it explicitly in smb.conf? I'm happy with the following:

[mygroupshare]
comment = My Group
path = /data/shares/mygroup
writable = yes
valid users = @mygroup @admins
create mode = 0660
directory mode = 0770
force directory mode = 2000
force group = mygroup


Thomas


Re: [Samba] patch request - inherit owner

2005-11-21 Thread Craig White
On Mon, 2005-11-21 at 17:36 +0100, [EMAIL PROTECTED] wrote:
> Gerald (Jerry) Carter wrote:
> > [EMAIL PROTECTED] wrote:
> > 
> > | so a patch to add an "inherit owner group" option
> > | would be very useful.
> > 
> > Unix file systems already support this with the group ID bit.
> > Just "chmod g+s dirname".
> 
> Ok it's working.
> 
> I didn't know I could have an s without an x, so I was worried about the
> security as some users have access to a shell on the Samba server.

'x' has different meaning when it comes to a directory. It indicates
whether a user of that type can 'descend' into the directory.

Craig




Re: [Samba] patch request - inherit owner

2005-11-21 Thread [EMAIL PROTECTED]
Gerald (Jerry) Carter wrote:
> [EMAIL PROTECTED] wrote:
> 
> | so a patch to add an "inherit owner group" option
> | would be very useful.
> 
> Unix file systems already support this with the group ID bit.
> Just "chmod g+s dirname".

Ok it's working.

I didn't know I could have an s without an x, so I was worried about the
security as some users have access to a shell on the Samba server.

Sorry for this stupid one.

Thanks


Re: [Samba] patch request - inherit owner

2005-11-21 Thread Jeremy Allison
On Mon, Nov 21, 2005 at 03:24:06PM +0100, [EMAIL PROTECTED] wrote:
> Hello
> 
> I've a Samba server up and running (version 3.0.20b .deb found on
> samba.org on a Debian Sarge), but it's not yet in production cause I'm
> not satisfied with some file permissions.
> 
> The file permission I'd like to have would require to have files and
> directories to inherit owner user and owner group, with rights 770
> and root.root as the owner. And the users rights being given through the
> "inherit acls" option.
> The problem is "inherit owner" just works for the owner user, not the
> owner group, so a patch to add an "inherit owner group" option would be
> very useful.

You do this using normal unix mechanisms - this is already built into
the filesystem. Set the SGID bit on the directory. I don't want to add
Samba options that duplicate filesystem features.

Jeremy.


Re: [Samba] patch request - inherit owner

2005-11-21 Thread Gerald (Jerry) Carter

[EMAIL PROTECTED] wrote:

| so a patch to add an "inherit owner group" option
| would be very useful.

Unix file systems already support this with the group ID bit.
Just "chmod g+s dirname".






cheers, jerry
=
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
"There's an anonymous coward in all of us."   --anonymous