Hi,
 
I have currently a department called HRM which have their own share
/data/hrm
 
Within that share is a folder called recruitment.
 
We recently hired an external recruiter to do some work for us. The folder
is /data/hrm/recruitment
 
How can I enforce that this person can only read and write in this
directory? Look below, is this the way to go? How would you handle this?
 
My config:
#======================= Global Settings ====================================
[global]
            dns proxy = no 
            log file = /var/log/samba/log.%m
            netbios name = srv01
            load printers = yes
            server string = srv01.mydomain.com
 
            workgroup = MYDOMAIN
            os level = 20
            username map = /usr/local/etc/samba/smbusers
            
            encrypt passwords = yes
            hosts allow = 192.168.20. 127.
            security = user
            max log size = 50
 
#============================ Share Definitions =============================
 
# the "staff" group
[hrm]
            writeable = yes
            path = /data/hrm
            write list = @hrm
            force group = hrm
            valid users = @hrm
            create mode = 764
            directory mode = 774
 
[recruitment]
            comment = Recruitment Share
            valid users = @recruitment
            writeable = yes
            path = /data/hrm/recruitment
            write list = @recruitment
            force group = recruitment
            create mode = 764
            directory mode = 774
Paul Rijke wrote:
> Hi,
>
> I have currently a department called HRM which have their own share
> /data/hrm
>
> Within that share is a folder called recruitment.
>
> We recently hired an external recruiter to do some work for us. The folder
> is /data/hrm/recruitment
>
> How can I enforce that this person can only read and write in this
> directory? Look below, is this the way to go? How would you handle this?
>
> My config:
>
> #======================= Global Settings ====================================
> [global]
>             dns proxy = no
>             log file = /var/log/samba/log.%m
>             netbios name = srv01
>             load printers = yes
>             server string = srv01.mydomain.com
>
>             workgroup = MYDOMAIN
>             os level = 20
>             username map = /usr/local/etc/samba/smbusers
>
>             encrypt passwords = yes
>             hosts allow = 192.168.20. 127.
>             security = user
>             max log size = 50
>
> #============================ Share Definitions =============================
>
> # the "staff" group
> [hrm]
>             writeable = yes
>             path = /data/hrm
>             write list = @hrm
>             force group = hrm
>             valid users = @hrm
>             create mode = 764
>             directory mode = 774
>
> [recruitment]
>             comment = Recruitment Share
>             valid users = @recruitment
>             writeable = yes
>             path = /data/hrm/recruitment
>             write list = @recruitment
>             force group = recruitment
>             create mode = 764
>             directory mode = 774

Personally, I'd do this at the file system level. Put them in a group such that they don't have any permissions other than traverse (751 permissions or so) parent directories, and make them the owner of the recruitment directory with a 2770 permission on the directory. If you need to add more recruiters, just add them to the recruitment group.

So, it'd look like this:

user: recruiter
group: recruitment
/data/hrm (perms - root.users rwxrwx--x)
/data/hrm/recruitment (perms - recruiter.recruitment rwxrwt---)

Then just give them a link to /data/hrm/recruitment on their desktop or something (or map a drive on logon with the logon script). This is, of course, just one way to do it. I usually like to handle permissions at the lowest level.

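
An added example, not part of the thread: a Python check of the permission bits the reply above describes (parent directory traversable but not listable by "other", recruitment directory group-writable, setgid, closed to "other"). The function names are hypothetical, only mode bits are checked (not ownership), and the demo builds a constructed scratch tree rather than touching /data/hrm.

```python
import os
import stat
import tempfile


def audit_modes(parent_mode, target_mode):
    """Compare permission bits with the layout in the reply; return findings."""
    findings = []
    # Parent (/data/hrm in the thread): "other" may traverse, not list or write.
    if parent_mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("parent: other has read/write")
    if not (parent_mode & stat.S_IXOTH):
        findings.append("parent: other cannot traverse")
    # Target (/data/hrm/recruitment): group rwx, setgid, nothing for other.
    if target_mode & stat.S_IRWXO:
        findings.append("target: other has access")
    if (target_mode & stat.S_IRWXG) != stat.S_IRWXG:
        findings.append("target: group lacks rwx")
    if not (target_mode & stat.S_ISGID):
        findings.append("target: setgid not set")
    return findings


def audit_paths(parent, target):
    """Run the same check against real directories (mode bits only)."""
    return audit_modes(stat.S_IMODE(os.stat(parent).st_mode),
                       stat.S_IMODE(os.stat(target).st_mode))


def demo():
    # Constructed scratch tree standing in for /data/hrm/recruitment.
    with tempfile.TemporaryDirectory() as root:
        parent = os.path.join(root, "hrm")
        target = os.path.join(parent, "recruitment")
        os.makedirs(target)
        os.chmod(parent, 0o771)  # rwxrwx--x, as listed in the reply
        os.chmod(target, 0o770)  # setgid deliberately left off
        return audit_paths(parent, target)


if __name__ == "__main__":
    print("771 / 2770:", audit_modes(0o771, 0o2770))
    # 774 is the "directory mode" value from the posted smb.conf, used as input.
    print("774 / 774 :", audit_modes(0o774, 0o774))
    print("scratch tree:", demo())
```

On the real server the same check would be `audit_paths("/data/hrm", "/data/hrm/recruitment")`.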
"Paul Rijke" <paul@rijke.org> wrote in message news:000c01c873f1$c9fc3200$5df49600$@org...
> Hi,
>
> I have currently a department called HRM which have their own share
> /data/hrm
>
> Within that share is a folder called recruitment.
>
> We recently hired an external recruiter to do some work for us. The folder
> is /data/hrm/recruitment
>
> How can I enforce that this person can only read and write in this
> directory? Look below, is this the way to go? How would you handle this?
>

A Samba account is linked to a Linux account. I would set the security on the Linux account. I would do this using regular Linux file and directory permissions.