On Mon, Sep 15, 2008 at 01:57:55PM -0700, Steve Rippl wrote:
> Hi,
>
> We've just put in a Samba fileserver to replace our windows box for our
> School District and it seems to be working great. I have a question
> about defining some specific permissions though. We set up 'Drop boxes'
> for teachers that kids can drag files into, but they don't have read
> permission so they can't read each other's submitted work. Here's what
> it looks like on the fileserver
>
> root@wsdfile:/srv/materials/WHS/VanCleek# getfacl Drop_Box/
> # file: Drop_Box
> # owner: admin
> # group: domain\040admins
> user::rwx
> user:vancleek:rwx
> group::rwx
> group:whs\040student:-wx
> mask::rwx
> other::---
> default:user::rwx
> default:user:vancleek:rwx
> default:group::rwx
> default:group:whs\040student:-wx
> default:mask::rwx
> default:other::---
>
> and the view through windows security tab shows Traverse folder/Create
> Files/Write Attributes/Write Extended Attributes/Read permissions.
> Needless to say this doesn't seem to work! The student account (in the
> right group) is not allowed to drop a file into that folder. If I add
> g:wsd\\whs\ Student:rwx then the student can do anything successfully,
> with -wx nothing?!!
>
> Can anyone help?
Ok, the problem is that students need to be able to read
the containing directory in order to be able to drag and
drop new files there. The reason is that Samba needs to
be able to scan the directory on their behalf in order
to do case insensitive lookups.
But so long as you don't mind allowing the students to
see the names of each other's files, you can set up a
DropBox so that students can write into it (and their
own files) but not edit or see others' files.
Firstly, you want to make sure that files created in
the DropBox directory are not owned by the student's
primary group, but by the group owner of the DropBox
directory. So :
chgrp teachers DropBox
to make it owned by the teachers group. Then set the
setgid bit on the DropBox directory to make sure
that files created within there have an owning group
of teachers.
chmod g+s DropBox
Then ensure that a file in DropBox can be renamed
or deleted by only the owner of the file, or by the
owner of the directory, or by root (same permissions
that /tmp has).
chmod +t DropBox
Then allow students to write into the directory
by adding an ACL
setfacl -m g:students:rwx DropBox
So long as the default acl is set so that "others"
have no permissions, files written by a student
into that directory will be owned by themselves
but will have an owning group of "teachers", and
students will not be able to read each other's
files.
If you need to cause the files to be owned
by the owner of the directory, not by the students
who created them, you need to set up a separate
share as described above, but then add the
share level parameter :
inherit owner = yes
which will cause files created within the
directories in that share to be owned by
the containing directory, not the creating
owner.
Hope this helps,
Jeremy.
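As an added example (not part of the thread and not Samba's code), a small Python checker that applies the criteria from Jeremy's reply to a directory mode and to getfacl output of the kind Steve posted. The getfacl lines are copied from the question and trimmed to the ones that matter, the group name whs\040student is kept exactly as getfacl printed it (a space is shown as \040), and 0o3770 is assumed to be the mode a 770 directory has after chmod g+s and chmod +t.

```python
import stat

# getfacl output from the question, trimmed to the relevant lines (raw string: getfacl prints a space as \040)
POSTED_ACL = r"""
# file: Drop_Box
user::rwx
group::rwx
group:whs\040student:-wx
mask::rwx
other::---
default:group:whs\040student:-wx
default:other::---
"""

def parse_getfacl(text):
    """Map (scope, tag, qualifier) -> perms; scope is 'access' or 'default'."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[8:]
        tag, qualifier, perms = line.split(":", 2)
        entries[(scope, tag, qualifier)] = perms
    return entries

def audit_dropbox_acl(entries, student_group):
    """Reply's ACL rules: students need 'r' (Samba scans the directory for case-insensitive lookups); 'other' must be --- in both ACLs."""
    findings = []
    if "r" not in entries.get(("access", "group", student_group), "---"):
        findings.append(f"{student_group}: no read bit, so -wx will not allow drag-and-drop")
    for scope in ("access", "default"):
        if entries.get((scope, "other", ""), "---") != "---":
            findings.append(f"{scope} other is not ---: students could read each other's files")
    return findings

def audit_dropbox_mode(mode):
    """Reply's mode bits: setgid (new files take the directory's group), sticky (only file owner, directory owner or root may rename/delete), nothing for 'other'."""
    findings = []
    if not mode & stat.S_ISGID:
        findings.append("setgid not set (chmod g+s DropBox)")
    if not mode & stat.S_ISVTX:
        findings.append("sticky bit not set (chmod +t DropBox)")
    if mode & stat.S_IRWXO:
        findings.append("other has access to the directory")
    return findings

if __name__ == "__main__":
    print(audit_dropbox_acl(parse_getfacl(POSTED_ACL), r"whs\040student"))
    print(audit_dropbox_mode(0o3770))  # assumed result of chmod g+s and chmod +t on a 770 directory
```

Against a real directory, pass `os.stat("DropBox").st_mode` to audit_dropbox_mode and the output of `getfacl DropBox` to parse_getfacl once the chgrp/chmod/setfacl steps have been applied.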