I have some shares on a media server that are considered "Local, offline content", namely they should be accessible if the rest of the network is down, and each system has its own group of users who are allowed to maintain it. The media servers in the living room are only for my wife and me, but each person can modify the one in their own bedroom and no one else's bedroom. Furthermore, the users must be members of the group "Music" to be allowed to modify music, and the group "Videos" to be allowed to modify videos. Currently my setup looks like this for rebirth:

[videos]
        comment = Rebirth local Videos
        path = /media/local/videos
        write list = @rebirth
        force group = videos
        create mask = 0664
        force create mode = 0664
        directory mask = 0775
        force directory mode = 0775

[music]
        comment = Rebirth local Music
        path = /media/local/music
        write list = @rebirth
        force group = music
        create mask = 0664
        force create mode = 0664
        directory mask = 0775
        force directory mode = 0775

but my fear is that someone not in the music group will still be able to write to the shares. Is there a way to make it explicitly require BOTH groups to allow writing?
On Thu, Dec 30, 2010 at 3:56 PM, Christ Schlacta <lists at aarcane.org> wrote:
> I have some shares on a media server that are considered "Local, offline
> content", namely they should be accessible if the rest of the network is
> down, and each system has its own group of users who are allowed to
> maintain it. The media servers in the living room are only for my wife and
> me, but each person can modify the one in their own bedroom and no one else's
> bedroom. Furthermore, the users must be members of the group "Music" to be
> allowed to modify music, and the group "Videos" to be allowed to modify
> videos. Currently my setup looks like this for rebirth:
>
> [videos]
>         comment = Rebirth local Videos
>         path = /media/local/videos
>         write list = @rebirth
>         force group = videos
>         create mask = 0664
>         force create mode = 0664
>         directory mask = 0775
>         force directory mode = 0775
>
> [music]
>         comment = Rebirth local Music
>         path = /media/local/music
>         write list = @rebirth
>         force group = music
>         create mask = 0664
>         force create mode = 0664
>         directory mask = 0775
>         force directory mode = 0775
>
> but my fear is that someone not in the music group will still be able to
> write to the shares. Is there a way to make it explicitly require BOTH
> groups to allow writing?

Get rid of the force group and properly use ACLs on the *nix filesystem.

John
On 30/12/10 03:56 PM, Christ Schlacta wrote:
> I have some shares on a media server that are considered "Local,
> offline content", namely they should be accessible if the rest of the
> network is down, and each system has its own group of users who are
> allowed to maintain it. The media servers in the living room are only
> for my wife and me, but each person can modify the one in their own
> bedroom and no one else's bedroom. Furthermore, the users must be
> members of the group "Music" to be allowed to modify music, and the
> group "Videos" to be allowed to modify videos. Currently my setup
> looks like this for rebirth:
>
> [videos]
>         comment = Rebirth local Videos
>         path = /media/local/videos
>         write list = @rebirth
>         force group = videos
>         create mask = 0664
>         force create mode = 0664
>         directory mask = 0775
>         force directory mode = 0775
>
> [music]
>         comment = Rebirth local Music
>         path = /media/local/music
>         write list = @rebirth
>         force group = music
>         create mask = 0664
>         force create mode = 0664
>         directory mask = 0775
>         force directory mode = 0775
>
> but my fear is that someone not in the music group will still be able
> to write to the shares. Is there a way to make it explicitly require
> BOTH groups to allow writing?

I'm not entirely sure what you are trying to do, let alone why it is a problem. Since you are sharing files via Samba, why are you using group access instead of user access rights? Why aren't you simply using user accounts to control access the way CIFS usually does it? Ignore the ZFS problems.

If user A is in Music, then they have write access to the music share. If they are not, then they have read access. Forcing the group simply overrides the whole point of having a group in the first place. You can set Guest OK to yes to give the world read access, or you can set a Read list in addition to the Write list.
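As an added example (not from any of the posters), the [videos] share from the original mail is shown as posted and then rewritten so that a write needs both the share-level write list and membership in the filesystem group. It uses the `+group` form of Samba's `force group`, which only forces the primary group for users who are already members of that group; the ownership of /media/local/videos by group videos with a 0775 directory mode is assumed, and the chown/chmod lines in the comments are the assumed setup, not part of smb.conf.

```ini
# As posted: force group = videos gives EVERY connecting user the
# effective group 'videos', so anyone on the write list (@rebirth) can
# write regardless of whether they are actually in group 'videos'.
# The Unix group permission on the directory never gets a chance to
# deny them.
[videos]
        comment = Rebirth local Videos
        path = /media/local/videos
        write list = @rebirth
        force group = videos
        create mask = 0664
        force create mode = 0664
        directory mask = 0775
        force directory mode = 0775

# Rewritten: the leading '+' makes force group apply only to users who
# are already members of 'videos'. Everyone else keeps their own
# primary group, so for a user who is in @rebirth but not in 'videos'
# the kernel evaluates the 0775 tree as "other" (r-x) and refuses the
# write. Samba's write list still gates at the share level, so both
# memberships are required.
#
# Assumed filesystem setup (run once as root, outside smb.conf):
#   chown -R root:videos /media/local/videos
#   chmod -R 2775 /media/local/videos   # setgid bit keeps the group on new files
[videos]
        comment = Rebirth local Videos
        path = /media/local/videos
        write list = @rebirth
        force group = +videos
        create mask = 0664
        force create mode = 0664
        directory mask = 0775
        force directory mode = 0775
```

The same change applies to the [music] share with `force group = +music` and a tree owned by group music; after editing, `testparm` reports how Samba parsed the section.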