Yvan Masson
2019-Aug-09 19:18 UTC
[Samba] Standalone server and POSIX ACL issues (new one)
Hi list,

For testing purposes, I am running a standalone Samba 4.9.5 on Debian with the following smb.conf:

[global]
server role = standalone server
map to guest = Bad User
guest account = nobody

[test]
path = /home/yvan/Partage/share
guest ok = yes
writable = yes
inherit acls = yes

I want "bob", "alice" and guest user to have full access to all files in this share, so I made /home/yvan/share with the following ACL:

$ getfacl share
# file: share
# owner: root
# group: root
user::rwx
user:bob:rwx
user:alice:rwx
user:nobody:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:bob:rwx
default:user:alice:rwx
default:user:nobody:rwx
default:group::---
default:mask::rwx
default:other::---

I have two issues with this setup that I could not solve after many hours:

1. I can mount the share as guest but then can't read its content, although local access works fine (for example with `$ sudo -u nobody touch /home/yvan/share/foo`).

2. If user "bob" or "alice" creates a directory or a file, ACL mask is not "rwx" but "r-x" for directories and "r--" for files (which restricts effective rights). All other ACLs are correct. Note that when creating files or directories locally, ACL mask is properly set up to "rwx".

Any idea is really welcome!

Best regards,
Yvan
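Added example, not part of the original post: a small Python check of how the ACL mask in issue 2 cuts the effective rights of named users. The sample ACL is constructed from the "r-x" mask the post reports for new directories, and the function names are hypothetical.

```python
# Constructed sample: getfacl-style output for a directory created over SMB,
# carrying the "r-x" mask that the post reports for new directories.
NEW_DIR_ACL = """\
# file: share/newdir
user::rwx
user:bob:rwx
user:alice:rwx
user:nobody:rwx
group::---
mask::r-x
other::---
default:user:bob:rwx
"""

def parse_getfacl(text):
    """Return (access, default) dicts mapping (tag, qualifier) -> 'rwx' string."""
    access, default = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops headers and "#effective:" notes
        if not line:
            continue
        parts = line.split(":")
        target = access
        if parts[0] == "default":
            target, parts = default, parts[1:]
        if len(parts) != 3 or len(parts[2]) != 3:
            raise ValueError(f"unrecognised ACL line: {raw!r}")
        target[(parts[0], parts[1])] = parts[2]
    return access, default

def effective(entries):
    """Apply the mask: it limits named users and group entries, not user:: or other."""
    mask = entries.get(("mask", ""), "rwx")  # a minimal ACL carries no mask entry
    result = {}
    for (tag, who), perms in entries.items():
        if tag == "group" or (tag == "user" and who):
            perms = "".join(p if m != "-" else "-" for p, m in zip(perms, mask))
        if tag != "mask":
            result[(tag, who)] = perms
    return result

def narrowed(entries):
    """Entries whose effective rights are smaller than the rights written in the ACL."""
    eff = effective(entries)
    return sorted(k for k in eff if eff[k] != entries[k])

if __name__ == "__main__":
    acl, _ = parse_getfacl(NEW_DIR_ACL)
    print({k: effective(acl)[k] for k in narrowed(acl)})
```

Feeding it the output of getfacl on a file or directory created through the share shows which entries the mask has reduced.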
Rowland penny
2019-Aug-09 19:36 UTC
[Samba] Standalone server and POSIX ACL issues (new one)
On 09/08/2019 20:18, Yvan Masson via samba wrote:
> Hi list,
>
> For testing purpose, I am running a standalone Samba 4.9.5 on Debian
> with the following smb.conf:
>
> [global]
> server role = standalone server
> map to guest = Bad User
> guest account = nobody

That is the standard guest account

>
> [test]
> path = /home/yvan/Partage/share
> guest ok = yes
> writable = yes
> inherit acls = yes
>
>
> I want "bob", "alice" and guest user to have full access to all files
> in this share, so I made /home/yvan/share with the following ACL:

No, you don't, all right you do, but you shouldn't ;-)

Either use authentication for the share, or allow guest access, not both.

> $ getfacl share
> # file: share
> # owner: root
> # group: root
> user::rwx
> user:bob:rwx
> user:alice:rwx
> user:nobody:rwx
> group::r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:bob:rwx
> default:user:alice:rwx
> default:user:nobody:rwx
> default:group::---
> default:mask::rwx
> default:other::---
>
>
> I have two issues with this setup that I could not solve after many hours:

No, you have one big issue, you are not using the ACLs you have set, well not with Samba anyway, you will need to add:

    vfs objects = acl_xattr
    map acl inherit = Yes

to [global] in smb.conf

Rowland
subscriptions
2019-Aug-09 20:32 UTC
[Samba] Standalone server and POSIX ACL issues (new one)
On 8/9/19 3:18 PM, Yvan Masson via samba wrote:
> Hi list,
>
> For testing purpose, I am running a standalone Samba 4.9.5 on Debian
> with the following smb.conf:
>
> [global]
> server role = standalone server
> map to guest = Bad User
> guest account = nobody
>
> [test]
> path = /home/yvan/Partage/share
> guest ok = yes
> writable = yes
> inherit acls = yes
>
>
> I want "bob", "alice" and guest user to have full access to all files
> in this share, so I made /home/yvan/share with the following ACL:
> $ getfacl share
> # file: share
> # owner: root
> # group: root
> user::rwx
> user:bob:rwx
> user:alice:rwx
> user:nobody:rwx
> group::r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:bob:rwx
> default:user:alice:rwx
> default:user:nobody:rwx
> default:group::---
> default:mask::rwx
> default:other::---
>
>
> I have two issues with this setup that I could not solve after many
> hours:
>
> 1. I can mount the share as guest but then can't read its content,
> although local access works fine (for example with `$ sudo -u nobody
> touch /home/yvan/share/foo`).
>
> 2. If user "bob" or "alice" creates a directory or a file, ACL mask is
> not "rwx" but "r-x" for directories and "r--" for files (which
> restricts effective rights). All other ACL are correct. Note that when
> creating files or directories locally, ACL mask is properly setup to
> "rwx".
>
> Any idea is really welcome !
>
> Best regards,
> Yvan
>

Yvan,

What I do is create two groups. First group has full access. The other group has the normal permissions besides Bob and Alice.

I think it gives you better control over the users. They come and go so it's easier to drop them from one group and add them to another.

IMHO
Yvan Masson
2019-Aug-09 20:34 UTC
[Samba] Standalone server and POSIX ACL issues (new one)
On 09/08/2019 at 21:36, Rowland penny via samba wrote:
> On 09/08/2019 20:18, Yvan Masson via samba wrote:
>> Hi list,
>>
>> For testing purpose, I am running a standalone Samba 4.9.5 on Debian
>> with the following smb.conf:
>>
>> [global]
>> server role = standalone server
>> map to guest = Bad User
>> guest account = nobody
> That is the standard guest account
>>
>> [test]
>> path = /home/yvan/Partage/share
>> guest ok = yes
>> writable = yes
>> inherit acls = yes
>>
>>
>> I want "bob", "alice" and guest user to have full access to all files
>> in this share, so I made /home/yvan/share with the following ACL:
>
> No, you don't, all right you do, but you shouldn't ;-)
>
> Either use authentication for the share, or allow guest access, not both.

Yes I admit this test setup is not very realistic. A valid setup would be read/write for authenticated users and read only for guests:

# file: test
# owner: root
# group: root
user::rwx
user:bob:rwx
user:alice:rwx
user:nobody:r-x
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:bob:rwx
default:user:alice:rwx
default:user:nobody:r-x
default:group::---
default:mask::rwx
default:other::---

Unfortunately I have the same problem: guest can mount but not read share contents.

>
>> $ getfacl share
>> # file: share
>> # owner: root
>> # group: root
>> user::rwx
>> user:bob:rwx
>> user:alice:rwx
>> user:nobody:rwx
>> group::r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:bob:rwx
>> default:user:alice:rwx
>> default:user:nobody:rwx
>> default:group::---
>> default:mask::rwx
>> default:other::---
>>
>>
>> I have two issues with this setup that I could not solve after many
>> hours:
>
> No, you have one big issue, you are not using the ACLs you have set,
> well not with Samba anyway, you will need to add:
>
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>
> to [global] in smb.conf
>

Aaaaah wonderful! :-D

Those parameters are not mentioned on "Setting up a Share Using POSIX ACLs" page in the wiki: can I add those or do you prefer to do it? (I am sure your explanations would be better than mine).

Yvan
Yvan Masson
2019-Aug-10 08:43 UTC
[Samba] Standalone server and POSIX ACL issues (new one)
On 09/08/2019 at 22:32, subscriptions via samba wrote:
> On 8/9/19 3:18 PM, Yvan Masson via samba wrote:
>> Hi list,
>>
>> For testing purpose, I am running a standalone Samba 4.9.5 on Debian
>> with the following smb.conf:
>>
>> [global]
>> server role = standalone server
>> map to guest = Bad User
>> guest account = nobody
>>
>> [test]
>> path = /home/yvan/Partage/share
>> guest ok = yes
>> writable = yes
>> inherit acls = yes
>>
>>
>> I want "bob", "alice" and guest user to have full access to all files
>> in this share, so I made /home/yvan/share with the following ACL:
>> $ getfacl share
>> # file: share
>> # owner: root
>> # group: root
>> user::rwx
>> user:bob:rwx
>> user:alice:rwx
>> user:nobody:rwx
>> group::r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:bob:rwx
>> default:user:alice:rwx
>> default:user:nobody:rwx
>> default:group::---
>> default:mask::rwx
>> default:other::---
>>
>>
>> I have two issues with this setup that I could not solve after many
>> hours:
>>
>> 1. I can mount the share as guest but then can't read its content,
>> although local access works fine (for example with `$ sudo -u nobody
>> touch /home/yvan/share/foo`).
>>
>> 2. If user "bob" or "alice" creates a directory or a file, ACL mask is
>> not "rwx" but "r-x" for directories and "r--" for files (which
>> restricts effective rights). All other ACL are correct. Note that when
>> creating files or directories locally, ACL mask is properly setup to
>> "rwx".
>>
>> Any idea is really welcome !
>>
>> Best regards,
>> Yvan
>>
> Yvan,
>
> What I do is create two groups. First group has full access. The other
> group have the normal permissions besides Bob and Alice.
>
> I think it gives you better control over the users. They come and go so
> its easier to drop them from and group and add them to another.
>

You are right, using group is usually the way to go, but I sometimes need to give access to only some users, unrelated to the groups that can exist (for example for a particular project or application).

Yvan