Jonathan Szalavecz
2024-Oct-24 13:55 UTC
[Samba] Optimal File Permissions for Shared Access Between Windows and Linux
I thought with the ACL it would be easier but it is the same nightmare :-(

john_johnk@raspberrypi:~ $ getfacl /mnt/shared/partage_de_fichiers
getfacl: Removing leading '/' from absolute path names
# file: mnt/shared/partage_de_fichiers
# owner: john_johnk
# group: sharedaccess
# flags: -s-
user::rwx
group::rwx
other::---
default:user::rw-
default:group::rw-
default:group:sharedaccess:rw-
default:mask::rw-
default:other::---

but when I create a file from DatabaseShare ...the group is wrong and I have the x execution which comes from nowhere :-(

john_johnk@raspberrypi:~ $ ls -l /mnt/shared/partage_de_fichiers
total 102120
-rw-rwx---+ 1 john_johnk john_johnk  73979 Oct 10  2016 'Facture RAM_2.pdf'
-rw-rwx---+ 1 john_johnk john_johnk 125627 Dec  2  2021 'Facture Tennis RNS21.pdf'

On 10/24/2024 at 12:08 AM, Jonathan Szalavecz via samba wrote:
> Hi Rowland,
>
> I've been working with the ACLs, and everything looks good! It seems I
> can now proceed with your Samba configuration.
>
> [global]
>    min protocol = SMB3
> ## Browsing/Identification ###
>
> # Change this to the workgroup/NT-domain name your Samba server will part of
>    workgroup = WORKGROUP
>    vfs objects = catia fruit streams_xattr acl_xattr
>    fruit:delete_empty_adfiles = yes
>    fruit:metadata = stream
>    fruit:nfs_aces = no
>    fruit:veto_appledouble = no
>    fruit:wipe_intentionally_left_blank_rfork = yes
>    map acl inherit = Yes
>
> [NAS]
>    comment = RaspberryPi
>    path = /mnt/shared
>    read only = no
>
> [DatabaseShare]
>    comment = Database File Share
>    path = /mnt/shared/partage_de_fichiers
>    read only = no
>
> Here are a few examples of the ACLs:
>
> The directory I need to share with my wife
>
> # file: mnt/shared/partage_de_fichiers
> # owner: john_johnk
> # group: sharedaccess
> # flags: -s-
> user::rwx
> group::rwx
> other::---
>
> A utility directory
> file: mnt/shared/Utilitaires PC
> # owner: john_johnk
> # group: john_johnk
> user::rwx
> group::---
> other::---
>
> A db file
>
> # file: mnt/shared/Database.kdbx
> # owner: john_johnk
> # group: john_johnk
> user::rw-
> group::---
> other::---
>
> The overall /mnt/shared
> # file: mnt/shared
> # owner: john_johnk
> # group: sharedaccess
> user::rwx
> user:john_johnk:rwx
> group::rwx
> mask::rwx
> other::---
>
> Let me know if you need any further adjustments!
>
> Best,
> John
>
> On 10/21/2024 at 10:49 AM, Rowland Penny via samba wrote:
>> Sorry about that, I missed that out, try this one:
>>
>> [global]
>>     workgroup = WORKGROUP
>>     vfs objects = catia fruit streams_xattr
>>     fruit:delete_empty_adfiles = yes
>>     fruit:metadata = stream
>>     fruit:nfs_aces = no
>>     fruit:veto_appledouble = no
>>     fruit:wipe_intentionally_left_blank_rfork = yes
>>
>> [NAS]
>>     comment = RaspberryPi
>>     path = /mnt/shared
>>     read only = no
>>     create mask = 0600
>>     directory mask = 0700
>>
>> [DatabaseShare]
>>     comment = Database File Share
>>     path = /mnt/shared/partage_de_fichiers
>>     read only = no
>>     create mask = 0660
>>     directory mask = 0770
>>     force group = sharedaccess
>>     force create mode = 0660
>>
>> The major problem people have with Samba is that they say it is hard
>> to configure, all those parameters to set, totally missing that
>> mostly they are setting defaults that do not need to be manually set.
>> You also may find it easier if you also install the acl and attr
>> packages (they may be already installed) and use acl_xattr, so that:
>>
>> vfs objects = catia fruit streams_xattr
>>
>> Becomes:
>>
>> vfs objects = catia fruit streams_xattr acl_xattr
>> map acl inherit = Yes
>>
>> Then read up on setfacl and getfacl. These will allow you to set
>> finer control on your directories and files.
>> You would then not require the 'create', 'directory' & 'force' lines.
>>
>> Rowland
Rowland Penny
2024-Oct-25 09:09 UTC
[Samba] Optimal File Permissions for Shared Access Between Windows and Linux
On Thu, 24 Oct 2024 15:55:41 +0200 Jonathan Szalavecz via samba <samba at lists.samba.org> wrote:
> I thought with the ACL it would be easier but it is the same
> nightmare :-(
>
> john_johnk@raspberrypi:~ $ getfacl /mnt/shared/partage_de_fichiers
> getfacl: Removing leading '/' from absolute path names
> # file: mnt/shared/partage_de_fichiers
> # owner: john_johnk
> # group: sharedaccess
> # flags: -s-
> user::rwx
> group::rwx
> other::---
> default:user::rw-
> default:group::rw-
> default:group:sharedaccess:rw-
> default:mask::rw-
> default:other::---
>
> but when I create a file from DatabaseShare ...the group is wrong and
> I have the x execution which comes from nowhere :-(
>
> john_johnk@raspberrypi:~ $ ls -l /mnt/shared/partage_de_fichiers
> total 102120
>
> -rw-rwx---+ 1 john_johnk john_johnk  73979 Oct 10  2016 'Facture RAM_2.pdf'
> -rw-rwx---+ 1 john_johnk john_johnk 125627 Dec  2  2021 'Facture Tennis RNS21.pdf'
>

One of your problems is that you are using these paths for the shares:

    /mnt/shared
    /mnt/shared/partage_de_fichiers

So, anyone that needs to get into partage_de_fichiers has to traverse /mnt/shared

I would have used:

    /mnt/shared/nas
    /mnt/shared/partage_de_fichiers

This would have led to /mnt/shared being owned by root:root with '0755' permissions, this would then have given 'others' the right to traverse to the required directory. Then use the same ownership for the sub directories (which would seemingly stop anyone writing to the directory), then use 'setfacl' to give the USER the required permissions.

Rowland
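
Added example, not written by either poster: on a file that carries an extended ACL (the trailing `+` in `ls -l`), the middle permission triplet shows the ACL mask rather than the owning group's own entry, so the listing has to be read together with `getfacl`. The sketch below parses getfacl-style text and computes the effective rights; `SAMPLE_FILE_ACL` and the function names are constructed for illustration.

```python
# Added example: effective POSIX ACL rights from getfacl-style text.
# SAMPLE_FILE_ACL is constructed; its entries are assumptions, chosen so the
# listing matches the '-rw-rwx---+' seen in the thread.
SAMPLE_FILE_ACL = """\
# owner: john_johnk
# group: john_johnk
user::rw-
group::rw-
group:sharedaccess:rw-
mask::rwx
other::---
"""

def parse_acl(text):
    """Return (header, access entries, default entries) from getfacl output."""
    header, access, default = {}, {}, {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("#"):
            key, _, value = line.lstrip("# ").partition(":")
            header[key.strip()] = value.strip()
            continue
        line = line.split("#", 1)[0].strip()  # drop '#effective:' comments
        target = access
        if line.startswith("default:"):
            target, line = default, line[len("default:"):]
        parts = line.split(":")
        if len(parts) == 3:  # skip blanks and getfacl's own messages
            target[(parts[0], parts[1])] = parts[2]
    return header, access, default

def effective(entries):
    """Cap named users, the owning group and named groups by the mask."""
    mask = entries.get(("mask", ""))
    out = {}
    for (tag, who), perms in entries.items():
        if tag == "mask":
            continue
        if mask and (tag == "group" or (tag == "user" and who)):
            perms = "".join(p if m != "-" else "-" for p, m in zip(perms, mask))
        out[(tag, who)] = perms
    return out

def ls_mode(entries):
    """Regular-file mode as ls -l shows it: middle triplet is the mask if present."""
    middle = entries.get(("mask", ""), entries[("group", "")])
    plus = "+" if ("mask", "") in entries else ""
    return "-" + entries[("user", "")] + middle + entries[("other", "")] + plus

if __name__ == "__main__":
    _, acl, _ = parse_acl(SAMPLE_FILE_ACL)
    print(ls_mode(acl), effective(acl))
```

With the constructed sample, the listing shows `rwx` in the group column while every group entry is still limited to `rw-`; the special bits (setuid, setgid, sticky) and directories are left out of `ls_mode` for brevity.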