Hello,

I've a Samba server up and running (version 3.0.20b .deb found on samba.org on a Debian Sarge), but it's not yet in production because I'm not satisfied with some file permissions.

The file permissions I'd like to have would require files and directories to inherit owner user and owner group, with rights 770 and root.root as the owner, and the users' rights being given through the "inherit acls" option. The problem is "inherit owner" just works for the owner user, not the owner group, so a patch to add an "inherit owner group" option would be very useful.

For the ones who want the full details, here it goes:

We have one share per service (IT, R&D, commercial...). In each service the following top-level directories are created by an admin with the following rights, which can't be changed by users:

- archives : One directory per year, with a service private data and a service public data directory; files not needed any more are archived here at the beginning of each year. Same rights as below, with read/write access becoming read access.
- service stuff : Service stuff not submitted to our quality process. Read/write access for domain admins and service users.
- service private data : Service private data submitted to our quality process. Read/write access for domain admins and service users, read access for quality service members.
- service public data : Service public data (to share with other services) submitted to our quality process. Read/write access for domain admins and service users, read access for domain users.
- service templates : Service Office and other software document templates. Read/write access for domain admins and the person responsible for the template updates, read access for domain users.

I've not found something better than what I exposed at the beginning.

The problem with "inherit owner" not working for the group owner is that any newly created file belongs to "Domain Users" (the primary group for every user; many users belong to more than one service) with inherited rwx rights, thus breaking the access rights rules I want.

Thanks in advance
initiators@free.fr wrote:
| so a patch to add an "inherit owner group" option
| would be very useful.

Unix file systems already support this with the group ID bit.
Just "chmod g+s dirname".

cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm)  ------- http://www.samba.org
GnuPG Key                            ----- http://www.plainjoe.org/gpg_public.asc
"There's an anonymous coward in all of us."              --anonymous
On Mon, Nov 21, 2005 at 03:24:06PM +0100, initiators@free.fr wrote:
> Hello
>
> I've a Samba server up and running (version 3.0.20b .deb found on
> samba.org on a Debian Sarge), but it's not yet in production because I'm
> not satisfied with some file permissions.
>
> The file permissions I'd like to have would require files and
> directories to inherit owner user and owner group, with rights 770
> and root.root as the owner, and the users' rights being given through the
> "inherit acls" option.
> The problem is "inherit owner" just works for the owner user, not the
> owner group, so a patch to add an "inherit owner group" option would be
> very useful.

You do this using normal unix mechanisms - this is already built into the filesystem. Set the SGID bit on the directory. I don't want to add Samba options that duplicate filesystem features.

Jeremy.
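The following script is an added example, not code from this thread or from Samba. It shows what the SGID bit that Jerry and Jeremy point to actually does on a Linux filesystem: a file or subdirectory created inside a setgid directory takes the directory's group instead of the creator's primary group, and a new subdirectory also inherits the SGID bit itself, so the rule keeps applying further down the tree. The share layout, directory names and helper names are constructed for the demonstration; it assumes GNU coreutils and findutils (stat -c, find -perm) and needs no special group, since the test tree simply carries whatever group the running user has.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): demonstrate SGID directory
# semantics on Linux and provide an audit helper for a share tree.
# Assumes GNU coreutils/findutils. Share layout below is constructed for the demo.

set -eu

# Create a share-like tree and mark every directory 2770:
# rwx for owner and group, nothing for others, plus the SGID bit (chmod g+s).
setup_share() {
    share=$1
    mkdir -p "$share/service private data" "$share/service public data"
    find "$share" -type d -exec chmod 2770 {} +
}

# Group name of a path
group_of() { stat -c %G "$1"; }

# Symbolic mode of a path, e.g. drwxrws--- ; an 's' (or 'S') in the group
# execute position means the SGID bit is set
mode_of() { stat -c %A "$1"; }

# Create a file and a subdirectory inside a setgid directory the way a client
# would, then print "ok" only if both took the directory's group and the
# subdirectory also inherited the SGID bit. Prints a reason and returns 1 otherwise.
check_inheritance() {
    dir=$1
    : > "$dir/newfile.txt"
    mkdir "$dir/newsubdir"
    [ "$(group_of "$dir/newfile.txt")" = "$(group_of "$dir")" ] \
        || { echo "file group not inherited"; return 1; }
    [ "$(group_of "$dir/newsubdir")" = "$(group_of "$dir")" ] \
        || { echo "subdir group not inherited"; return 1; }
    case "$(mode_of "$dir/newsubdir")" in
        d?????[sS]*) ;;                      # 7th character is the group x/s slot
        *) echo "subdir did not inherit SGID"; return 1 ;;
    esac
    echo ok
}

# Audit helper: list directories under the share that lack the SGID bit, e.g.
# ones created before the bit was applied or by a tool that reset the mode.
# Empty output means every directory carries the bit.
audit_missing_sgid() {
    find "$1" -type d ! -perm -g+s
}

# Demonstration on a throwaway tree
share=$(mktemp -d)/IT
setup_share "$share"
check_inheritance "$share/service private data"
audit_missing_sgid "$share"
rm -rf "${share%/*}"
```

To see the group actually change hands, chgrp the share's subdirectories to the service groups (which needs root or membership in those groups) before running check_inheritance; in the throwaway tree above the directory group and the creator's group happen to coincide, so only the SGID inheritance check is informative there. Two caveats worth keeping in mind: the bit fixes the group, not the mode bits, so the 770/660 part of the requirement still comes from create mask / directory mask or from POSIX default ACLs (which is what Samba's "inherit acls" honours); and Thomas's "force directory mode = 2000" in the next message is the smb.conf way of ORing the SGID bit into directories Samba creates, which is redundant on Linux once the parent has it but is a useful belt-and-braces setting.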
initiators@free.fr wrote:
> Hello
>
> I've a Samba server up and running (version 3.0.20b .deb found on
> samba.org on a Debian Sarge), but it's not yet in production because I'm
> not satisfied with some file permissions.
>
> The file permissions I'd like to have would require files and
> directories to inherit owner user and owner group, with rights 770
> and root.root as the owner, and the users' rights being given through the
> "inherit acls" option.
> The problem is "inherit owner" just works for the owner user, not the
> owner group, so a patch to add an "inherit owner group" option would be
> very useful.
>
>
> For the ones who want the full details, here it goes:
>
> We have one share per service (IT, R&D, commercial...).
> In each service the following top-level directories are created by an
> admin with the following rights, which can't be changed by users:
> - archives : One directory per year, with a service private data and a
> service public data directory; files not needed any more are archived
> here at the beginning of each year. Same rights as below, with read/write
> access becoming read access.
> - service stuff : Service stuff not submitted to our quality process.
> Read/write access for domain admins and service users.
> - service private data : Service private data submitted to our quality
> process. Read/write access for domain admins and service users, read
> access for quality service members.
> - service public data : Service public data (to share with other
> services) submitted to our quality process. Read/write access for domain
> admins and service users, read access for domain users.
> - service templates : Service Office and other software document
> templates. Read/write access for domain admins and the person
> responsible for the template updates, read access for domain users.
>
> I've not found something better than what I exposed at the beginning.
>
> The problem with "inherit owner" not working for the group owner is that any
> newly created file belongs to "Domain Users" (the primary group for every
> user; many users belong to more than one service) with inherited rwx
> rights, thus breaking the access rights rules I want.
>

Why not define it explicitly in smb.conf? I'm happy with the following:

[mygroupshare]
        comment = My Group
        path = /data/shares/mygroup
        writable = yes
        valid users = @mygroup @admins
        create mode = 0660
        directory mode = 0770
        force directory mode = 2000
        force group = mygroup

Thomas
Thomas Heiligenmann wrote:
> initiators@free.fr wrote:
>> For the ones who want the full details, here it goes:
>>
>> We have one share per service (IT, R&D, commercial...).
>> In each service the following top-level directories are created by an
>> admin with the following rights, which can't be changed by users:
>> - archives : One directory per year, with a service private data and a
>> service public data directory; files not needed any more are archived
>> here at the beginning of each year. Same rights as below, with read/write
>> access becoming read access.
>> - service stuff : Service stuff not submitted to our quality process.
>> Read/write access for domain admins and service users.
>> - service private data : Service private data submitted to our quality
>> process. Read/write access for domain admins and service users, read
>> access for quality service members.
>> - service public data : Service public data (to share with other
>> services) submitted to our quality process. Read/write access for domain
>> admins and service users, read access for domain users.
>> - service templates : Service Office and other software document
>> templates. Read/write access for domain admins and the person
>> responsible for the template updates, read access for domain users.
>>
>> I've not found something better than what I exposed at the beginning.
>>
>> The problem with "inherit owner" not working for the group owner is that any
>> newly created file belongs to "Domain Users" (the primary group for every
>> user; many users belong to more than one service) with inherited rwx
>> rights, thus breaking the access rights rules I want.
>>
>
> Why not define it explicitly in smb.conf? I'm happy with the following:
>
> [mygroupshare]
>         comment = My Group
>         path = /data/shares/mygroup
>         writable = yes
>         valid users = @mygroup @admins
>         create mode = 0660
>         directory mode = 0770
>         force directory mode = 2000
>         force group = mygroup
>
>
> Thomas
>

It's explained in the "details" part.

There is one share per service, but there are people who are not members of the service accessing the share.