Hi list

I have trouble setting up the system permissions to be secure. Here is my basic setup.

2 groups: users and staff

/home/user should have the permissions user:users rwx------
/mnt/staff should have the permissions user:staff rwxrwx---
For the last one users shouldn't have access.

I test with e.g.: user=staffuser, primarygroup: users, member of group: staff

If I set up the permissions as suggested above, I can create files but can't change them. So it seems I have the right permissions to create files but afterwards I don't. The files are created with the right permissions, username and group: staffuser:staff.
So why can't the staffuser who is in the staff group access the files after initial creation?

The only solution I could find was to set permissions to 777. And that can't be right.

My smb.conf: http://pastebin.com/m4a04dfd2

Thanks in advance.

Dennis
On Tue, May 26, 2009 at 12:13 PM, Dennis Duggen <dennis@riberhusprivatskole.dk> wrote:
> Hi list
>
> I have trouble setting up the system permissions to be secure. Here is my
> basic setup.
>
> 2 groups: users and staff
>
> /home/user should have the permissions user:users rwx------
> /mnt/staff should have the permissions user:staff rwxrwx---
> For the last one users shouldn't have access.
>
> I test with e.g.: user=staffuser, primarygroup: users, member of group: staff
>
> If I set up the permissions as suggested above, I can create files but
> can't change them. So it seems I have the right permissions to create
> files but afterwards I don't. The files are created with the right
> permissions, username and group: staffuser:staff.
> So why can't the staffuser who is in the staff group access the files
> after initial creation?
>
> The only solution I could find was to set permissions to 777. And that
> can't be right.
>
> My smb.conf: http://pastebin.com/m4a04dfd2

I don't see any share for /home/user and /mnt/staff in your smb.conf. If you create a file in a share, what system permissions do you get? Paste them in rwx style.
Hi,

I have a quite similar setup (maybe a little bit more complex, since my users can also save files via SSH) and a problem that I couldn't rename/edit existing office (Word/Excel/...) documents under Windows XP. My solution was to disable 'nt acl support' by setting:

    nt acl support = no

in the '[global]' section. Maybe this helps for you, since the problem sounds pretty much the same.

Regards
---
Mr. Olli

On Tue, 2009-05-26 at 11:13 +0200, Dennis Duggen wrote:
> Hi list
>
> I have trouble setting up the system permissions to be secure. Here is my
> basic setup.
>
> 2 groups: users and staff
>
> /home/user should have the permissions user:users rwx------
> /mnt/staff should have the permissions user:staff rwxrwx---
> For the last one users shouldn't have access.
>
> I test with e.g.: user=staffuser, primarygroup: users, member of group: staff
>
> If I set up the permissions as suggested above, I can create files but
> can't change them. So it seems I have the right permissions to create
> files but afterwards I don't. The files are created with the right
> permissions, username and group: staffuser:staff.
> So why can't the staffuser who is in the staff group access the files
> after initial creation?
>
> The only solution I could find was to set permissions to 777. And that
> can't be right.
>
> My smb.conf: http://pastebin.com/m4a04dfd2
>
> Thanks in advance.
>
> Dennis
On Tuesday 26 May 2009 11:13:13, Dennis Duggen wrote:
> Hi list
>
> I have trouble setting up the system permissions to be secure. Here is my
> basic setup.
>
> 2 groups: users and staff
>
> /home/user should have the permissions user:users rwx------
> /mnt/staff should have the permissions user:staff rwxrwx---
> For the last one users shouldn't have access.
>
> I test with e.g.: user=staffuser, primarygroup: users, member of group:
> staff
>
> If I set up the permissions as suggested above, I can create files but
> can't change them. So it seems I have the right permissions to create
> files but afterwards I don't. The files are created with the right
> permissions, username and group: staffuser:staff.
> So why can't the staffuser who is in the staff group access the files
> after initial creation?
>

You did look at the permissions the files had in the directory after they have been created by staffuser?

I *suppose* the staffuser has the default umask of 022, which means no write permissions for group "staff" ... and since the parent directory belongs to "user", not "staffuser", no permission to modify/delete.

We still don't know if you have applied some "force create ..." stanzas to the share in smb.conf or other directives to modify permissions.
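
The umask effect supposed in the last reply, as an added example that is not part of the thread: a scratch directory from mktemp stands in for /mnt/staff, and all function names are hypothetical. It creates one file under umask 022 and one under umask 007, then lists the files that group members cannot write, which is the check to run on the real share before reaching for 777.

```shell
#!/bin/sh
# Added illustration; the scratch directory is constructed and stands in
# for a group-shared directory such as /mnt/staff.

# Print the 10-character type/permission string of a path, e.g. -rw-r--r--.
# cut drops any trailing ACL or SELinux marker that ls may append.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Create file $3 in directory $2 under umask $1 and print its permissions.
# The subshell keeps the umask change from leaking into the caller.
create_with_umask() {
    ( umask "$1" && : > "$2/$3" ) || return 1
    perm_string "$2/$3"
}

# List regular files under $1 that lack the group write bit (octal 020).
files_without_group_write() {
    find "$1" -type f ! -perm -020 | sort
}

demo() {
    share=$(mktemp -d) || return 1
    chmod 770 "$share"    # rwxrwx--- as intended for the staff directory
    echo "umask 022 -> $(create_with_umask 022 "$share" a.txt)"
    echo "umask 007 -> $(create_with_umask 007 "$share" b.txt)"
    echo "files the group cannot write:"
    files_without_group_write "$share"
    rm -rf "$share"
}

demo
```

Run against the real share path, files_without_group_write shows which existing files would still block other group members after the creation mask is corrected.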