How To Force User/Group Ownership Of Files On A Samba Share

by admin

The Ask

You have a disk directory shared among Linux and Microsoft Windows clients. Multiple users need access to this directory share, but when files are created or modified from the Linux clients the Linux file permissions are applied making it difficult or impossible for the Windows clients to access these files.

You would like to share these disk resources in a homogeneous fashion.

The Solution

Depending on your overall maintenance strategy, one of the following techniques may be used.

1. Forcing User or Group Ownership

In the file /etc/samba/smb.conf you can use the directive:

force user = [user]
force group = [group]

This overrides the normal file ownership attributes for file or directory access. By default, the effective credentials of the connecting user are used. By using either (or both) of the above directives, the associated credential can be coerced to a specific value, so all file accesses on the share are performed as though the accessing process were running with the specified credential.

If the directive takes the form:

force group = +[group]

then only Linux users who are already members of [group] will have their primary group changed to [group] for the duration of the access. Linux users who are not already members of [group] are not affected by this directive.

2. Use The Directory Access Permissions

Consider the /tmp directory: it is a scratchpad which allows multiple users to create, modify or delete files. To prevent user A from deleting a file owned by user B, the directory has the sticky bit set:

$ ls -ld /tmp
drwxrwxrwt 14 root root 360 Mar 19 08:25 /tmp

Notice the t flag of the permissions: this indicates the “sticky” bit is set for the directory. Any user can create files in this directory, but only the owning user can delete the entry; without the sticky bit anyone could delete any file since the directory has world read/write/execute permissions.

1. One way to circumvent this issue is to have the shared SAMBA directory owned by the SAMBA user and group:

# /bin/mkdir [/path/to/SAMBA/share]
# /bin/chown -R [user]:[group] [/path/to/SAMBA/share]

2. Next, turn on the setgid bit for the directory to force the group credentials of any directory entry to match the group credentials of that directory:

# /bin/chmod g+s [/path/to/SAMBA/share]
# /bin/ls -ld [/path/to/SAMBA/share]
drwxrws--- 1 [user] [group] 0 Mar 19 09:07 [/path/to/SAMBA/share]

3. To see the effect, create an example directory /example as the root user, give it the group oracle and set its setgid bit. A file created within it will be owned by root, but its group will be the oracle group:

# /bin/mkdir /example
# /bin/chown root:oracle /example
# /bin/chmod g+s /example
# /bin/ls -ld /example
drwxr-sr-x 2 root oracle 4096 Mar 19 10:03 /example

4. Lastly, create a file in /example as the root user:

# id
uid=0(root) gid=0(root) groups=0(root)
# touch /example/file
# ls -ld /example /example/file
drwxrws--- 2 root oracle 4096 Mar 19 10:09 /example
-rw-r--r-- 1 root oracle    0 Mar 19 10:09 /example/file

Note that although the credentials used to create the file were root:root, the access credentials saved for the file were root:oracle; the group ownership was automatically set to the group of the directory.
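The setgid steps above, as an added shell example that is not part of the original article: it builds two directories in a temporary location, one without and one with the setgid bit, creates a file in each and compares the file's group with the directory's group. It runs unprivileged and uses a supplementary group of the current user in place of [group] (falling back to the primary group, in which case both results look alike).

```shell
#!/bin/sh
# Added example: demonstrates group inheritance via the setgid bit on a
# directory. Assumes GNU/BusyBox stat (-c %g) and a POSIX sh.

# Print the gid to use as the shared group: the first supplementary group of
# the current user if there is one, otherwise the primary group.
pick_shared_gid() {
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then
            echo "$g"
            return 0
        fi
    done
    echo "$primary"
}

# Create a share directory owned by the given gid.
# $1 = directory, $2 = gid, $3 = "setgid" to set the bit, anything else not to.
make_share_dir() {
    mkdir -p "$1"
    chgrp "$2" "$1"
    if [ "$3" = "setgid" ]; then
        chmod 2770 "$1"      # rwxrws--- : group-writable, setgid on
    else
        chmod 0770 "$1"      # rwxrwx--- : group-writable, no setgid
    fi
}

# Create an empty file in directory $1 and print the gid the file received.
create_and_report_gid() {
    : > "$1/newfile"
    stat -c %g "$1/newfile"
}

# Succeed (exit 0) when a file created in $1 inherits the directory's group.
file_inherits_group() {
    [ "$(create_and_report_gid "$1")" = "$(stat -c %g "$1")" ]
}

demo() {
    base=$(mktemp -d)
    gid=$(pick_shared_gid)
    make_share_dir "$base/plain"  "$gid" nosetgid
    make_share_dir "$base/shared" "$gid" setgid
    printf 'without setgid: file gid %s, dir gid %s\n' "$(create_and_report_gid "$base/plain")" "$gid"
    printf 'with setgid:    file gid %s, dir gid %s\n' "$(create_and_report_gid "$base/shared")" "$gid"
    rm -rf "$base"
}

demo
```

Without the setgid bit the file takes the creating process's primary group; with it the file takes the directory's group, which is what makes the share usable by every member of [group].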

Note

The setgid method described above also works if the setuid bit is used instead. In the chmod step, do this instead:

# chmod u+s [/path/to/SAMBA/share]

You could also override both the file ownership and group membership like this:

# chmod u+s,g+s [/path/to/SAMBA/share]

Although a fascinating capability, this may have limited utility.

3. Use Access Control Lists (ACL)

Access control lists, or ACLs, are a file system feature in which an extra set of file attributes is stored in addition to the normal Linux owner/group/other permissions. Using ACLs allows very fine-grained control over the exact type of access granted to a given user or group.

The file systems that SAMBA exports on Linux support access control lists, but the feature must be explicitly enabled via the acl mount attribute. It can be enabled on an already mounted file system without unmounting it:

# mount -o remount,acl [/path/to/samba/mount/point]

As an example, suppose we have a share /samba/office/ where we permit any user to write a file, but the group credential should be forced to office. We could use the command:

# mount -o remount,acl /group
# setfacl -R -d -m u::rwx,g:office:rwx,o::r-x /samba/office
# /bin/getfacl /samba/office
# file: samba/office/
# owner: root
# group: office
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group:office:rwx
default:mask::rwx
default:other::r-x

Because this is a default ACL on the directory, it is inherited by the files and subdirectories created within it.
