The Ask
You have a disk directory shared among Linux and Microsoft Windows clients. Multiple users need access to this directory share, but when files are created or modified from the Linux clients the Linux file permissions are applied making it difficult or impossible for the Windows clients to access these files.
You would like to share these disk resources in a homogeneous fashion.
The Solution
Depending on your over-all maintenance strategy one of these following techniques may be used.
1. Forcing User or Group Ownership
In the file /etc/samba/smb.conf you can use the directive:
force user = [user] force group = [group]
This will override the normal file ownership attributes for file or directory access. Be default, the effective user credentials are used. By using either (or both) of the above directives, the associated credential can be coerced to a specific value. Thus, all the file accesses will be performed as though the accessing process was running with the specified credential.
If the directive takes the form:
force group = +[group]
then only Linux users who are already members of [group] will have their primary group changed to [group] for the duration of the access. Linux users not already members of the [group] are not affected by this directive.
2. Use The Directory Access Permissions
Consider the /tmp director: it is a scratchpad which allows multiple users to create, modify or delete files. To prevent user A from deleting a file owned by user B, the directory has the sticky bit set:
$ ls -ld /tmp drwxrwxrwt 14 root root 360 Mar 19 08:25 /tmp
Notice the t flag of the permissions: this indicates the “sticky” bit is set for the directory. Any user can create files in this directory, but only the owning user can delete the entry; without the sticky bit anyone could delete any file since the directory has world read/write/execute permissions.
1. One way to circumvent this issue is to have the shared SAMBA directory to be owned by the SAMBA user:
# /bin/mkdir [/path/to/SAMBA/share] # /bin/chown -R [user]:[group] -R [/path/to/SAMBA/share]
2. Next, turn on the setgid bit for the directory to force the group credentials of any directory entry to match the group credentials of that directory:
# /bin/chmod g+s [/path/to/SAMBA/share] # /bin/ls -ld [/path/to/SAMBA/share] drwxrws--- 1 [user] [group] 0 Mar 19 09:07 [/path/to/SAMBA/share]
3. Now create a file within the [/path/to/SAMBA/share] as the root user. The file will be owned by root but its group will be the [group] group:
# /bin/mkdir /example # /bin/chown root:oracle /example # /bin/chmod g+s /example # /bin/ls -ld /example drwxr-sr-x 2 root oracle 4096 Mar 19 10:03 /example
4. Lastly, create a file in /example as the root user:
# id uid=0(root) gid=0(root) groups=0(root) # touch /example/file # ls -ld /example /example/file drwxrws--- 2 root oracle 4096 Mar 19 10:09 /example -rw-r--r-- 1 root oracle 0 Mar 19 10:09 /example/file
Note that although the credentials used to create the file were root:root, the access credentials saved for the file were root:oracle; the group ownership was automatically set to the group of the directory.
Note
The setgid method described above also works if the setuid bit is used instead. In the chmod step, do this instead:
# chmod u+s [/path/to/SAMBA/share]
You could also override both the file ownership and group membership like this:
# chmod u+s,g+s [/path/to/SAMBA/share]
Although a fascinating capability, this may have limited utility.
3. Use Access Control Lists (ACL)
Access control lists, or ACL, are file system features where an extra set of file attributes stored in addition to the normal Linux file owner/group/other permissions. Using ACL allows a very fine-grained control over the exact type of access to be granted to a given access type.
The SAMBA file system implementation on Linux supports access control lists, but the feature must be explicitly enabled via the acl mount attribute. It is possible to enable this feature dynamically, as:
# mount -o remount,acl [/path/to/samba/mount/point]
As an example, suppose we have a share /samba/office/ where we permit any user to write a file, but the group credential should be forced to office. We could use the command:
# mount -o remount,acl /group # setfacl -R -d -m u::rwx,g:office:rwx,o::r-x /samba/office
# /bin/getfacl /samba/office # file: samba/office/ # owner: root # group: office user::rwx group::rwx other::rwx default:user::rwx default:group:office:rwx default:mask::rwx default:other::r-x
As we are establishing this ACL for the directory, it applies to its contained files and subdirectories.