Group Level Permissions
-
@dafyre said in Looking to have good and easy control over the shared folders [permissions] on File Server (Windows Server 2012).:
@Dashrender said in Looking to have good and easy control over the shared folders [permissions] on File Server (Windows Server 2012).:
@dafyre said in Looking to have good and easy control over the shared folders [permissions] on File Server (Windows Server 2012).:
@Dashrender This doesn't help the OP, but it can definitely be done with SAMBA on Linux.
We do that here, and have to muck around with the department permissions and such from time-to-time.
I'd love to see a screen shot of how that looks at the share or folder level.
In the /etc/samba/smb.conf file, in our global section, we have
create mask = 0660
directory mask = 0770
Adjust permissions accordingly.
For what he wants, it'd likely be something like
create mask = 0650
directory mask = 0770
At the share level.
Edit: @Dashrender reminded me of one additional command that is needed to grant the groups appropriate access to a folder: the setfacl command. @Dashrender mentioned to me offline that it'd be a good idea to get feedback on that command setup.
That is what we are doing here as best I can tell. My account doesn't have privileges to get at the File system ACLs.
Tagging @scottalanmiller and @JaredBusch
-
Shouldn't the create mask be 0640?
We have project directories and they are managed with the setgid. That way the files are always owned by the user:project group.
You can use ACLs too, but you would need to set the default ACL at the top directory.
setfacl -dm g:groupname:rwX dir/
-
I don't understand how we get the end result previously asked for.
Bob - member of group1
John - member of group2
Bob creates a file in folder \server\share\folder1\file1
The permissions on this should be bob = owner, group1 = R/W and group2 = read only
John creates a file in that same folder \server\share\folder1\file2
The permissions should be John = owner, group2 = R/W and group1 = read only
I don't see from those commands how the read only is applied to all other groups automatically, yet R/W is applied to the same group as the creator.
Someone might need to do a literal step by step break down so I can follow it - I R's linux dumb.
-
@Dashrender said in Group Level Permissions:
I don't understand how we get the end result previously asked for.
Bob - member of group1
John - member of group2
Bob creates a file in folder \server\share\folder1\file1
The permissions on this should be bob = owner, group1 = R/W and group2 = read only
John creates a file in that same folder \server\share\folder1\file2
The permissions should be John = owner, group2 = R/W and group1 = read only
I don't see from those commands how the read only is applied to all other groups automatically, yet R/W is applied to the same group as the creator.
Someone might need to do a literal step by step break down so I can follow it - I R's linux dumb.
In that case you would just change the ACL for the second group.
setfacl -dm g:group1:rwX /directory
setfacl -dm g:group2:r-X /directory
setfacl -dm o::- /directory
Now group 1 has rw, group2 has ro, and others have none.
As long as Bob and John are in the correct group, they will pull in the correct ACLs.
Here is what the ACLs will look like. (test directory I made). Media group has rw, qemu group is ro.
# file: test
# owner: jhooks
# group: jhooks
user::rwx
group::r-x
other::---
default:user::rwx
default:group::rwx
default:group:qemu:r-x
default:group:media:rwx
default:mask::rwx
default:other::---
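An added example (mine, not from the thread) that models what the default ACL above does to new files and how the kernel's access check reads the result. It parses the getfacl output posted above, derives the ACL a new file inherits (created with mode 0666; the umask is bypassed when a default ACL exists), and answers per-user questions; it also evaluates the directory's own access entries, since those, not the default entries, govern entering the directory. The users `bob` and `john` and their group memberships are assumed for illustration.

```python
# Constructed input: the getfacl output posted above, one entry per line.
GETFACL = """\
# file: test
# owner: jhooks
# group: jhooks
user::rwx
group::r-x
other::---
default:user::rwx
default:group::rwx
default:group:qemu:r-x
default:group:media:rwx
default:mask::rwx
default:other::---
"""
MODE = {"r": 4, "w": 2, "x": 1}

def parse(text):
    """getfacl text -> (access, default) dicts keyed by (tag, qualifier)."""
    access, default = {}, {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            tag, qual, perms = line.removeprefix("default:").split(":")
            target = default if line.startswith("default:") else access
            target[(tag, qual)] = set(perms) - {"-"}
    return access, default

def inherit(default, mode):
    """ACL a new object created with `mode` gets under `default`: user:: and other::
    are ANDed with the mode, mask:: (group:: if no mask) with its group bits."""
    from_mode = lambda shift: {c for c, b in MODE.items() if (mode >> shift) & b}
    acl = {k: set(v) for k, v in default.items()}   # copy; named entries stay as-is
    acl[("user", "")] &= from_mode(6)
    acl[("other", "")] &= from_mode(0)
    acl[("mask", "") if ("mask", "") in acl else ("group", "")] &= from_mode(3)
    return acl

def allowed(acl, owner, owning_group, user, groups, want):
    """POSIX.1e check: owner, then named user, then matching groups under the mask, else other."""
    want, mask = set(want), acl.get(("mask", ""), set("rwx"))
    if user == owner:
        return want <= acl[("user", "")]
    if ("user", user) in acl:
        return want <= acl[("user", user)] & mask
    keys = [("group", "" if g == owning_group else g) for g in groups]
    matches = [acl[k] for k in keys if k in acl]
    if matches:                      # any one matching group entry suffices
        return any(want <= p & mask for p in matches)
    return want <= acl[("other", "")]
```

Run `allowed(inherit(parse(GETFACL)[1], 0o666), "bob", "bob", "john", ["john", "qemu"], "w")` to see that a qemu member can read but not write a file Bob created.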
-
@stacksofplates said in Group Level Permissions:
@Dashrender said in Group Level Permissions:
I don't understand how we get the end result previously asked for.
Bob - member of group1
John - member of group2
Bob creates a file in folder \server\share\folder1\file1
The permissions on this should be bob = owner, group1 = R/W and group2 = read only
John creates a file in that same folder \server\share\folder1\file2
The permissions should be John = owner, group2 = R/W and group1 = read only
I don't see from those commands how the read only is applied to all other groups automatically, yet R/W is applied to the same group as the creator.
Someone might need to do a literal step by step break down so I can follow it - I R's linux dumb.
In that case you would just change the ACL for the second group.
setfacl -dm g:group1:rwX /directory
setfacl -dm g:group2:r-X /directory
setfacl -dm o::- /directory
Now group 1 has rw, group2 has ro, and others have none.
As long as Bob and John are in the correct group, they will pull in the correct ACLs.
Here is what the ACLs will look like. (test directory I made)
# file: test
# owner: jhooks
# group: jhooks
user::rwx
group::r-x
other::---
default:user::rwx
default:group::rwx
default:group:qemu:r-x
default:group:media:rwx
default:mask::rwx
default:other::---
Using your example, the problem with this is that the qemu group also needs to be able to put files into that directory, but if I'm reading this correctly, they can only read files already there.
-
@stacksofplates Right.
But Bob needs to be able to create files in that folder as well as John.
So John should be able to create and modify files that he owns, as well as those that are owned by his group.
Edit: I see your getfacl output now.
-
@Dashrender said in Group Level Permissions:
@stacksofplates said in Group Level Permissions:
@Dashrender said in Group Level Permissions:
I don't understand how we get the end result previously asked for.
Bob - member of group1
John - member of group2
Bob creates a file in folder \server\share\folder1\file1
The permissions on this should be bob = owner, group1 = R/W and group2 = read only
John creates a file in that same folder \server\share\folder1\file2
The permissions should be John = owner, group2 = R/W and group1 = read only
I don't see from those commands how the read only is applied to all other groups automatically, yet R/W is applied to the same group as the creator.
Someone might need to do a literal step by step break down so I can follow it - I R's linux dumb.
In that case you would just change the ACL for the second group.
setfacl -dm g:group1:rwX /directory
setfacl -dm g:group2:r-X /directory
setfacl -dm o::- /directory
Now group 1 has rw, group2 has ro, and others have none.
As long as Bob and John are in the correct group, they will pull in the correct ACLs.
Here is what the ACLs will look like. (test directory I made)
# file: test
# owner: jhooks
# group: jhooks
user::rwx
group::r-x
other::---
default:user::rwx
default:group::rwx
default:group:qemu:r-x
default:group:media:rwx
default:mask::rwx
default:other::---
Using your example, the problem with this is that the qemu group also needs to be able to put files into that directory, but if I'm reading this correctly, they can only read files already there.
Ah ok. The only way to do that is with the sticky bit and that's per user.
-
OK @stacksofplates and I were talking - how about setting up folders like
\server\share\projects\project-abc\IT
\server\share\projects\project-abc\group1
\server\share\projects\project-abc\group2
etc.
Then you set R/W to the department for each folder and read only to the rest.
Yeah, you'll have to dig a bit more to find who did what, but you get what you want permissions-wise.
-
@Dashrender That looks to be easier by far than setting up RBAC or mucking around with ACLs on a per-file basis.
-
@dafyre said in Group Level Permissions:
@Dashrender That looks to be easier by far than setting up RBAC or mucking around with ACLs on a per-file basis.
Yeah, the OP can thank @stacksofplates for the suggestion.