[plug] Permissions on group writable directories, ACLs, NFS and Samba

Simon Newton newtons at iinet.net
Wed Jul 27 09:51:48 WST 2005


Hi List,

I've got a system with a directory that all members of a group (say
accounts) should have write access to.

Currently it's set up like so:

rwxrws---  2 root accounts 4096 2005-07-23 15:24 accounts

The primary group of each user is a group by the same name, and the
umask is set to 0002. This all works well as the system home directories
are kept read/writable by only the user, and files created in the shared
directories have the correct permissions set.

The home and shared directories are shared via Samba and NFS to the
client workstations.

The system is using LDAP for authentication. For a small number of users I
didn't mind creating a new group for each user, but it's quickly becoming
annoying. I'd much prefer if all users had a primary group of staff for
example.

Unfortunately I can't see how the above example will work if this is the
case. Here is my reasoning:

If the user's primary group is staff, they can't have a umask of 0002 as
it will make home directories writable by all members of the group. So
the umask must be 0022.

Which means I now need to force group read/write permissions on files
created within the accounts directory. This is easy enough to do under
Samba (force create mask) but I couldn't see a way to do a similar thing
under Linux (for the NFS clients).

Until I found out about POSIX acls. Setting the default mask does
exactly what I want. All files created within the shared directories
have the correct permissions.

But now it doesn't look like POSIX acls are supported by NFS. So now I'm
thinking of just using Samba to share the filesystem, and using pam_mount to
make sure the correct shares are mounted upon logon.

I really must have missed something simple here. It seems like a lot of effort
to get something really simple to work :(

Can anyone shed some light on this ?

Regards,

Simon
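An added shell example (not from Simon's post or from any project code) that reproduces the permission behaviour the post describes on a scratch directory: a setgid rwxrws--- directory, the modes that umask 0002 and 0022 produce in it (the 0002 result, 664, is the same mode a file in a home directory would get, which is the problem with a shared staff primary group), and, where setfacl/getfacl are installed and the filesystem supports POSIX ACLs, the effect of a default ACL. One detail worth knowing: once a directory carries a default ACL, the umask is not applied to files created in it at all; the file's initial mode (0666 for ordinary files) is capped by the default ACL entries instead, which is why the group ends up with rw- even under umask 0022. Assumptions are labelled in the comments: a Linux userland with GNU stat (a BSD stat fallback is included), and a directory owned by the caller's own group rather than a real accounts group, since chgrp needs that group to exist.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Demonstrates: a setgid shared directory (rwxrws---), what umask 0002 vs
# 0022 does to files created in it, and (if setfacl/getfacl exist and the
# filesystem accepts ACLs) how a default ACL gives the group write access
# under umask 0022. Once a default ACL applies, the umask is ignored and the
# creation mode 0666 is capped by the default ACL entries instead.
# Assumptions: Linux userland with GNU stat (BSD stat fallback below); the
# directory stays in the caller's own group rather than a real "accounts"
# group, because chgrp to that group would need it to exist on this box.

# Print a path's permission bits in octal, e.g. 2770 for the directory
# and 664 for a group-writable file.
octal_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Set up a shared directory the way the post has "accounts": rwxrws---.
# The setgid bit (the leading 2) makes new files inherit the directory's
# group instead of the creating user's primary group.
make_shared_dir() {
    mkdir -p "$1" && chmod 2770 "$1"
}

# Create an empty file named $3 in directory $1 under umask $2 and print
# its mode. The subshell keeps the umask change from leaking to the caller.
mode_with_umask() {
    ( umask "$2" && : > "$1/$3" ) || return 1
    octal_mode "$1/$3"
}

# Give directory $1 a default ACL of g::rwx, create file $2 under umask
# 0022 and print the file's group entry as getfacl reports it ("rw-").
# Prints "unsupported" when the ACL tools are missing or the filesystem
# refuses the default ACL, so the rest of the demo still runs.
group_entry_with_default_acl() {
    if ! command -v setfacl >/dev/null 2>&1 || ! command -v getfacl >/dev/null 2>&1; then
        echo unsupported; return 0
    fi
    setfacl -d -m g::rwx "$1" 2>/dev/null || { echo unsupported; return 0; }
    ( umask 0022 && : > "$1/$2" ) || return 1
    getfacl --omit-header "$1/$2" 2>/dev/null | sed -n 's/^group::\(...\)$/\1/p'
}

# Walk through the cases from the post on a throwaway directory.
demo() {
    base=$(mktemp -d)
    make_shared_dir "$base/accounts"
    echo "directory mode:                 $(octal_mode "$base/accounts")"
    echo "umask 0002, file mode:          $(mode_with_umask "$base/accounts" 0002 a.txt)"
    echo "umask 0022, file mode:          $(mode_with_umask "$base/accounts" 0022 b.txt)"
    echo "umask 0022 + default ACL, group: $(group_entry_with_default_acl "$base/accounts" c.txt)"
    rm -rf "$base"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh example.sh demo` to print the four results. Whether the default ACL is also visible on the NFS clients depends on the NFS version and on ACL support at both ends (NFSv3 only carries POSIX ACLs through the separate NFSACL side protocol, and NFSv4 maps them onto its own ACL model), so the check that matters is running getfacl and creating a test file on a client mount, not only on the server.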
