Wednesday, September 19, 2012

Permissions of Linux file system and Samba

After my new solid state disk lost my linux server installation I had to find a solution to go on running my server on any kind disk or device. My seldom used USB stick now bridges the time span until my SSD returns from the producer. In this context I had to setup again the Samba share of my home server which I exlpaind in the last post. Now I got some new experiences with permissions and Samba which I want to exlpain now.


Actually my files are stored in ext4 Linux file system. Typically Linux or Unix file systems only have the model of only one owner, one group and the rest of the world (others).
As I want to share some of my files in my private network with other client systems, e.g. Windows, I'm using Samba, which is (not only) a windows conform file server. When Windows (or Samba) considers permissions of files, it does it with a much more complex concept. Finally the so called effective permissions are those permissions of a file being analyzed when a user wants to access it. The effective permissions are made up of the share permissions and NTFS permissions.
I don't want to explain how these permission concepts work (you can read this at http://www.mcmcse.com/microsoft/guides/ntfs_and_share_permissions.shtml). Instead I want to come to another Linux topic dealing with these different permission concepts of the different operating systems. As you maybe know NTFS permissions allow an administrator to adjust permissions on files very detailed. To overcome the simplicity of the user-group-others Linux file permissions model there are File Access Controll Lists (ACLs). In Combination with a special configuration of a Samba share you can configure permissions as much detailed as you can do it with Windows. But step by step.

First you have to do two things to work with ACLs:
  • Install ACL tooling (sudo ap-get install acl)
  • Mount the partition that contains the directory to be configured with ACLs with a special option. In order to do this open the file /etc/fstab (maybe you do a backup before editing) and add "acl" as another mounting option spereated by a comma to the entry for the corresponding partition. In my case the modified line lokks as follows:
UUID=<The uuid for the partition>   /media/data   ext4   defaults,acl   0   2

Now the task is again to create a new shared directory where different users can create, modify and delete files and directories. To do so first the directory is created.

$sudo mkdir /media/data/share

For the following steps it is expected to have a user_x (or any other ;-) ) and a group (maybe the group users) where all users belong to that shall be allowed to work with the shares. Now the owner and group of the directory is changed as follows.

$sudo chown -R user_x:users /media/data/share

To let all (by different user that are members of the group users) created files have the group set before the SetGroupID (SGID) bit is set with the following command.

$sudo chmod -R g+s /media/data/share

When a user_x creates a subdirectory (e.g. /media/data/share/music) in the share directory, you will notice that the directory would have the permissions rwxr-xr-x, if you only configure permissions with chmod like this:

$sudo chmod -R g+rwx /media/data/share

If you have come to this point you will maybe understand the difference between NTFS permissions and Linux file permissions. When you create a new subdirectory with NTFS the permissions of the parent directory are passed to the new created directory by default. If you do this with a Linux file system like ext4 the so called user mask (umask) is used to determine the permissions to pass to the new created directory. By default the umask is set to 022. This means groups and others will be denied write permissions. Here the ACLs help to mediate between the different concepts when you share data with different systems.

The ACL tools give you options to query and change ACLs. The following paragraph shows you how you can get the actual ACL for the music directory, that you maybe created directory.

$getfacl /media/data/share/music
# file: media/data/share/music
# owner: user_x
# group: users
# flags: -s-
user::rwx
group::r-x
other::r-x

You see that user_x is the owner and only he has the option to read, write and execute files. Members of the same group only are allowed to read and execute files. This means the user user_y also belonging to the group users, won't be able to create files in that new created music directory.

To let new files and directories inherit special permissions at creation point you can set so called default permissions that will be applied to new created files and directories. You can do it with the following command:

$sudo setfacl -Rdm g::rwx /media/data/share

The result can be checked with getfacl again:

$getfacl /media/data/share
# file: media/data/share
# owner: user_x
# group: users
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x

If you create now the directory /media/data/share/videos you will see that the default permissions have been applied to the regular permissions of the directory. This is the base ACL configuration to be done when you then come to Samba.

In my last post I wrote the following two lines to be added to a share declaration in the file /etc/samba/smb.conf to get the multi system share solved.

create mask = 0775
directory mask = 0775

But with the ACLs as a tool for permission configuration and another option in Samba it is much better to configure permissions. Actually it is not really elegant to once setup permissions via linux tools and then do the same work again in a samba configuration file. It would be more comfortable when we could use our ACL configuration again. Fortunately I discovered the following two Samba settings to use the ACLs:

inherit permissions = yes
inherit acls = yes

This is the replacement for the above mentioned two lines. With setfacl you could also configure more special permissions like you would do it with NTFS. Here only a few examples:

$sudo setfacl -Rm u:bob:rwx /media/data/share

The user bob gets read, write and execute permissions, although he maybe isn't a member of the group users.

$sudo setfacl -Rm g:guests:r-x /media/data/share

The group guests gets only read and execute permissions. Assumed that others would haven't any permissions this makes sense.

I hope I could explain the problem and the solution for, of sharing data over different (file/operating) systems in a understandable way. If anyone discovers a mistake please let me know of it.

No comments:

Post a Comment