How to share directories between groups of users using ACL
From openSUSE
Introduction
As the server admin, you may need to set up a shared directory for several groups of users, each with its own permissions.
Here is the scenario:
3 groups:
- sales
- finance
- management
sales and finance can ONLY access their designated directories
management has FULL access to sales and finance directories
Users in the same group can modify each other's files, but ONLY the owner can delete a file.
To achieve that, we need to make sure that:
- each file and directory created by a user is owned by the user's group
- each file and directory created by a user is modifiable by peers in the user's group
Note: if the directory is only ever accessed through Samba, then Samba has mechanisms of its own for doing similar things, but only for an entire share. The Samba SWAT tool is one way to edit the smb.conf file and configure the share.
Detailed procedure (do this as root)
1. Ensure you have ACLs enabled
For the filesystem that will contain the shared directory, make sure ACLs are enabled. On recent openSUSE releases ACLs are enabled by default; on older releases, or on computers upgraded from older releases, they are not.
For ext3 the easiest way to check this is:
cat /etc/fstab
You should see acl among the mount options of the filesystem:
/dev/sda2 / ext3 acl,user_xattr 1 1
/dev/sda3 /home ext3 acl,user_xattr 1 2
For XFS it is available by default.
For more information about ACLs, see SDB:POSIX Access Control List Support
2. Creating groups
groupadd sales
groupadd finance
groupadd management
3. Creating users
useradd -g sales sales1
useradd -g sales sales2
useradd -g finance finance1
useradd -g finance finance2
useradd -g management boss1
useradd -g management boss2
4. Creating directories
mkdir -p /sharedir/{sales,finance}
5. Setting ownership and permission on directories
chown :sales /sharedir/sales
chown :finance /sharedir/finance
chmod 3770 /sharedir/{sales,finance}
(Mode 3770 sets the sticky bit, so that only a file's owner can delete or rename it, and the setgid bit, so that new files and subdirectories inherit the group of the parent directory.)
6. Setting ACL
setfacl -d -m group:sales:rwx /sharedir/sales
setfacl -d -m group:finance:rwx /sharedir/finance
setfacl -d -m group:management:rwx /sharedir/{sales,finance}
setfacl -m group:management:rwx /sharedir/{sales,finance}
The first two ACL commands set the default ACL for newly created files and subdirectories inside sales and finance, so that they can be read and written by the sales and finance groups respectively. The default entries carry x as well as rw: a default entry is copied to every new subdirectory, which cannot be entered without x, while ordinary files are created with mode 0666 and therefore end up read/write only.
The last two ACL commands give the management group the same access: the one with '-d' adds a default entry that is inherited by newly created files and subdirectories, and the one without '-d' adds management as a named group on the directory itself. The second one is essential; without it, the management group could not enter the directories or edit anything in them.
If a sales or finance user creates a file that they do not want management to have access to, then after the file is created they can remove management's access with:
setfacl -x group:management <file>
7. Testing
- Switch to each user with su -, then try to enter the sales and finance directories. This should succeed only for the directory of the user's own group.
- Switch to each user with su -, create a file in the designated directory, then switch to another user in the same group and try to modify the file. This should succeed.
- Still as that second user, try to delete the other user's file. This should fail.
- As boss1, enter the sales and finance directories and modify some files. This should work.
Example:
Suppose you are logged in as root and want to switch to sales1:
su - sales1
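The same procedure as a POSIX sh script. This is an added example and not part of the original article: the sample fstab text, the /sharedir default, the --apply switch and the function names are assumptions made here. share_fs_has_acl is the step 1 check as a pure text function, so it runs unprivileged; setup_share performs steps 4 to 6 for one base directory and verify_share checks the result with stat and getfacl, both of which need root, the acl package and an ACL-capable filesystem. The default ACL entries are written as rwx so that subdirectories created later can be entered; new regular files still end up read/write because the inherited mask is limited to the creating program's mode (0666 for ordinary files).

```shell
#!/bin/sh
# Added example, not from the openSUSE article. share_fs_has_acl runs
# unprivileged; setup_share and verify_share need root, setfacl/getfacl and
# an ACL-capable filesystem, so they run only when invoked with --apply.

# Constructed sample /etc/fstab (assumption): the two lines from step 1 plus
# a /boot line without acl to show a negative result.
SAMPLE_FSTAB='/dev/sda2 / ext3 acl,user_xattr 1 1
/dev/sda3 /home ext3 acl,user_xattr 1 2
/dev/sda1 /boot ext3 defaults 1 2'

# share_fs_has_acl PATH FSTAB_TEXT
# Finds the fstab entry whose mount point is the longest prefix of PATH and
# returns 0 if its options contain "acl", 1 if not, 2 if no entry matches.
# Caveat: acl can also be a filesystem default (tune2fs -l lists it under
# "Default mount options"); then it never appears in fstab at all.
share_fs_has_acl() {
    printf '%s\n' "$2" | awk -v p="$1" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == "/" || $2 == p || index(p, $2 "/") == 1 {
            if (length($2) > length(best)) { best = $2; opts = $4 }
        }
        END {
            if (best == "") exit 2
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "acl") exit 0
            exit 1
        }'
}

# setup_share BASE: steps 4 to 6 for BASE/sales and BASE/finance.
# Default entries use rwx, not rw: they are copied to every new subdirectory,
# which needs x to be entered, while new regular files stay rw because the
# inherited mask is limited to the creating program's mode (0666).
setup_share() {
    base=$1
    mkdir -p "$base/sales" "$base/finance"
    chown :sales "$base/sales"
    chown :finance "$base/finance"
    chmod 3770 "$base/sales" "$base/finance"   # sticky + setgid, as in step 5
    for grp in sales finance; do
        setfacl -d -m "group:$grp:rwx" "$base/$grp"
        setfacl -d -m group:management:rwx "$base/$grp"
        setfacl -m group:management:rwx "$base/$grp"
    done
}

# verify_share DIR GROUP: the check to run after step 6. Confirms the mode
# bits, the owning group and the ACL entries as getfacl reports them
# (GNU stat and getfacl -p assumed). Returns 1 on the first mismatch.
verify_share() {
    dir=$1
    grp=$2
    acl=$(getfacl -p "$dir" 2>/dev/null) || { echo "getfacl failed on $dir" >&2; return 1; }
    [ "$(stat -c %a "$dir")" = 3770 ] || { echo "$dir: mode is not 3770" >&2; return 1; }
    [ "$(stat -c %G "$dir")" = "$grp" ] || { echo "$dir: group is not $grp" >&2; return 1; }
    for entry in "group:management:rwx" "default:group:management:rwx" "default:group:$grp:rwx"; do
        printf '%s\n' "$acl" | grep -qx "$entry" || { echo "$dir: missing ACL entry $entry" >&2; return 1; }
    done
    echo "$dir: ok"
}

# Usage (as root): sh share_acl.sh --apply [/sharedir]
if [ "${1:-}" = "--apply" ]; then
    base=${2:-/sharedir}
    setup_share "$base"
    verify_share "$base/sales" sales && verify_share "$base/finance" finance
fi
```

Run it once as root with --apply after creating the groups (steps 2 and 3); rerunning verify_share later is a cheap way to confirm that nobody has changed the mode bits or dropped the management entries.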
Conclusion and notes
So we can use ACLs to tune directory and file permissions to meet our needs. ACLs are compatible with Samba too. For more information:
- man setfacl
- man getfacl
Hopefully this short write-up helps.
Thank you to all friends on the openSUSE mailing list.
Fajar Priyanto User_talk:Fajarpri
Keywords: acls | samba | getfacl | setfacl | chacl