restricting access to subdirectory globally accessible - Linux / Unix Administration

  1. #1

    restricting access to subdirectory globally accessible

    [apologies if this is multi-posted - I had some errors with linux.samba]

    I have a samba server that shares a directory called "projects",
    subdirectories of which are, funnily enough, each project for our
    company. Each project's directory has a file hierarchy like this:

    job no & name - correspondence - certificates
                                   - email-attachments-in
                                   - email-attachments-out
                                   - faxes
                                   - fee-proposals
                                   - letters
                                   - reports
                                   - specifications
                  - design - spreadsheets
                           - analysis
                           - drawings
                           - photos

    and so on. Everyone is a member of group "staff", there are some users
    that are also members of group "admin" who I want to be the only ones
    that can access the "fee-proposals" directory (at present everyone can
    access it and the bosses don't like that).

    Here is the current extract from /etc/samba/smb.conf :

    [Projects]
    comment = Projects Directory
    path = /office/projects
    public = no
    writable = yes
    write list = staff
    create mask = 0775
    directory mask = 0775
    force create mode = 0660
    force directory mode = 0770

    I don't know how to have different permissions on the subdir.

    Thanks. Not sure if I posted enough details here - let me know if more
    info required.

    --
    Troy Piggins
    Where I live: 27 27 44 S 153 02 28 E
    http://earth.google.com
    Troy Guest

  2. #2

    Re: restricting access to subdirectory globally accessible

    In article <com>,
    Troy Piggins <com> wrote:
     

    You could change the group owner of the fee-proposals directory to
    "admin", with a specific person or account being the directory's owner.
    That way, staff won't have access, just "admin". The problem is that
    jobs will have to have a fixed structure to which it must be adhered to
    maintain this security. Either create new jobs directories with a
    script or use a blank one and duplicate it.

    I originally thought ACLs might be useful here, but I don't know if Linux
    (what version of the kernel) would implement it correctly nor if Samba
    would utilize them. They work on Solaris 7 with Samba, but Linux is a
    different, somewhat flaky beast. But you should be OK with regular
    groups and permissions here.

    --
    DeeDee, don't press that button! DeeDee! NO! Dee...



    Michael Guest

  3. #3

    Re: restricting access to subdirectory globally accessible

    * Michael Vilain wrote: 
    >
    > You could change the group owner of the fee-proposals directory to
    > "admin", with a specific person or account being the directory's owner.
    > That way, staff won't have access, just "admin". The problem is that
    > jobs will have to have a fixed structure to which it must be adhered to
    > maintain this security. Either create new jobs directories with a
    > script or use a blank one and duplicate it.

    Ok. So for the "template" directory, make sure the linux group
    permissions are for "admin" on that "fee proposals" directory and
    "staff" for all others. I understand how that works for the directory
    being accessed for linux users.

    But I thought the staff directive in [Projects] may override when the
    directory is accessed through samba and allow all to see it.

    Also I was sure I'd tried something like this before, and when someone
    set up a new project by copying the "template" directory structure to
    the "projects" directory, all the permissions were lost/changed and all
    staff could access the subdirectories.
     

    I would've thought they /do/ work, I just don't know anything about them
    or how to set them up - I just know they exist... might look into it.

    Thanks.

    --
    Troy Piggins
    Where I live: 27 27 44 S 153 02 28 E
    http://earth.google.com
    Troy Guest

  4. #4

    Re: restricting access to subdirectory globally accessible

    In article <piggo.com>,
    Troy Piggins <com> wrote:
     
    > >
    > > You could change the group owner of the fee-proposals directory to
    > > "admin", with a specific person or account being the directory's owner.
    > > That way, staff won't have access, just "admin". The problem is that
    > > jobs will have to have a fixed structure to which it must be adhered to
    > > maintain this security. Either create new jobs directories with a
    > > script or use a blank one and duplicate it.
    >
    > Ok. So for the "template" directory, make sure the linux group
    > permissions are for "admin" on that "fee proposals" directory and
    > "staff" for all others. I understand how that works for the directory
    > being accessed for linux users.
    >
    > But I thought the staff directive in [Projects] may override when the
    > directory is accessed through samba and allow all to see it.
    >
    > Also I was sure I'd tried something like this before, and when someone
    > set up a new project by copying the "template" directory structure to
    > the "projects" directory, all the permissions were lost/changed and all
    > staff could access the subdirectories.

    >
    > I would've thought they /do/ work, I just don't know anything about them
    > or how to set them up - I just know they exist... might look into it.
    >
    > Thanks.

    I looked up the syntax of samba.conf on www.samba.org and they discuss
    three security modes (assuming you're running Samba > V2.0). If you map
    Linux users to Windows users, then you can map the service as
    SECURITY=USER. Here, you have to maintain the list of users on the
    Linux system and I think the PDC, unless samba is also being your PDC.
    Then, I think the service created will use the Linux usernames for file
    access and that solves your problem. If you have a separate PDC and
    samba is only doing file and print services on a high level, you set
    SECURITY=SHARE and the service uses guest shares and no UNIX permissions
    are enforced (I think).

    I'm hazy as to how Samba will do this and it looks like you'll have to
    do some serious reading on it to fully understand it and get the
    behavior you want. There's this

    http://us1.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

    and some books samba.org provides:

    http://www.amazon.com/gp/product/0131453556
    http://www.amazon.com/gp/product/0131472216

    Good luck. This doesn't look to be a simple configuration thing.
    You'll have to carefully think out your architecture to get it served
    properly.

    --
    DeeDee, don't press that button! DeeDee! NO! Dee...



    Michael Guest
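
The suggestion in #2 (create each job directory with a script, with fee-proposals group-owned by "admin"), written out as an added example that is not part of the thread. The function names `new_project` and `mode_and_group`, the nesting under correspondence/ and design/, and the 2770 mode are assumptions; the group names default to the thread's "staff" and "admin".

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Layout follows the first post's listing
# (nesting under correspondence/ and design/ is assumed).

# new_project ROOT NAME [STAFF_GROUP] [ADMIN_GROUP]
# Runs in a subshell so the umask change does not leak to the caller.
new_project() (
    root=$1 name=$2 staff=${3:-staff} admin=${4:-admin}
    # Reject names that are empty or would land outside ROOT.
    case $name in ''|.|..|*/*) echo "bad project name" >&2; exit 2 ;; esac
    proj=$root/$name
    [ -e "$proj" ] && { echo "$proj already exists" >&2; exit 1; }

    umask 077   # nothing is group-reachable until modes are set below
    mkdir -p "$proj/correspondence" "$proj/design" || exit 1
    for d in certificates email-attachments-in email-attachments-out faxes \
             fee-proposals letters reports specifications; do
        mkdir "$proj/correspondence/$d" || exit 1
    done
    for d in spreadsheets analysis drawings photos; do
        mkdir "$proj/design/$d" || exit 1
    done

    # Whole tree: group staff, rwx for owner and group, nothing for others.
    # setgid (the leading 2) makes new entries inherit the directory's group.
    chgrp -R "$staff" "$proj" || exit 1
    find "$proj" -type d -exec chmod 2770 {} + || exit 1

    # fee-proposals: same mode but group admin, so staff-only users are "other".
    chgrp "$admin" "$proj/correspondence/fee-proposals" || exit 1
    chmod 2770 "$proj/correspondence/fee-proposals" || exit 1
)

# mode_and_group PATH -> octal mode and group name, e.g. "2770 admin" (GNU stat)
mode_and_group() { stat -c '%a %G' "$1"; }
```

With the share as posted (no `force user` or `force group`), smbd opens files as the connected Unix user, so `write list` cannot grant what the directory's group and mode deny. Setting ownership explicitly in the script also avoids depending on a template copy preserving it.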
