From: Alan McKinnon
To: gentoo-user@lists.gentoo.org
Subject: Re: how to share a directory tree with files in it with multiple users (Re: [gentoo-user] local shared directory)
Date: Sun, 8 May 2016 01:24:12 +0200
Message-ID: <2bc1d7a6-5afe-c03d-8408-8bba4716318e@gmail.com>
In-Reply-To: <572E05FB.3000101@gc-24.de>

On 07/05/2016 17:12, hw wrote:
> Michael Orlitzky wrote:
>> On 04/23/2016 10:42 AM, hw wrote:
>>>
>>> Has it become entirely impossible to share a directory tree and the
>>> files in it with multiple users when Linux is involved? This should be
>>> a very simple thing to accomplish.
>>>
>>
>> It was never possible. It's ridiculous, but there it is. The UNIX
>> permissions model is too simple. ACLs were bolted on top, but most tools
>> retain legacy behavior with respect to group masks that breaks default
>> ACLs. You're seeing that same problem with your Samba share.
>>
>> Filesystem permissions are one thing that Windows got right. There's
>> ongoing work to bring that model to Linux,
>>
>> https://en.wikipedia.org/wiki/Richacls
>>
>> but they're going to make the same mistake again[0] and allow the group
>> bits to act as a mask. That means mkdir, tar, cp, 7z -- anything that
>> tries to mess with group bits -- isn't going to work. They'll be DOA
>> just like POSIX ACLs were.
>>
>> I think you can manage this with incron and POSIX ACLs. Instead of
>> running "chmod g+w", use sys-apps/apply-default-acl to reset the
>> permissions to the defaults that you set.
>>
>> I wrote apply-default-acl to solve exactly this problem. You just need
>> to figure out a way to run it whenever things get screwed up. Which
>> means, whenever a file or directory is created.
>>
>>
>> [0] http://www.bestbits.at/richacl/man/richacl.7.txt
>>
>> Changing the file mode permission bits:
>>
>> When changing the file mode permission bits with chmod(1), the
>> owner, group, and other file permission bits are set to the
>> permission bits in the new mode... In addition, the masked and
>> write_through ACL flags are set. This has the effect of limiting the
>> permissions granted by the ACL to the file mode permission bits...
>>
>>
>
> Hm, I'm confused. Is it not possible to somehow force
> samba to set a user and a group as owners of a file or
> of a directory which is being created on a share?
>
> If that was possible, couldn't I mount that share with
> the uid and gid of the owner and group samba enforces,
> which would then allow multiple local users to access
> the files and directories on that share as one?

Now you've added a whole new wrinkle that was never mentioned before - samba.

Yes, samba can enforce the permissions you want on file system objects in
shares it controls. To be accurate, it runs as root and presents the perms
you want to the user, but only when accessing the files via samba.

Look at these options in smb.conf

create mask = 664
force create mode = 664
security mask = 664
force security mode = 664
directory mask = 2775
force directory mode = 2775
directory security mask = 2775
force directory security mode = 2775

With this you can achieve what you want, but you have to ensure that samba
is the only way the users can access the files.

I'm assuming you completely and correctly understand umask.

-- 
Alan McKinnon
alan.mckinnon@gmail.com
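The two mechanisms the thread argues about can be checked on paper before touching a server. The following is an added, constructed Python model (not code from the mailing list, from Samba, or from apply-default-acl). Part 1 applies the rule from smb.conf(5) for "create mask"/"force create mode" (AND with the mask, then OR the force bits) to the values Alan quotes, so you can see why every file ends up 664 and every directory 2775 no matter what the client asks for. Part 2 models the POSIX ACL mask behaviour Michael describes: a default ACL with constructed named entries (user alice, group team) is inherited, but the mask is narrowed by the creation mode and umask, and a later chmod rewrites it again, capping the named entries; `reset_mask` is an assumed model of what "reset the permissions to the defaults you set" achieves, not apply-default-acl's actual implementation.

```python
"""Two permission calculations from the thread, modelled in plain Python.

Constructed example, not code from the mailing list, from Samba or from
apply-default-acl. Octal modes are ints; ACL entries map the getfacl-style
tag ("user::", "user:alice:", "mask::", ...) to an rwx bitfield.
"""

# ---- 1. Samba: what mode a new file/directory gets under the quoted smb.conf ----
SMB_CONF = {                      # values quoted in the reply
    "create mask": 0o664,
    "force create mode": 0o664,
    "directory mask": 0o2775,
    "force directory mode": 0o2775,
}

def samba_mode(requested, is_dir, conf=SMB_CONF):
    """smbd ANDs the mode derived from the client request with the mask,
    then ORs in the force bits (smb.conf(5), 'create mask'/'force create mode')."""
    if is_dir:
        return (requested & conf["directory mask"]) | conf["force directory mode"]
    return (requested & conf["create mask"]) | conf["force create mode"]

# ---- 2. POSIX ACLs: the mask entry caps everything but owner and other ------
R, W, X = 4, 2, 1
UNMASKED = ("user::", "other::", "mask::")   # entries the mask does not apply to

DEFAULT_ACL = {                   # constructed default ACL on the shared directory
    "user::": R | W | X,
    "user:alice:": R | W | X,     # hypothetical named user
    "group::": R | W | X,
    "group:team:": R | W | X,     # hypothetical named group
    "mask::": R | W | X,
    "other::": R | X,
}

def effective_acl(acl):
    """Permissions actually granted: named users/groups and the owning group
    are ANDed with the mask entry (acl(5), access check algorithm)."""
    mask = acl["mask::"]
    return {tag: (p if tag in UNMASKED else p & mask) for tag, p in acl.items()}

def create_file(default_acl, mode_arg, umask):
    """ACL of a file created under a directory carrying default_acl.
    Named entries are inherited as-is; the owner, mask (group class) and
    other entries are intersected with the mode the caller asked for."""
    requested = mode_arg & ~umask
    acl = dict(default_acl)
    acl["user::"] &= (requested >> 6) & 0o7
    acl["mask::"] &= (requested >> 3) & 0o7
    acl["other::"] &= requested & 0o7
    return acl

def apply_chmod(acl, mode):
    """chmod on a file that has a mask entry rewrites owner, mask and other
    from the mode bits; the group bits land in the mask, not in group::."""
    acl = dict(acl)
    acl["user::"] = (mode >> 6) & 0o7
    acl["mask::"] = (mode >> 3) & 0o7
    acl["other::"] = mode & 0o7
    return acl

def reset_mask(acl, default_acl):
    """Assumed model of 'reset to the defaults you set': put the mask back to
    the default ACL's mask so the inherited entries are effective again."""
    acl = dict(acl)
    acl["mask::"] = default_acl["mask::"]
    return acl

def rwx(p):
    """Render a 3-bit permission field the way getfacl does."""
    return "".join(c if p & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))

if __name__ == "__main__":
    for req, is_dir in ((0o644, False), (0o600, False), (0o700, True)):
        print(f"samba: requested {req:o} -> {samba_mode(req, is_dir):o}")
    f = create_file(DEFAULT_ACL, 0o666, 0o022)        # typical editor + umask 022
    for label, acl in (("created", f), ("chmod 664", apply_chmod(f, 0o664)),
                       ("mask reset", reset_mask(f, DEFAULT_ACL))):
        eff = effective_acl(acl)
        print(f"{label:10} mask={rwx(acl['mask::'])} alice={rwx(eff['user:alice:'])}")
```

Running it shows the point of both posts: under the quoted smb.conf a request for 600 still yields 664, whereas on a plain filesystem a file created with umask 022 inherits `user:alice:rwx` but gets mask `r--`, so alice is effectively read-only until the mask is widened again, which is exactly what a chmod or a reset of the mask does and what Alan's "samba must be the only way in" condition avoids.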