home-dir for everyone

Hi,

To share files between users I have an extra home dir called temp (/usr/home/temp); the owner is nobody:nobody and I have easy access over Samba. New files are also editable, readable and deletable by everyone.

Just over Unix I have an issue.

When I create a new file in the temp dir it's not editable for everyone. Where can I change the permissions which new files get for this dir? Where's the user_profile and what do I have to add?

Regards
 
Samba is not the problem. Samba uses the right owner and the right rights :)

When I create files with another account over NFS, then the file is owned by me and has the wrong permissions (see unknown_dir and new). The other files are created over Samba and act fine.

Code:
drwxr-xr-x  2 <user>    nobody         2 Nov 14 07:12 unknown_dir
-rw-r--r--  1 bodo    nobody         0 Nov 14 07:14 new
-rwxrw-rw-  1 nobody  nobody   2673245 Nov 13 20:52 scan.pdf
-rwxrw-rw-  1 nobody  nobody  20701215 Nov 13 20:58 scan0002.pdf
-rwxrw-rw-  1 nobody  nobody   1596997 Nov 13 21:01 scan0003.pdf
-rwxrw-rw-  1 nobody  nobody    451530 Nov 13 21:06 scan0004.pdf
-rwxrw-rw-  1 nobody  nobody    451929 Nov 13 21:08 scan0005.pdf
-rwxrw-rw-  1 nobody  nobody   8585617 Nov 13 21:12 scan0006.pdf

I am now searching for an option like Samba's create mode, just for NFS. So when other users create something in the public dir it automatically gets the 'open' rights.
 
I think I wrote it badly.
I want to copy a file from /home/<user> into /home/temp.
In /home/temp the copied user file should have permissions to be editable for everyone, not the original permissions of the <user>.

Regards

setuid
Code:
chmod 4777 /usr/home/temp
freebsd temp # ls -l
total 43763
-rw-r--r--  1 <user>  <user>        7100 Nov 14 08:42 BWA 2010.pdf
-rw-r--r--  1 <user>  <user>        7160 Nov 14 08:45 BWA 2011.pdf
-rwxrw-rw-  1 nobody  nobody   1141111 Oct 22 11:58 Dezember 2011.docx
-rwxrw-rw-  1 nobody  nobody     27854 Oct 22 12:30 November 2011.docx
-rwxrw-rw-  1 nobody  nobody   2673245 Nov 13 20:52 scan.pdf
-rwxrw-rw-  1 nobody  nobody  20701215 Nov 13 20:58 scan0002.pdf
-rwxrw-rw-  1 nobody  nobody   1596997 Nov 13 21:01 scan0003.pdf
-rwxrw-rw-  1 nobody  nobody    451530 Nov 13 21:06 scan0004.pdf
-rwxrw-rw-  1 nobody  nobody    451929 Nov 13 21:08 scan0005.pdf
-rwxrw-rw-  1 nobody  nobody   8585617 Nov 13 21:12 scan0006.pdf
-rwxrw-rw-  1 nobody  nobody   8585672 Nov 13 21:15 scan0007.pdf

sticky
Code:
freebsd temp # chmod 1777 /usr/home/temp
freebsd temp # ls -l
total 43762
-rwxrw-rw-  1 nobody  nobody   1141111 Oct 22 11:58 Dezember 2011.docx
-rwxrw-rw-  1 nobody  nobody     27854 Oct 22 12:30 November 2011.docx
-rwxrw-rw-  1 nobody  nobody   2673245 Nov 13 20:52 scan.pdf
-rwxrw-rw-  1 nobody  nobody  20701215 Nov 13 20:58 scan0002.pdf
-rwxrw-rw-  1 nobody  nobody   1596997 Nov 13 21:01 scan0003.pdf
-rwxrw-rw-  1 nobody  nobody    451530 Nov 13 21:06 scan0004.pdf
-rwxrw-rw-  1 nobody  nobody    451929 Nov 13 21:08 scan0005.pdf
-rwxrw-rw-  1 nobody  nobody   8585617 Nov 13 21:12 scan0006.pdf
-rwxrw-rw-  1 nobody  nobody   8585672 Nov 13 21:15 scan0007.pdf
freebsd temp # ls -l
total 43763
-rw-r--r--  1 <user>  <user>      7100 Nov 14 08:42 BWA 2010.pdf
-rw-r--r--  1 <user>  <user>        7160 Nov 14 08:45 BWA 2011.pdf
-rwxrw-rw-  1 nobody  nobody   1141111 Oct 22 11:58 Dezember 2011.docx
-rwxrw-rw-  1 nobody  nobody     27854 Oct 22 12:30 November 2011.docx
-rwxrw-rw-  1 nobody  nobody   2673245 Nov 13 20:52 scan.pdf
-rwxrw-rw-  1 nobody  nobody  20701215 Nov 13 20:58 scan0002.pdf
-rwxrw-rw-  1 nobody  nobody   1596997 Nov 13 21:01 scan0003.pdf
-rwxrw-rw-  1 nobody  nobody    451530 Nov 13 21:06 scan0004.pdf
-rwxrw-rw-  1 nobody  nobody    451929 Nov 13 21:08 scan0005.pdf
-rwxrw-rw-  1 nobody  nobody   8585617 Nov 13 21:12 scan0006.pdf
-rwxrw-rw-  1 nobody  nobody   8585672 Nov 13 21:15 scan0007.pdf

setgid
Code:
freebsd temp # chmod 2777 /usr/home/temp
freebsd temp # ls -l
total 43762
-rwxrw-rw-  1 nobody  nobody   1141111 Oct 22 11:58 Dezember 2011.docx
-rwxrw-rw-  1 nobody  nobody     27854 Oct 22 12:30 November 2011.docx
-rwxrw-rw-  1 nobody  nobody   2673245 Nov 13 20:52 scan.pdf
-rwxrw-rw-  1 nobody  nobody  20701215 Nov 13 20:58 scan0002.pdf
-rwxrw-rw-  1 nobody  nobody   1596997 Nov 13 21:01 scan0003.pdf
-rwxrw-rw-  1 nobody  nobody    451530 Nov 13 21:06 scan0004.pdf
-rwxrw-rw-  1 nobody  nobody    451929 Nov 13 21:08 scan0005.pdf
-rwxrw-rw-  1 nobody  nobody   8585617 Nov 13 21:12 scan0006.pdf
-rwxrw-rw-  1 nobody  nobody   8585672 Nov 13 21:15 scan0007.pdf
freebsd temp # ls -l
total 43763
-rw-r--r--  1 <user>  <user>      7100 Nov 14 08:42 BWA 2010.pdf
-rw-r--r--  1 <user>  <user>      7160 Nov 14 08:45 BWA 2011.pdf
-rwxrw-rw-  1 nobody  nobody   1141111 Oct 22 11:58 Dezember 2011.docx
-rwxrw-rw-  1 nobody  nobody     27854 Oct 22 12:30 November 2011.docx
-rwxrw-rw-  1 nobody  nobody   2673245 Nov 13 20:52 scan.pdf
-rwxrw-rw-  1 nobody  nobody  20701215 Nov 13 20:58 scan0002.pdf
-rwxrw-rw-  1 nobody  nobody   1596997 Nov 13 21:01 scan0003.pdf
-rwxrw-rw-  1 nobody  nobody    451530 Nov 13 21:06 scan0004.pdf
-rwxrw-rw-  1 nobody  nobody    451929 Nov 13 21:08 scan0005.pdf
-rwxrw-rw-  1 nobody  nobody   8585617 Nov 13 21:12 scan0006.pdf
-rwxrw-rw-  1 nobody  nobody   8585672 Nov 13 21:15 scan0007.pdf
 
Setting the SUID or SGID only works for new files, not existing ones.
 
As you can see from the timestamps, the files were always cut out after changing something in the permissions.

So they were always written new, or did you mean something else?
 
Permissions with setgid or setuid work only for new entries in the directory, where new means a new entry in the directory, not a changed or modified file.
 
fluca1978 said:
Permissions with setgid or setuid work only for new entries in the directory, where new means a new entry in the directory, not a changed or modified file.

Exactly. Also keep in mind that moving a file on the same filesystem will never change its permissions.
 
OK, so I have to add chmod -R 777 /usr/home/temp to /etc/crontab to have it the way I want?

There is no "smarter" solution?

Regards
 
Change the UMASK setting for all users such that files they create are marked 777.

Then change the permissions on their home directories to 770 (so that "other" users can't access them).
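The two points made above (setgid on the directory only affects new entries, and mv on the same filesystem never changes a file's mode) plus the umask suggestion can be checked in a scratch directory. This is an added demo, not a script from the thread; it assumes a POSIX sh with mktemp and either GNU or BSD stat, and the mode_of helper is a constructed portability shim. It also shows the caveat a practitioner would want: cp keeps the source's mode bits before applying the umask, so a 644 file copied under umask 000 stays 644.

```shell
#!/bin/sh
# Added demo (not from the thread): which operations give a new entry in a
# shared directory the 'open' mode. Everything is created under mktemp;
# nothing here touches /usr/home/temp.

# Low three octal digits of a path's mode (GNU stat first, then BSD stat).
mode_of() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    echo "${m#"${m%???}"}"
}

# Mode of a file created from scratch (touch/editor save) under umask $1.
mode_new_file() {
    d=$(mktemp -d)
    ( umask "$1"; : > "$d/new" )
    mode_of "$d/new"; rm -rf "$d"
}

# Mode after cp of a source with mode $2 into a share dir under umask $1.
# cp keeps the source mode bits and then applies the umask: 644 stays 644.
mode_after_cp() {
    d=$(mktemp -d)
    : > "$d/src"; chmod "$2" "$d/src"; mkdir "$d/share"
    ( umask "$1"; cp "$d/src" "$d/share/copy" )
    mode_of "$d/share/copy"; rm -rf "$d"
}

# Mode after mv on the same filesystem into a setgid (2777) share dir:
# the inode is only renamed, so neither umask nor the dir's bits touch it.
mode_after_mv() {
    d=$(mktemp -d)
    : > "$d/src"; chmod "$1" "$d/src"; mkdir "$d/share"; chmod 2777 "$d/share"
    ( umask 000; mv "$d/src" "$d/share/moved" )
    mode_of "$d/share/moved"; rm -rf "$d"
}

# Mode of an already existing file after chmod 2777 on its directory.
mode_existing_after_setgid() {
    d=$(mktemp -d)
    : > "$d/old"; chmod "$1" "$d/old"; chmod 2777 "$d"
    mode_of "$d/old"; rm -rf "$d"
}

echo "touch, umask 022:                $(mode_new_file 022)"
echo "touch, umask 000:                $(mode_new_file 000)"
echo "cp 644 source, umask 000:        $(mode_after_cp 000 644)"
echo "cp 666 source, umask 022:        $(mode_after_cp 022 666)"
echo "mv 644 source into setgid dir:   $(mode_after_mv 644)"
echo "existing 644 after setgid on dir: $(mode_existing_after_setgid 644)"
```

Only the first case reaches 666 under umask 000; the copied and moved files keep the mode they had in /home/<user>, which is why a global umask alone does not cover the "copy into /home/temp" case.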
 
I am fairly sure you can do it with smb.conf. I created such a thing in the past, on a SuSE Linux machine, without using setgid/setuid. I say "fairly sure" because I didn't test it thoroughly... just used it and had no complaints, and it was over 10 years ago.

Unlike using setuid, the new directories created also have the same effect. With setuid, those directories would also need to be setgid/setuid manually after they are created. I don't remember what options to use though... I scanned through the list (in man smb.conf) and here are my suggestions of what to try:

Most likely some of these:

Code:
create mask = 777
security mask = 777
directory mask = 777
directory security mask = 777
# yes means inherit from the directory rather than the user
inherit owner = yes
force user = nobody
force group = nobody

maybe also:

Code:
force create mode = 0777
force directory mode = 4777
force directory security mode = 4777
force security mode = 777

or maybe something slightly extreme/insane like:
Code:
dos filemode = yes
fstype = FAT (default is NTFS)


And currently, I have no dire need for something magically perfect like what I had before. The most similar thing I have now (originally on Linux samba sharing ext3, now Linux samba sharing the FreeBSD NFS zfs share) was set up like this:
Code:
[sharename]
        path = /path/to/dir
        writeable = yes
        browseable = Yes
        writeable = yes
        create mask = 0664
        directory mask = 0775
        # Hide the .zfs directory so people can't view snapshots, which hangs ZFS on the NFS server (severe bug for which I haven't submitted a PR yet)
        # Also, I bind-mounted /var/empty on top of the .zfs directory to hide it from local users
        veto files = /.zfs/
and run once:
# chgrp -R bc /share/root/dir

The effect is that people can rename, move, and delete files that others created. I suppose it works because "bc" is the primary group for all users, not just simply added to the supplementary groups for all.

My simple thing I have now would fail if someone purposely changed permissions or ownership on a file, but nobody seems to do that.
 
Good idea!

I will look for a better solution, even if there is no big chance there will be one.

Wouldn't your solution permit another user to rm /home/<user>/file?
Or is this really safe?

Regards
 
No, because the "other" set of permissions would be set to 000 (aka rwxr-x---) on /home/<user>/, which means they would not have access to anything under /home/<user>/. Doesn't matter if they can read/write the files under that directory ... if they can't get into the directory. :)
 