Using ACLs on a Linux system to mimic Samba’s “force user”

I'm using Samba to share files across a network. I found force user and force group very useful for a typical team working together on a project.

Here is the relevant part of /etc/samba/smb.conf:

...
force user = %U
force group = dev-team
create mask = 0775
directory mask = 0775
force create mode = 0660
force directory mode = 0660
...

It ensures that any file created through the share belongs to the dev-team group and gives its members read and write permission, whatever the connecting user's umask says. Note that create mask, directory mask and the force modes only apply to files Samba itself creates.

But some users also have direct access to these directories (a local shell, for instance), and when they bypass Samba the policy is not enforced: the files they create get whatever their umask and primary group dictate.

The solution is quite simple and involves Linux ACLs.

Install ACL

Your system probably already has the acl package installed. You can install it (or make sure it is already there) by typing:

apt-get install acl

Then edit /etc/fstab so that the partition holding the shared directories is mounted with the acl option. On recent distributions ext4 already carries acl in its default mount options (tune2fs -l on the device lists them under "Default mount options"), in which case the fstab entry is redundant but harmless. My fstab looks like:

...
UUID=9cd6deba-e3a6-427c-82e1-48cfaf0793b1 /shares ext4 defaults,acl 0 2
...

Once /etc/fstab is edited, you can remount the partition on the fly with:

mount -o remount /shares

Using ACL

I can mimic the behaviour of Samba's policy by simply typing:

setfacl -R -d -m u::rwx,g:dev-team:rwx,o::r-x /shares

Options are:

-R applies the change recursively, like -R for chown or chmod, so every existing subdirectory gets the same default ACL.
-d operates on the default ACL instead of the access ACL. The default ACL is what files and directories created later inherit; it grants nothing on the objects that already exist. To cover those as well, run the same command a second time without -d, writing g:dev-team:rwX (capital X) so that plain files are not made executable.
-m adds (or modifies) the entries that follow, which mean:

u::rwx the owner keeps rwx, same as chmod u+rwx
g:dev-team:rwx a named entry granting rwx to the dev-team group whether or not it is the file's owning group. Unlike chgrp it does not change the owning group; if you also want new files to belong to dev-team, set the setgid bit on the directory with chmod g+s, as in the setgid approach linked at the end.
o::r-x others get r-x, same as chmod o+rx

Because a default ACL is present, the umask of the user creating the file is ignored: the new object gets the default entries ANDed with the mode the program asked for (usually 0666 for files and 0777 for directories), so dev-team ends up with rw- on files and rwx on directories, which is exactly what create mask and force create mode did on the Samba side.

You can check the ACLs of a directory with getfacl (here on one subdirectory of the share, which is what the output below refers to). Note how the named dev-team entry only shows up under default:, that setfacl computed the default:mask entry by itself, and that flags -s- means the setgid bit is set on this directory:

$ getfacl /shares/assistance/
# file: shares/assistance/
# owner: musicalta
# group: assistance
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:dev-team:rwx
default:mask::rwx
default:other::r-x
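Reading getfacl output by eye does not tell you what dev-team really gets once the mask and the creation mode are applied, and it is easy to forget that the -d pass changes nothing on the directories that already exist. The script below is an added example, not part of the original post: it parses getfacl's long-form text, applies the mask the way the kernel does, computes what a new file or directory would inherit, and reports the directories where the policy does not hold. The file name acl_audit.py and the SAMPLE text are made up for the example; the sample's first record mirrors the getfacl output above, the second is a constructed directory whose masks were tightened to r-x.

```python
"""Audit getfacl output for the "dev-team gets rw" policy. Added example, not from
the original post; acl_audit.py and the SAMPLE text below are made up for it."""
import sys
from typing import Dict, List, Optional

# Constructed sample modelled on the post's getfacl output (owner/group lines
# omitted). assistance/ is the post's own state: the default ACL is right, but
# `setfacl -d` gave dev-team nothing on the directory itself. On legacy/ the
# masks were tightened to r-x (a plain `chmod g-w` does that to the access
# mask), so the rwx entries are silently clipped.
SAMPLE = """\
# file: shares/assistance/
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:dev-team:rwx
default:mask::rwx
default:other::r-x

# file: shares/legacy/
user::rwx
group::rwx                  #effective:r-x
group:dev-team:rwx          #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::rwx          #effective:r-x
default:group:dev-team:rwx  #effective:r-x
default:mask::r-x
default:other::r-x
"""

def parse_getfacl(text: str) -> List[dict]:
    """One dict per '# file:' block: path, flags, access entries, default entries."""
    recs: List[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# file:"):
            recs.append({"path": line[7:].strip(), "flags": "---", "access": [], "default": []})
        elif line.startswith("# flags:") and recs:
            recs[-1]["flags"] = line[8:].strip()  # e.g. "-s-" = setgid set
        elif line and recs and not line.startswith("#"):  # an ACL entry, maybe annotated
            entry = line.split("#", 1)[0].strip()  # drop getfacl's '#effective:' note
            kind = "access"
            if entry.startswith("default:"):
                kind, entry = "default", entry[8:]
            tag, qual, perms = entry.split(":", 2)  # ("group", "dev-team", "rwx")
            recs[-1][kind].append((tag, qual, perms))
    return recs

def and_perms(a: str, b: str) -> str:
    return "".join(x if x == y else "-" for x, y in zip(a, b))  # 'rwx' & 'r-x' -> 'r-x'

def effective(entries: List[tuple], tag: str, qual: str) -> Optional[str]:
    """What an entry really grants: the kernel ANDs the mask into every entry
    except user:: (the owner) and other::. None if the entry is absent."""
    perms = mask = None
    for t, q, p in entries:
        if (t, q) == (tag, qual):
            perms = p
        elif t == "mask":
            mask = p
    if perms is None or mask is None or tag == "other" or (tag, qual) == ("user", ""):
        return perms
    return and_perms(perms, mask)

def inherited(defaults: List[tuple], tag: str, qual: str, is_dir: bool) -> Optional[str]:
    """Permission a new object gets for the entry. With a default ACL the umask is
    ignored; the requested mode (0666 files, 0777 dirs) is ANDed in instead."""
    eff = effective(defaults, tag, qual)
    return None if eff is None else and_perms(eff, "rwx" if is_dir else "rw-")

def covers(have: Optional[str], need: str) -> bool:
    return have is not None and and_perms(have, need) == need

def audit(recs: List[dict], group: str) -> Dict[str, List[str]]:
    """Findings per directory; an empty list means the policy holds there."""
    out: Dict[str, List[str]] = {}
    for r in recs:
        f: List[str] = []
        now = effective(r["access"], "group", group)
        if now is None:
            f.append(f"no entry for {group} on the directory itself ('-d' only sets defaults)")
        elif not covers(now, "rwx"):
            f.append(f"{group} effectively has {now} on the directory (the mask clips it)")
        for is_dir, need in ((False, "rw-"), (True, "rwx")):
            new = inherited(r["default"], "group", group, is_dir)
            if not covers(new, need):
                f.append(f"new {'dirs' if is_dir else 'files'} would give {group} {new or 'nothing'}, need {need}")
        if r["flags"][1:2] != "s":
            f.append("setgid not set: files created locally keep the creator's primary group")
        out[r["path"]] = f
    return out

if __name__ == "__main__":
    # Usage: find /shares -type d -exec getfacl {} + | python3 acl_audit.py dev-team
    grp, text = (sys.argv[1], sys.stdin.read()) if len(sys.argv) > 1 else ("dev-team", SAMPLE)
    for path, probs in audit(parse_getfacl(text), grp).items():
        print(path, "OK" if not probs else "\n  - " + "\n  - ".join(probs))
```

Run without arguments it audits the built-in sample and flags shares/assistance/ for the missing access entry and shares/legacy/ for the clipped mask, the r-- that new files would inherit, and the missing setgid bit. Feed it only directories (the find invocation in the usage comment) because plain files never carry a default ACL and would show up as noise.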

If you need more information on the topic, this blog post (which solves the same problem with setgid directories) was of some help:

http://brunogirin.blogspot.com/2010/03/shared-folders-in-ubuntu-with-setgid.html