I'm using samba to share files across a network. I found force user and force group very usefull in a classical team working together on project.
This is the sample /etc/samba/smb.conf:
... force user = %U force group = dev-team create mask = 0775 directory mask = 0775 force create mode = 0660 force directory mode = 0660 ...
It ensures that any file created will receive full read, write permission for member of "dev-team" group.
But I have bunch of the user that have a direct access to these directory. And without going through samba, the policy is not enforced.
The solution is quite simple and involves linux ACL.
Install ACL
Your system should already have package acl installed. You can install it (or make sure you already have it) by typing:
apt-get install acl
Then you should edit your /etc/fstab to contain the option acl on the mounted partition you need to get. My fstab looks like:
... UUID=9cd6deba-e3a6-427c-82e1-48cfaf0793b1 /shares ext4 defaults,acl 0 2 ...
Once the /etc/fstab edited, you can remount your partition on the fly with:
mount -o remount /shares
Using ACL
I can mimick the behavior of samba's policy by simply typing:
setfacl -R -d -m u::rwx,g:dev-team:rwx,o::r-x /shares
Options are:
| -R | is the same than -R for chown or chmod ... it will apply to subdirectory also. |
| -d | is switching to default permissions for newly created files. |
| -m | is adding the following permission rules that are expressed as: u::rwx same as chmod u+rwx
g:dev-team:rwx same as chgrp dev-team AND chmod g+rwx
o::r-x same as chmod o+rx
|
You can check ACLs of a given directory with getfacl:
$ getfacl /shares # file: shares/assistance/ # owner: musicalta # group: assistance # flags: -s- user::rwx group::rwx other::r-x default:user::rwx default:group::rwx default:group:dev-team:rwx default:mask::rwx default:other::r-x
If you need more info on the topic, this blog post was of some help.
http://brunogirin.blogspot.com/2010/03/shared-folders-in-ubuntu-with-setgid.html