Date: Sun, 5 Feb 2012 11:44:04 -0600
From: Dan Nelson <dnelson@allantgroup.com>
To: Modulok <modulok@gmail.com>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: setuid directories - or other option?
Message-ID: <20120205174404.GG5775@dan.emsphone.com>
In-Reply-To: <CAN2%2BEpZY%2BxKSaN2LF1M-CCg3rjoBeN=OsT8CfhU6m--ux0X=dQ@mail.gmail.com>
References: <CAN2%2BEpZY%2BxKSaN2LF1M-CCg3rjoBeN=OsT8CfhU6m--ux0X=dQ@mail.gmail.com>

In the last episode (Feb 04), Modulok said:
> I have a media project directory shared with windows users via samba.
> Every authenticated samba user that accesses the directory is forced to
> the same FreeBSD user, 'foo', regardless. The group also has
> write-access:
>
>     drwxrwxr-x 47 foo foo 2.5K Feb 4 05:42 foo/
>
> Local shell users, however, are a problem. Ideally, I want a similar
> behavior for them too i.e. Any files they create in the directory are
> also owned by the user 'foo'. How do I do that? (See below about
> setuid.)
>
> I wouldn't even care who owns the files, so long as file permission bits
> in this directory defaulted to 664 so every member of the group 'foo'
> could edit them. Can I do this without changing every user's default
> umask? (I want to avoid that.) Is there some kind of 'umask for this
> directory is blah' feature?
>
> I looked at setuid bit on directories. Sounds perfect! BUT I'll be moving
> to ZFS soon and from what I gather, it won't work there. I guess I could
> have a cron job run every minute and change offending permission bits, but
> that feels hacky.

I think you mean the setgid bit (so that all files in the subdirectory will
have group="foo"), and that should work on ZFS as well. Another option
might be to use ACLs to grant access to the "foo" group outside of the
standard unix mode system:

    setfacl -m group:foo:rwx:df:allow /path

That will grant the "foo" group read/write/execute access on all files under
"/path", regardless of the regular owner/group/umask settings. Also, make
sure that the zfs aclmode and aclinherit properties on the filesystem are
set to something other than "discard".

-- 
Dan Nelson
dnelson@allantgroup.com
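
Added example, not part of the original message or thread: a read-only audit for the setgid-directory approach discussed above, listing entries whose mode bits would stop members of the shared group from editing. The function name and output labels are hypothetical; it inspects mode bits only, so access granted purely through an ACL entry is not reflected in its output.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
#
# audit_shared_dir DIR
#   Prints one line per entry that breaks group collaboration:
#     file-not-group-rw  <path>   regular file missing group read or write
#     dir-not-setgid-rwx <path>   directory missing setgid or group rwx
#   Prints nothing when the tree is clean. Returns 2 if DIR is not a directory.
audit_shared_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi

    # "-perm -060" matches files with BOTH group read and group write set;
    # negating it finds files created under a restrictive umask (e.g. 644).
    find "$dir" -type f ! -perm -060 -print | sed 's/^/file-not-group-rw /'

    # "-perm -2070" matches directories with setgid AND group rwx; negating
    # it finds directories missing the setgid bit or some group permission.
    find "$dir" -type d ! -perm -2070 -print | sed 's/^/dir-not-setgid-rwx /'
}

# Run the audit when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_shared_dir "$1"
fi
```

Run as `sh audit.sh /path/to/share`; it changes nothing, so the output can be reviewed before any permission fix is applied.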