Date: Sun, 13 Jun 2010 18:31:18 +0200
From: Polytropon
To: Bob Hall
Message-Id: <20100613183118.c5daa042.freebsd@edvax.de>
In-Reply-To: <20100613041500.GA71284@stainmore>
References: <20100613041500.GA71284@stainmore>
Organization: EDVAX
Cc: freebsd-questions@freebsd.org
Subject: Re: Directory Passwords

On Sun, 13 Jun 2010 00:15:00 -0400, Bob Hall wrote:
> On Sat, Jun 12, 2010 at 02:52:59PM -0400, Mike Robins wrote:
> > Hi there, I currently am running a FreeBSD/Samba server for my company
> > with public shares for all of the employees to keep their work related
> > documents in. I'm wondering if it is possible for me to keep these shares
> > public and add a password to each sub directory in the public share? This
> > would mean I could give each department a sub directory that only they
> > would know the password to and keep the sensitive documents away from
> > public view.
>
> Any password known to a group of people quickly becomes public
> knowledge. If you really need to restrict access to a share, this won't
> do it securely.

There may be another way to implement this functionality - not
by passwords, but by group permissions. Create the different
share directories as needed and give them the following settings:
owner = project leader, group = project group. Then add the users
belonging to the project group to that group, so they will be
able to access the share. Other groups and people won't have
access (u=rw,g=rw,o=nothing). If a user is delegated to another
group, remove him from the project group, and add him to his
new group. In this way, it's enough for a user to know his own
password.

> I'm pretty sure you can integrate Samba into such a system, but
> how to do it is a Samba related question, not a FreeBSD question.

It can easily be done using UFS's user:group and permission
system. I'm not sure how far it can be manipulated by a
"Windows" client, but finally, there could be an SSH access
with proper rights for a responsible person to take care of
the settings. A dialog based wrapper around pw calls could
also be implemented very fast.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
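
The group-permission scheme described in the message above, sketched as an added example (not part of the original message or of any FreeBSD tool). The share root `/home/shares`, the departments `sales` and `hr`, and the users `alice`, `bob` and `carol` are constructed; it assumes a `pw` that supports `groupmod -d`, and uses mode 770 because a directory also needs the search (x) bit to be entered.

```shell
#!/bin/sh
# Added example: per-department share directories on FreeBSD, with access
# decided by group membership instead of a shared directory password.
# All names are constructed. Commands are only printed unless APPLY=1 is
# set in the environment (then run as root on the file server).

SHARE_ROOT="${SHARE_ROOT:-/home/shares}"   # assumed location of the share

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# create_share <dept> <leader>: owner = project leader, group = project group
create_share() {
    dept=$1
    leader=$2
    dir="$SHARE_ROOT/$dept"
    run pw groupadd "$dept"
    run mkdir -p "$dir"
    run chown "$leader:$dept" "$dir"
    # u=rwx,g=rwx,o= : owner and group may list, enter and write; others
    # get nothing. On UFS new files take the group of this directory.
    run chmod 770 "$dir"
}

# add_user <user> <dept>: grant access by adding the user to the group
add_user() {
    run pw groupmod "$2" -m "$1"
}

# move_user <user> <old_dept> <new_dept>: user is delegated to another group
move_user() {
    run pw groupmod "$2" -d "$1"
    run pw groupmod "$3" -m "$1"
}

# Constructed scenario: two departments, then carol changes department.
create_share sales alice
create_share hr bob
add_user carol sales
move_user carol sales hr
```

Group changes made with `pw` apply to new logins, so a user who was moved should reconnect before the new membership is tested.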