From: Rob <listone@deathbeforedecaf.net>
To: Gary Gatten
Cc: freebsd-questions@freebsd.org
Date: Thu, 11 Mar 2010 21:34:28 +1030
Subject: Re: ACLs, umask and shared directories

Hi Gary,

Directory group inheritance is the default in FreeBSD - see open(2): When a new
file is created it is given the group of the directory which contains it. In
SysV, this behaviour is controlled by the setgid bit.

So the file has the correct group, but it's not writable by other users unless
it has g+w permissions. The way to guarantee this is to set everyone's umask to
002 - but then they can write each other's files anywhere else in the
filesystem, because they're all in the same primary group.

I just can't see a tidy solution.

Thanks
Rob.

On 09/03/2010, at 10:34 AM, Gary Gatten wrote:

> chmod g+s "ParentDirectory"
>
> Files created in the dir now have the group of the dir.
>
> Not sure if this will help or not, as it appears the new files do not
> inherit the perms of the group, the umask still overrides so....
>
> What about a secondary group + SGID + umask 002? The users that need to
> edit each other's files in this directory are in a secondary group
> (ShareMe). This same group owns the parent directory and the SGID bit
> is set. This should allow you to set the umask to 002, correct? Maybe?
>
> So:
>
> www1 primary group = domain_users;
>
> www1$ pwd
> /WorkgroupXShare
>
> drwxrws--- 4 root ShareMe 0 Mar 8 03:11 .
> www1$ touch file1
> drwxrws--- 4 www1 ShareMe 0 Mar 8 03:11 file1
>
> umask of 002 should give files 664 (I'd change umask to 004, group
> "ShareMe" should get rw perms, right?
>
> I think this will work?
>
> G
>
>
> -----Original Message-----
> From: Gary Gatten
> Sent: Monday, March 08, 2010 4:49 PM
> To: 'listone@deathbeforedecaf.net'
> Subject: RE: ACLs, umask and shared directories
>
> This may also work:
>
> SGID (set group ID) on a directory: in this special case every file
> created in the directory will have the same group owner as the directory
> itself (while normal behavior would be that new files are owned by the
> users who create them).
> This way, users don't need to worry about file
> ownership when sharing directories:
>
> G
>
>
> -----Original Message-----
> From: Gary Gatten
> Sent: Monday, March 08, 2010 4:13 PM
> To: Gary Gatten; 'listone@deathbeforedecaf.net'
> Subject: RE: ACLs, umask and shared directories
>
> What about sticky bit on the parent directory - in combination with
> appropriate owner and group perms. I used sticky in my ftpd solution,
> HOWEVER, this was on SCO Unix and sticky may have different behavior on
> FBSD. Worth a look though!
>
> G
>
>
> -----Original Message-----
> From: Gary Gatten
> Sent: Monday, March 08, 2010 8:25 AM
> To: 'listone@deathbeforedecaf.net'
> Subject: Re: ACLs, umask and shared directories
>
> I ran into a similar issue long ago with an ftp folder and "shared"
> files. If I recall umask solved my issue for me but understand it
> doesn't solve yours.
>
> If nothing else, could you write a shell script that "monitors" the
> directory/directories for writes and then sets the perms as needed?
>
> ----- Original Message -----
> From: owner-freebsd-questions@freebsd.org
> To: freebsd-questions@freebsd.org
> Sent: Mon Mar 08 06:41:03 2010
> Subject: ACLs, umask and shared directories
>
> Hi Folks,
>
> I need to give a group of users write access to a shared directory. The
> problem is, when one user creates a file,
>
> www1$ touch file1
> www1$ ll
> total 8
> drwxrwxr-x 2 root domain_users 512 Mar 8 03:11 .
> drwxr-xr-x 4 root wheel 512 Mar 8 03:10 ..
> -rw-r--r-- 1 www1 domain_users 0 Mar 8 03:11 file1
>
> other users can't edit it.
>
> Solution 1
> ----------
>
> Change everyone's umask to 002. Unfortunately, these users are defined
> in Active Directory and they're all in the same primary group - 002 is
> not secure in this scenario.
>
> Solution 2
> ----------
>
> Set a default ACL on the parent directory,
>
> www1$ getfacl -d .
> # file: .
> # owner: root
> # group: domain_users
> user::rwx
> group::rwx
> mask::rwx
> other::r-x
>
> but it doesn't have the desired effect,
>
> www1$ touch file1
> www1$ getfacl file1
> # file: file1
> # owner: www1
> # group: domain_users
> user::rw-
> group::rwx # effective: r--
> mask::r--
> other::r--
>
> as the umask seems to override it - this was confirmed by Robert
> Watson[1] in 2005.
>
> So does anyone have a better idea?
>
> Thanks
> Rob.
>
> [1]
> http://lists.freebsd.org/pipermail/freebsd-fs/2005-October/001382.html
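As an added illustration, not part of the thread and not FreeBSD code, here is a Python model of the two file-creation rules the thread contrasts: the POSIX.1e rule (umask ignored once a default ACL exists) and the umask-overrides behaviour Rob observed, fed with the ACL and umask values quoted above. The function names and the dict layout are assumptions made for the model.

```python
# Constructed model of how umask interacts with a POSIX.1e default ACL at
# file creation, using the values quoted in the thread.  It does not call
# the kernel; it only reproduces the arithmetic behind the getfacl output.
from typing import Dict

# From "getfacl -d ." in the thread: user::rwx group::rwx mask::rwx other::r-x
DEFAULT_ACL = {"user": 0o7, "group": 0o7, "mask": 0o7, "other": 0o5}


def class_bits(mode: int):
    """Split a mode such as 0o666 into (owner, group, other) 3-bit fields."""
    return (mode >> 6) & 7, (mode >> 3) & 7, mode & 7


def rwx(bits: int) -> str:
    """Render a 3-bit field the way getfacl/ls do, e.g. 6 -> 'rw-'."""
    return "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))


def new_file_acl(default_acl: Dict[str, int], requested: int = 0o666,
                 umask: int = 0o022, umask_overrides: bool = True) -> Dict[str, int]:
    """Access ACL of a file created (touch requests 0666) in a directory that
    carries default_acl.  Per POSIX.1e each class is the default entry ANDed
    with the matching bits of the requested mode and the umask is ignored.
    umask_overrides=True reproduces the behaviour reported in the thread,
    where the umask is applied on top of that and lands in the mask entry."""
    u, g, o = class_bits(requested)
    mu, mg, mo = class_bits(umask)
    acl = {
        "user": default_acl["user"] & u,
        "group": default_acl["group"],  # owning-group entry keeps its default bits
        "mask": default_acl["mask"] & g,
        "other": default_acl["other"] & o,
    }
    if umask_overrides:
        acl["user"] &= ~mu & 7
        acl["mask"] &= ~mg & 7
        acl["other"] &= ~mo & 7
    acl["effective_group"] = acl["group"] & acl["mask"]  # what getfacl reports
    return acl


def plain_file_mode(umask: int, requested: int = 0o666) -> int:
    """Mode of a new file in a directory with no default ACL: the classic
    requested & ~umask rule that applies everywhere else in the filesystem."""
    return requested & ~umask & 0o777


if __name__ == "__main__":
    for umask in (0o022, 0o002):
        acl = new_file_acl(DEFAULT_ACL, umask=umask)
        print(f"umask {umask:03o}: shared dir -> group effective {rwx(acl['effective_group'])},"
              f" elsewhere -> mode {plain_file_mode(umask):03o}")
```

Running it shows the trade-off Rob describes: umask 022 leaves the group at r-- even with the default ACL, while umask 002 gives rw- in the shared directory but also 664 files everywhere else.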