At 2004-10-03T07:33:04+1300, Robert Fisher wrote:
> The purpose of this shared folder is to have a very open place for all
> people on our home network, including Windows users who could be
> casual, to store and use files.
> Important stuff is backed up to another drive using a cron job.
> Private stuff goes in home directories.
>
> So now you see what it is for, do you think I still should change
> things?
Well, if you're not concerned about security, then what you have is
simple and will mostly work.
To do it properly, the minimum I would suggest would be:
1. Set up a new group for share access.
2. Alter permissions and ownership on the share directory to allow
read/write access to the directory for members of the share group.
3. Set the setgid bit on the share directory to ensure any files or
directories created in the directory inherit the share group.
4. Teach users who are using the share about umask.
The main problem you're likely to run into with this type of share is
that some users may have a particularly restrictive umask set, which
will result in files in the share ending up with permissions that stop
other users from writing to the files.
# existing directory, to be made into a share
[EMAIL PROTECTED]:/tmp/demo(0)$ ls -ld share
drwxr-xr-x 10 elgrego elgrego 360 2004-10-04 10:48 share
[EMAIL PROTECTED]:/tmp/demo(0)$ ls -l share
drwxr-xr-x 2 elgrego elgrego 40 2004-10-04 10:48 a
-rw-r--r-- 1 elgrego elgrego 0 2004-10-04 10:48 a1
# open the permissions right up
[EMAIL PROTECTED]:/tmp/demo(0)$ chmod -R 777 share
[EMAIL PROTECTED]:/tmp/demo(0)$ ls -ld share
drwxrwxrwx 10 elgrego elgrego 360 2004-10-04 10:48 share
[EMAIL PROTECTED]:/tmp/demo(0)$ ls -l share
drwxrwxrwx 2 elgrego elgrego 40 2004-10-04 10:48 a
-rwxrwxrwx 1 elgrego elgrego 0 2004-10-04 10:48 a1
# along comes bob
[EMAIL PROTECTED]:/tmp/demo(0)$ ls -l share
drwxrwxrwx 2 elgrego elgrego 40 Oct 4 10:48 a
-rwxrwxrwx 1 elgrego elgrego 0 Oct 4 10:48 a1
# bob is security conscious, note restrictive umask
[EMAIL PROTECTED]:/tmp/demo/share$ umask
0027
# bob (as part of 'other') has write access to the share
[EMAIL PROTECTED]:/tmp/demo/share$ mkdir mine
[EMAIL PROTECTED]:/tmp/demo/share$ touch afile
[EMAIL PROTECTED]:/tmp/demo/share$ ls -l
drwxrwxrwx 2 elgrego elgrego 40 Oct 4 10:48 a
-rwxrwxrwx 1 elgrego elgrego 0 Oct 4 10:48 a1
-rw-r----- 1 bob bob 0 Oct 4 10:51 afile
drwxr-x--- 2 bob bob 60 Oct 4 10:51 mine
As shown above, the share now has bob's files in it which are not
readable or writable by anyone but bob. By setting up a 'share' group
and setting the setgid bit on the share directory, the new files created
by bob would inherit the group setting on the directory, and would
therefore be set to 'share'. In this scenario, this would be enough to
allow others at least read access to bob's files, but if bob had an even
more restrictive umask, the files may end up being set to 0700.
Cheers,
-mjg
--
Matthew Gregan |/
/| [EMAIL PROTECTED]
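The four steps in the reply above, carried out in POSIX sh, as an added example that is not part of the original thread. It assumes Linux with GNU coreutils (stat -c) and glibc getent; the group name "share", the paths and the scratch directory are illustrative. The last function is the fix a practitioner usually reaches for when step 4 (teaching umask) does not stick: a periodic chmod over the share.

```shell
# Step 1: create the share group. This needs root, so it lives in its own
# function and is a no-op when the group already exists.
create_share_group() {
    grp=$1
    getent group "$grp" >/dev/null 2>&1 || groupadd "$grp"
}

# Steps 2 and 3: hand the directory to the group, give the group rwx and set
# setgid (mode 2775, which ls shows as drwxrwsr-x). If the group does not exist
# yet, the chgrp is skipped so the function still works in a scratch directory.
setup_share() {
    dir=$1; grp=$2
    mkdir -p "$dir"
    if getent group "$grp" >/dev/null 2>&1; then
        chgrp "$grp" "$dir"
    fi
    chmod 2775 "$dir"
}

# Octal mode of a path, e.g. 2775 or 640 (GNU stat; BSD stat would need -f %Lp).
mode_of() { stat -c %a "$1"; }

# True when the setgid bit (02000) is set: the leading digit is 2, 3, 6 or 7.
has_setgid() {
    case "$(mode_of "$1")" in
        2???|3???|6???|7???) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 4 illustrated: create a file in the share under a given umask and return
# the mode it ends up with. setgid fixes the group but not the mode bits, so
# umask 0027 yields 640 and other group members can read but not write.
create_with_umask() {
    dir=$1; name=$2; um=$3
    ( umask "$um" && : > "$dir/$name" )
    mode_of "$dir/$name"
}

# Repair content created with a restrictive umask: group rw on files, group rwx
# plus setgid on directories. Running this from cron over the share is the
# usual alternative to relying on every user's umask.
fix_share_modes() {
    dir=$1
    find "$dir" -type d -exec chmod g+rwxs {} +
    find "$dir" -type f -exec chmod g+rw {} +
}

# Stand-alone demonstration in a scratch directory (constructed, not the
# thread's /tmp/demo listing).
demo() {
    scratch=$(mktemp -d)
    setup_share "$scratch/share" share
    printf 'share dir:       %s\n' "$(mode_of "$scratch/share")"                         # 2775
    printf 'umask 0027 file: %s\n' "$(create_with_umask "$scratch/share" afile 0027)"    # 640
    fix_share_modes "$scratch/share"
    printf 'after fix:       %s\n' "$(mode_of "$scratch/share/afile")"                   # 660
    rm -rf "$scratch"
}
demo
```

Note that a subdirectory made inside a setgid directory inherits the setgid bit on Linux (umask 0027 gives 2750, not 750), which is what keeps the group inheritance working one level down; files do not inherit the bit, only the group.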