Archivi tag: cifs

Serving ACL on Samba

Posted on by

I was playing a bit with samba, and I guess if I was able to serve files using access control list (aka ACL).

Posix ACL

While standard unix permissions allow one owner, one group and everybody – with some tweekings like directory sticky bit – new filesystems like ext3 and xfs gave us a bit control more.

They implement POSIX ACL. This is an old but widely used standard. To enable ACL we should firstly ask to the filesystem to set them up.

#mount /home -o remouont,acl,user_xattr

Then we can start playing: create a file and get its unix permission.
First of all let’s use umask to disable other user access to newly created files

# umask 077
# touch  /home/rpolli/sample_acl.txt
# ls -la  /home/rpolli/sample_acl.txt
 -rw------- 1 rpolli rpolli 0 2011-10-13 17:28 /home/rpolli/sample_acl.txt

Thanks to umask nobody but the owner can access this file.
Then we get its acl with #getfacl and check that everything matches!

# getfacl  /home/rpolli/sample_acl.txt
getfacl: Removing leading '/' from absolute path names
# file:  home/rpolli/sample_acl.txt
# owner: rpolli
# group: rpolli
user::rw-
group::---
other::---

Now let’s give write permission to this file to the caldavd user, which is not in the rpolli group

#setfacl -m u:caldavd:rw /home/rpolli/sample_acl.txt
#getfacl /home/rpolli/sample_acl.txt
getfacl: Removing leading '/' from absolute path names
# file: home/rpolli/sample_acl.txt
# owner: rpolli
# group: rpolli
user::rw-
user:caldavd:rw-
group::---
mask::rw-
other::---

So, to our common sense, file permissions are no more 600, as there’s somebody that can read it. Let’s look at the ls output

# ls -l /home/rpolli/sample_acl.txt
-rw-rw----+ 1 rpolli rpolli 0 2011-10-13 17:35 sample_acl.txt

There’s an indicator that somebody can read it, and a “+” flag at the end of unix permissions, stating that this file uses some more security mechanism.

You can exclaim now “Very impressive, Kowalski, but…can it fly?”.

rpolli# sudo su - caldavd
caldavd$ ls /home/rpolli/
ls: cannot open directory /home/rpolli/: Permission denied
caldavd$ ls /home/rpolli/sample_acl.txt -la
-rw-rw----+ 1 rpolli rpolli 0 2011-10-13 17:35 /home/rpolli/sample_acl.txt

and finally

caldavd$ echo pippo>/home/rpolli/sample_acl.txt
caldavd$ cat /home/rpolli/sample_acl.txt
pippo

Serving it with samba

To serve a directory with Samba 3 we just have to add the following stanza to the smb.conf

[share]
   comment = Ioggstream Samba share
   read only = no
   path = /home/share/
   guest ok = no
   nt acl support = yes

First of all we need to share a folder. Disabling guests is optional, but to change ACL you have to authenticate: so no guests this time!
The compulsory statement is to allow “nt acl”.

Once we restart samba, we can browse our folder using a Windows Vista. Strangely enough the WindowsXP file browser doesn’t detect ACL on my server.

So open your client and go to \\192.168.0.7\ (that’s my samba ip, use yours :P) and insert your credential.
Right click on your folder and select “Security” (Protezione in Italiano) and..voilà! You will be able to see and edit your files .permission!