I was playing a bit with samba, and I guess if I was able to serve files using access control list (aka ACL).
Posix ACL
While standard unix permissions allow one owner, one group and everybody – with some tweekings like directory sticky bit – new filesystems like ext3 and xfs gave us a bit control more.
They implement POSIX ACL. This is an old but widely used standard. To enable ACL we should firstly ask to the filesystem to set them up.
#mount /home -o remouont,acl,user_xattr
Then we can start playing: create a file and get its unix permission.
First of all let’s use umask to disable other user access to newly created files
# umask 077 # touch /home/rpolli/sample_acl.txt # ls -la /home/rpolli/sample_acl.txt -rw------- 1 rpolli rpolli 0 2011-10-13 17:28 /home/rpolli/sample_acl.txt
Thanks to umask nobody but the owner can access this file.
Then we get its acl with #getfacl and check that everything matches!
# getfacl /home/rpolli/sample_acl.txt getfacl: Removing leading '/' from absolute path names # file: home/rpolli/sample_acl.txt # owner: rpolli # group: rpolli user::rw- group::--- other::---
Now let’s give write permission to this file to the caldavd user, which is not in the rpolli group
#setfacl -m u:caldavd:rw /home/rpolli/sample_acl.txt #getfacl /home/rpolli/sample_acl.txt getfacl: Removing leading '/' from absolute path names # file: home/rpolli/sample_acl.txt # owner: rpolli # group: rpolli user::rw- user:caldavd:rw- group::--- mask::rw- other::---
So, to our common sense, file permissions are no more 600, as there’s somebody that can read it. Let’s look at the ls output
# ls -l /home/rpolli/sample_acl.txt -rw-rw----+ 1 rpolli rpolli 0 2011-10-13 17:35 sample_acl.txt
There’s an indicator that somebody can read it, and a “+” flag at the end of unix permissions, stating that this file uses some more security mechanism.
You can exclaim now “Very impressive, Kowalski, but…can it fly?”.
rpolli# sudo su - caldavd caldavd$ ls /home/rpolli/ ls: cannot open directory /home/rpolli/: Permission denied caldavd$ ls /home/rpolli/sample_acl.txt -la -rw-rw----+ 1 rpolli rpolli 0 2011-10-13 17:35 /home/rpolli/sample_acl.txt
and finally
caldavd$ echo pippo>/home/rpolli/sample_acl.txt caldavd$ cat /home/rpolli/sample_acl.txt pippo
Serving it with samba
To serve a directory with Samba 3 we just have to add the following stanza to the smb.conf
[share] comment = Ioggstream Samba share read only = no path = /home/share/ guest ok = no nt acl support = yes
First of all we need to share a folder. Disabling guests is optional, but to change ACL you have to authenticate: so no guests this time!
The compulsory statement is to allow “nt acl”.
Once we restart samba, we can browse our folder using a Windows Vista. Strangely enough the WindowsXP file browser doesn’t detect ACL on my server.
So open your client and go to \\192.168.0.7\ (that’s my samba ip, use yours :P) and insert your credential.
Right click on your folder and select “Security” (Protezione in Italiano) and..voilà ! You will be able to see and edit your files .permission!