I was playing a bit with Samba, and I wondered whether I was able to serve files using access control lists (aka ACLs).
Posix ACL
While standard Unix permissions allow one owner, one group and everybody else – with some tweaks like the directory sticky bit – newer filesystems like ext3 and XFS give us a bit more control.
They implement POSIX ACLs. This is an old but widely used standard. To enable ACLs we first have to ask the filesystem to set them up:
# mount /home -o remount,acl,user_xattr
Then we can start playing: create a file and get its Unix permissions.
First of all, let’s use umask to deny other users access to newly created files:
# umask 077
# touch /home/rpolli/sample_acl.txt
# ls -la /home/rpolli/sample_acl.txt
-rw------- 1 rpolli rpolli 0 2011-10-13 17:28 /home/rpolli/sample_acl.txt
Thanks to umask nobody but the owner can access this file.
Then we get its ACL with getfacl and check that everything matches:
# getfacl /home/rpolli/sample_acl.txt
getfacl: Removing leading '/' from absolute path names
# file: home/rpolli/sample_acl.txt
# owner: rpolli
# group: rpolli
user::rw-
group::---
other::---
Now let’s give write permission on this file to the caldavd user, which is not in the rpolli group:
#setfacl -m u:caldavd:rw /home/rpolli/sample_acl.txt
#getfacl /home/rpolli/sample_acl.txt
getfacl: Removing leading '/' from absolute path names
# file: home/rpolli/sample_acl.txt
# owner: rpolli
# group: rpolli
user::rw-
user:caldavd:rw-
group::---
mask::rw-
other::---
So, to our common sense, the file permissions are no longer 600, as there’s somebody else who can read it. Let’s look at the ls output:
# ls -l /home/rpolli/sample_acl.txt
-rw-rw----+ 1 rpolli rpolli 0 2011-10-13 17:35 sample_acl.txt
There are two indicators that somebody else can read it: the group field now shows rw- (ls displays the ACL mask there, while the owning group’s own entry is still ---), and a “+” flag at the end of the Unix permissions, stating that this file uses some further security mechanism.
You can exclaim now “Very impressive, Kowalski, but…can it fly?”.
rpolli# sudo su - caldavd
caldavd$ ls /home/rpolli/
ls: cannot open directory /home/rpolli/: Permission denied
caldavd$ ls /home/rpolli/sample_acl.txt -la
-rw-rw----+ 1 rpolli rpolli 0 2011-10-13 17:35 /home/rpolli/sample_acl.txt
and finally:
caldavd$ echo pippo>/home/rpolli/sample_acl.txt
caldavd$ cat /home/rpolli/sample_acl.txt
pippo
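The session above shows the result, but not the rule that produced it: who is actually allowed to read or write once a mask entry exists. The following Python script is an added example, not code from the original post. It parses getfacl-style text (the sample is constructed from the post’s own output), applies the POSIX.1e access check with the mask, reproduces the mode string ls prints, and models what chmod on the group bits does to the mask on Linux. The user names alice and bob are hypothetical.

```python
"""Effective POSIX ACL permissions from getfacl output (added example)."""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_bits(perm: str) -> int:
    """'rw-' -> 6, '---' -> 0."""
    return sum(PERM_BITS[c] for c in perm if c != "-")


def bits_to_perm(bits: int) -> str:
    """6 -> 'rw-'."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: int = 0           # user::  owner entry, never masked
    group_obj: int = 0          # group:: owning group, masked
    other: int = 0              # other:: never masked
    mask: Optional[int] = None  # mask::  absent on a minimal ACL
    named_users: Dict[str, int] = field(default_factory=dict)
    named_groups: Dict[str, int] = field(default_factory=dict)


def parse_getfacl(text: str) -> Acl:
    """Parse the text getfacl prints for one file."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()  # drop effective-rights hints
        if not line or line.startswith("getfacl:"):
            continue
        if line.startswith("# owner:"):
            acl.owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl.group = line.split(":", 1)[1].strip()
        elif line.startswith("#"):
            continue  # "# file:" and any other comment line
        else:
            tag, qualifier, perm = line.split(":")
            bits = perm_to_bits(perm)
            if tag == "user":
                if qualifier:
                    acl.named_users[qualifier] = bits
                else:
                    acl.user_obj = bits
            elif tag == "group":
                if qualifier:
                    acl.named_groups[qualifier] = bits
                else:
                    acl.group_obj = bits
            elif tag == "mask":
                acl.mask = bits
            elif tag == "other":
                acl.other = bits
    return acl


def check_access(acl: Acl, user: str, groups: List[str], wanted: str) -> bool:
    """POSIX.1e check: the first matching entry class decides. The mask caps
    named users, the owning group and named groups, but not owner or other."""
    want = perm_to_bits(wanted)
    mask = 7 if acl.mask is None else acl.mask
    if user == acl.owner:
        return (acl.user_obj & want) == want
    if user in acl.named_users:
        return (acl.named_users[user] & mask & want) == want
    candidates = [acl.group_obj] if acl.group in groups else []
    candidates += [bits for g, bits in acl.named_groups.items() if g in groups]
    if candidates:
        # any matching group entry that grants everything requested wins
        return any((bits & mask & want) == want for bits in candidates)
    return (acl.other & want) == want


def ls_mode_string(acl: Acl) -> str:
    """What ls -l shows for a regular file: the group slot displays the mask
    when one exists, and '+' marks an extended ACL."""
    group_class = acl.group_obj if acl.mask is None else acl.mask
    extended = acl.mask is not None or bool(acl.named_users) or bool(acl.named_groups)
    return ("-" + bits_to_perm(acl.user_obj) + bits_to_perm(group_class)
            + bits_to_perm(acl.other) + ("+" if extended else ""))


def with_group_mode(acl: Acl, perm: str) -> Acl:
    """Model chmod g=<perm> on Linux: with an extended ACL the group bits of
    the mode rewrite the mask entry, not the owning group's entry."""
    bits = perm_to_bits(perm)
    return replace(acl, group_obj=bits) if acl.mask is None else replace(acl, mask=bits)


# Constructed from the getfacl output shown in the post.
SAMPLE_GETFACL = """\
# file: home/rpolli/sample_acl.txt
# owner: rpolli
# group: rpolli
user::rw-
user:caldavd:rw-
group::---
mask::rw-
other::---
"""

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    print(ls_mode_string(acl))                                         # -rw-rw----+
    print(check_access(acl, "caldavd", ["caldavd"], "w"))              # True
    print(check_access(acl, "alice", ["rpolli"], "r"))                 # False
    print(check_access(with_group_mode(acl, "r--"), "caldavd", ["caldavd"], "w"))  # False
```

The last line is the caveat worth remembering: a plain chmod g-w on an ACL-bearing file does not touch the group:: entry, it lowers the mask, so every named user silently loses write access too. getfacl reports this with a trailing #effective: hint on the affected entries.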
Serving it with samba
To serve a directory with Samba 3 we just have to add the following stanza to smb.conf:
[share]
comment = Ioggstream Samba share
read only = no
path = /home/share/
guest ok = no
nt acl support = yes
First of all we need to share a folder. Disabling guests is optional, but to change ACLs you have to authenticate: so no guests this time!
The compulsory setting is nt acl support = yes.
Once we restart Samba, we can browse our folder using a Windows Vista client. Strangely enough, the Windows XP file browser doesn’t detect ACLs on my server.
So open your client, go to \\192.168.0.7\ (that’s my Samba IP, use yours :P) and insert your credentials.
Right click on your folder, select “Security” (Protezione in Italian) and... voilà! You will be able to see and edit your files’ permissions!
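As an added check (my own example, not part of the post or of Samba), here is a small audit of smb.conf that flags shares where the two settings the post relies on are wrong: nt acl support turned off, so Windows clients cannot see or edit ACLs, or guest ok turned on, so access is not tied to an authenticated user. The config below is constructed from the post’s stanza plus a hypothetical weak share named public; the Samba defaults assumed (nt acl support = yes, guest ok = no) are the documented ones.

```python
"""Audit smb.conf shares for ACL-related settings (added example)."""
import configparser
from typing import Dict, List

TRUE_VALUES = {"yes", "true", "1"}  # Samba boolean spellings

# Constructed sample: the post's stanza plus a deliberately weak share.
SAMPLE_SMB_CONF = """\
[global]
workgroup = WORKGROUP

[share]
comment = Ioggstream Samba share
read only = no
path = /home/share/
guest ok = no
nt acl support = yes

[public]
path = /srv/public
guest ok = yes
nt acl support = no
"""


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf is ini-like: [section] headers, key = value, # or ; comments."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def audit_shares(text: str) -> Dict[str, List[str]]:
    """Return a list of findings per share section ([global] is skipped)."""
    cp = parse_smb_conf(text)
    findings: Dict[str, List[str]] = {}
    for section in cp.sections():
        if section == "global":
            continue
        issues = []
        acl = cp.get(section, "nt acl support", fallback="yes").strip().lower()
        guest = cp.get(section, "guest ok", fallback="no").strip().lower()
        if acl not in TRUE_VALUES:
            issues.append("nt acl support is off: clients cannot view or edit ACLs")
        if guest in TRUE_VALUES:
            issues.append("guest ok = yes: unauthenticated access, ACL edits need a real user")
        findings[section] = issues
    return findings


if __name__ == "__main__":
    for share, issues in audit_shares(SAMPLE_SMB_CONF).items():
        print(share, issues or "ok")
```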