[NTLUG:Discuss] Samba, ACL - permissions

Chris Cox cjcox at acm.org
Wed Jun 6 10:02:56 CDT 2007


Greg Edwards wrote:
> Jerome Haltom wrote:
>> Urm, how can a group belong to a group again? =)
>>
>> Unless you have some pam module I am not aware of.
>>
>> On Tue, 2007-06-05 at 17:11 -0500, Greg Edwards wrote:
>>
> 
> The /etc/group file lists users and groups.  The mistaken assumption is 
> usually made that the list is user names only.
> 

Actually, no.  However the /etc/group file does allow a user
to belong to multiple groups.  Your primary gid comes from
/etc/passwd, for example:

ccox:x:1000:100:Chris Cox:/localhome/ccox:/bin/bash

However, inside of /etc/group (where we would find gid 100
from the above), we can have other groups that ccox is
a part of, for example /etc/group might contain:


users:x:100:
sysadmin:x:6000:ccox

Notice that the users (100) group DOES NOT show that
ccox has that group id from /etc/passwd.  So you DO have
to look at /etc/passwd for primary group membership AND
/etc/group for that group name AND for any other groups
that user might belong to.  If I'm logged in as ccox
and issue an id command, I'll see my primary group and
the other groups I belong to.

$ id
uid=1000(ccox) gid=100(users) groups=6000(sysadmin)

If I open up the directory mask and create mask bits
for my share in samba, then directories ccox creates
(e.g. newdir) will look like:

drwxrwxr-x 2 ccox users 4096 2007-06-06 9:57 /samba-share/newdir

This means that anyone who is a part of the "users" group can
create files inside of newdir.  Likewise any file I create
on my samba-share will have permissions rw-rw-r-- by default...
again, giving anyone of the group "users" the right to edit
the file.  Directory permissions however are what control
security.  Because even if I couldn't read/write a new
file inside of "newdir", the fact that I have write permissions
on "newdir" means that I can delete any file contained there.
If you want to prevent that behavior you can set the sticky bit
on the directory and THEN you would have to own anything inside
of "newdir" in order to be able to remove it (/tmp is often
set up this way nowadays).


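An added worked example (not part of Chris's post or of Samba itself) that puts the three points above into runnable form: group membership is the primary gid from /etc/passwd plus every /etc/group entry that names the user, Samba derives a new object's Unix mode from the create/directory mask, and whether you can unlink a file depends on the directory bits and the sticky bit rather than on the file's own mode. The passwd/group lines for root, greg and jerome, the ownership of the sample files, and the assumption that a Samba client requests 0777 for directories and 0666 for files before masking are all constructed for the example; only the ccox, users and sysadmin lines come from the post.

```python
"""Group membership, Samba mask arithmetic and unlink permission, worked
through on constructed passwd/group data (example code, not the poster's)."""
import stat
from dataclasses import dataclass

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ccox:x:1000:100:Chris Cox:/localhome/ccox:/bin/bash
greg:x:1001:100:Greg Edwards:/home/greg:/bin/bash
jerome:x:1002:1002:Jerome Haltom:/home/jerome:/bin/bash
"""
GROUP = """\
root:x:0:
users:x:100:
sysadmin:x:6000:ccox
jerome:x:1002:
"""

def parse_passwd(text):
    """{name: (uid, primary_gid)} from passwd(5) lines."""
    users = {}
    for line in filter(None, text.splitlines()):
        name, _pw, uid, gid, *_rest = line.split(":")
        users[name] = (int(uid), int(gid))
    return users

def parse_group(text):
    """{gid: (group_name, set_of_member_names)} from group(5) lines."""
    groups = {}
    for line in filter(None, text.splitlines()):
        name, _pw, gid, members = line.split(":")
        groups[int(gid)] = (name, {m for m in members.split(",") if m})
    return groups

def groups_of(user, users, groups):
    """Primary gid from passwd (which /etc/group need not list) plus every
    group whose member list names the user."""
    _uid, primary = users[user]
    return {primary} | {g for g, (_n, members) in groups.items() if user in members}

def id_line(user, users, groups):
    """Render membership like `id` (Linux id also lists the primary group under groups=)."""
    uid, primary = users[user]
    def name(g):
        return f"{g}({groups[g][0]})" if g in groups else str(g)
    return (f"uid={uid}({user}) gid={name(primary)} groups="
            + ",".join(name(g) for g in sorted(groups_of(user, users, groups))))

def samba_new_mode(is_dir, mask, force_mode=0):
    """Requested bits ANDed with 'create mask'/'directory mask', then ORed with
    'force create mode'/'force directory mode', as smb.conf(5) documents.
    Assumption: the client requests 0777 (dir) or 0666 (file)."""
    requested = 0o777 if is_dir else 0o666
    return (requested & mask) | force_mode

@dataclass
class Inode:
    owner: str   # owning user name
    group: int   # owning gid
    mode: int    # permission bits plus sticky bit, e.g. 0o775 or 0o1775

def has_perm(user, inode, usr_bit, grp_bit, oth_bit, users, groups):
    """Owner/group/other class selection; uid 0 passes everything."""
    uid, _ = users[user]
    if uid == 0:
        return True
    if inode.owner == user:
        return bool(inode.mode & usr_bit)
    if inode.group in groups_of(user, users, groups):
        return bool(inode.mode & grp_bit)
    return bool(inode.mode & oth_bit)

def can_unlink(user, directory, target, users, groups):
    """unlink() needs write+search on the directory and nothing on the file.
    With the sticky bit set you must also own the file or the directory (or be root)."""
    w = has_perm(user, directory, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH, users, groups)
    x = has_perm(user, directory, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH, users, groups)
    if not (w and x):
        return False
    if directory.mode & stat.S_ISVTX:
        return users[user][0] == 0 or user in (target.owner, directory.owner)
    return True

def demo():
    users, groups = parse_passwd(PASSWD), parse_group(GROUP)
    newdir = Inode("ccox", 100, samba_new_mode(True, 0o775))  # drwxrwxr-x ccox users
    sticky = Inode("ccox", 100, newdir.mode | stat.S_ISVTX)   # drwxrwxr-t ccox users
    secret = Inode("ccox", 100, 0o600)                        # -rw------- ccox users
    return {
        "id ccox": id_line("ccox", users, groups),
        "file mode under create mask 0664": samba_new_mode(False, 0o664),
        "greg reads secret": has_perm("greg", secret, stat.S_IRUSR, stat.S_IRGRP,
                                      stat.S_IROTH, users, groups),
        "greg unlinks secret in newdir": can_unlink("greg", newdir, secret, users, groups),
        "greg unlinks secret in sticky newdir": can_unlink("greg", sticky, secret, users, groups),
        "jerome unlinks secret in newdir": can_unlink("jerome", newdir, secret, users, groups),
        "ccox unlinks secret in sticky newdir": can_unlink("ccox", sticky, secret, users, groups),
    }
```

Running demo() shows greg, who is in "users" only by way of his primary gid, cannot read ccox's 0600 file yet can unlink it from a 775 directory, and that adding the sticky bit is what stops him while still letting ccox remove his own files. Real kernels add capability checks (CAP_FOWNER, CAP_DAC_OVERRIDE) on top of this; the model here is the plain mode-bit rule the post describes.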