
How do I create a truly shared folder on a Linux server? I want the members of a project team to be able to read and write every file as if it were their own, regardless of whether they copied or moved the file into the folder, created it themselves inside the folder, or the file was created by others.

So far I ran into the following problems:

  • umask only works at a system-wide level and ignores existing files
  • ACLs ignore files moved into the folder by the user
  • inotify seems like a hack because it fixes the permissions afterwards, which may cause problems with some office documents
  • regularly chgrp -R projectteam /folder/ causes problems with performance, delays and backups.

My current solution is a SAMBA share mounted on the same server with force user and force group enabled. This is however cumbersome to administer for multiple project groups and I think I am taking a performance hit.

Any help or idea would be much appreciated. I run Debian 10.

Kind regards from Hamburg, Germany

Michael


2 Answers


If all project users have a common project group assigned, you can set the setgid bit on your project directory (as well as its sub-directories):

find /path/to/teamfolder -type d -exec chmod g+s '{}' \;

Also set ACL permissions on the project directory something like:

setfacl -d -m u::rwx,g::rwx,o::r-x /path/to/teamfolder

When the setgid bit is set on a directory, all files created within that directory will inherit the group ownership of that directory. ACL permissions will allow created files inside project directory to have write permissions for the group.

A new user can be added as:

sudo usermod -a -G projgrp newuser

Hope this helps.

  • But this doesn't work for files copied into the folder, right? – Michael Jul 31 '19 at 04:50
  • @Michael Yes, not that I know of. There are some workarounds possible as suggested here: https://serverfault.com/questions/831992/how-can-a-file-moved-to-a-directory-with-gid-bit-set-inherit-the-group-ownership – Abhishek Nair Jul 31 '19 at 13:17
  • The proposed solutions center around inotify or umask. The idea of using incrontab is however interesting because of its simplicity. Thank you very much! – Michael Jul 31 '19 at 21:11
  • You're welcome @Michael – Abhishek Nair Jul 31 '19 at 21:16
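As an added example (not code from the answer or the comments above), the following POSIX shell script applies the setgid plus default-ACL recipe to a directory and then checks which files actually inherit the group. It also reproduces the moved-file problem from the question, so the difference between "created inside" and "moved in" can be seen on one directory. Directory and group names are supplied by the caller; the choice of `o::---` (nothing for others) instead of the answer's `o::r-x` is this example's own.

```shell
#!/bin/sh
# Added example, not part of the answer above: apply the setgid + default-ACL
# recipe to a directory and then verify which files really inherit the group.
# The directory and group names are supplied by the caller; nothing here is a
# system default.
set -eu

# setup_team_dir DIR GROUP
# Creates DIR if needed, hands it to GROUP, sets mode 2770 (setgid, group
# rwx, nothing for others) on every directory under it and, where setfacl and
# the filesystem support it, a default ACL so files created inside become
# group-writable regardless of the creator's umask.
setup_team_dir() {
    dir=$1; group=$2
    mkdir -p "$dir"
    chgrp -R "$group" "$dir"
    # setgid is not retroactive, so existing sub-directories need it too.
    find "$dir" -type d -exec chmod 2770 '{}' \;
    if command -v setfacl >/dev/null 2>&1; then
        # Fails harmlessly on filesystems mounted without ACL support.
        setfacl -R -d -m u::rwx,g::rwx,o::--- "$dir" 2>/dev/null || true
    fi
}

# has_setgid PATH: succeeds when the setgid bit is set, i.e. the 7th mode
# character reported by stat is "s" or "S" (e.g. drwxrws---).
has_setgid() {
    case $(stat -c %A "$1") in
        ??????[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# inherits_group DIR: creates a file inside DIR and succeeds when the new file
# carries DIR's numeric group, which is what the setgid bit guarantees.
inherits_group() {
    : > "$1/created-inside"
    [ "$(stat -c %g "$1/created-inside")" = "$(stat -c %g "$1")" ]
}

# created_file_mode DIR: octal mode of a file created inside DIR with umask
# 022. With the default ACL in place this is 660 (the ACL overrides the
# umask); without it the umask wins and the result is 644, i.e. no group write.
created_file_mode() {
    (umask 022; : > "$1/umask-test")
    stat -c %a "$1/umask-test"
}

# moved_file_mode DIR FILE: moves FILE into DIR and prints its mode afterwards.
# A rename within one filesystem keeps owner, group and mode untouched, which
# is exactly why neither setgid nor a default ACL helps for moved files.
moved_file_mode() {
    mv "$2" "$1/"
    stat -c %a "$1/$(basename "$2")"
}
```

Run it against a scratch directory first (`setup_team_dir /tmp/team "$(id -g)"`), then compare `created_file_mode` with `moved_file_mode`: the moved file keeps whatever group and mode it had before, so a separate fix-up step (incron, a systemd path unit, or a periodic chgrp) remains necessary for that case.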

You have several layers of configuration to line up, and it can be done to make administration quite simple.

As Abhishek suggested, setting the setgid bit for a directory is quite helpful because it makes the directory's group ownership inheritable by default for newly created files and directories.

Copied files retain their ownership, however, as you have observed. For re-setting group ownership, the incrontab approach is good. A more modern approach would use a systemd .path file to monitor for modifications and a corresponding .service file to run chgrp.

To address your question about configuring to support many project groups, consider the following:

First, remember that Samba only provides authentication and depends on file system permissions and host user accounts.

Set umask to 0002, which allows group write permissions by default.

Create a host account for each user:

sudo useradd andreas
sudo useradd beatrix
sudo useradd ciela

Create a data "super-user" distinct from root for administrative purposes:

sudo useradd oberst

Create a group for each project:

sudo groupadd hund
sudo groupadd katz

Create a data directory for each project, set permissions (including the setgid bit) and ownership. The following commands set the setgid bit (2), give full permissions (7) to the super-user oberst and the specified group, and give no permissions to others (0), so non-group members can't read, write, or execute:

sudo mkdir /srv/hund
sudo chown oberst:hund /srv/hund
sudo chmod 2770 /srv/hund
sudo mkdir /srv/katz
sudo chown oberst:katz /srv/katz
sudo chmod 2770 /srv/katz

Add users to groups:

sudo usermod -a -G hund andreas
sudo usermod -a -G hund beatrix
sudo usermod -a -G katz beatrix
sudo usermod -a -G katz ciela

Add users to Samba:

sudo smbpasswd -a andreas
sudo smbpasswd -e andreas
sudo smbpasswd -a beatrix
sudo smbpasswd -e beatrix
sudo smbpasswd -a ciela
sudo smbpasswd -e ciela

Edit smb.conf to create shares. read only=no allows write access and browsable=no prevents others (i.e., non-group members) from browsing the share. Note the "@" prefix in the valid users directive, which defines access by reference to host groups:

[hund]
    path=/srv/hund
    read only=no
    browsable=no
    force group=hund
    valid users=@hund

[katz]
    path=/srv/katz
    read only=no
    browsable=no
    force group=katz
    valid users=@katz

Now (perhaps after a reboot), /srv/hund can be accessed (read/write) by andreas and beatrix but not ciela, and /srv/katz can be accessed (read/write) by beatrix and ciela but not andreas.

All that is necessary to change a user's access is simply to change group membership using usermod.

Of course, you also should configure passwords for host accounts and Samba accounts.

Hope this is helpful.

ebsf
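As an added example (not code from ebsf's answer), the per-project steps above can be folded into one script so that adding the third, fourth or tenth project is a single command. It also spells out the systemd .path/.service pair the answer mentions for re-setting group ownership of files moved into the share. The /srv/NAME layout, the oberst owner account and the share options are taken from the answer; the unit names fixgroup-NAME.path and fixgroup-NAME.service are this example's own choice.

```shell
#!/bin/sh
# Added example, not part of ebsf's answer: the per-project steps above as one
# repeatable script. The /srv/NAME layout, the "oberst" owner account and the
# share options come from the answer; the unit names fixgroup-NAME.path and
# fixgroup-NAME.service are this example's own choice.
set -eu

# render_smb_share NAME: the smb.conf stanza for project NAME, as in the
# answer (restricted to the host group, writable, hidden from browsing).
render_smb_share() {
    printf '[%s]\n' "$1"
    printf '    path=/srv/%s\n' "$1"
    printf '    read only=no\n'
    printf '    browsable=no\n'
    printf '    force group=%s\n' "$1"
    printf '    valid users=@%s\n' "$1"
}

# render_path_unit NAME: a systemd .path unit that fires whenever the project
# directory changes (file created, moved in, renamed or deleted). Caveat: path
# units are not recursive; only the directory named is watched, so a move into
# a sub-directory does not trigger it. Add one PathChanged= line per
# sub-directory that matters, or fall back to incron for full recursion.
render_path_unit() {
    printf '[Unit]\nDescription=Watch /srv/%s for group-ownership fixes\n\n' "$1"
    printf '[Path]\nPathChanged=/srv/%s\n\n' "$1"
    printf '[Install]\nWantedBy=multi-user.target\n'
}

# render_fix_service NAME: the .service unit of the same name, which systemd
# starts when the .path unit triggers. Instead of chgrp -R over everything it
# touches only entries whose group or group permissions are wrong, which keeps
# the cost low on large trees (the performance worry in the question).
render_fix_service() {
    fix="find /srv/$1 ! -group $1 -exec chgrp $1 {} + ;"
    fix="$fix find /srv/$1 ! -perm -g=rw -exec chmod g+rwX {} +"
    printf '[Unit]\nDescription=Fix group ownership under /srv/%s\n\n' "$1"
    printf '[Service]\nType=oneshot\n'
    printf "ExecStart=/bin/sh -c '%s'\n" "$fix"
}

# provision_project NAME: run as root on the server to create the group, the
# 2770 directory, the Samba share and the watcher units in one go.
provision_project() {
    groupadd -f "$1"
    mkdir -p "/srv/$1"
    chown "oberst:$1" "/srv/$1"
    chmod 2770 "/srv/$1"
    render_smb_share "$1" >> /etc/samba/smb.conf
    render_path_unit "$1" > "/etc/systemd/system/fixgroup-$1.path"
    render_fix_service "$1" > "/etc/systemd/system/fixgroup-$1.service"
    systemctl daemon-reload
    systemctl enable --now "fixgroup-$1.path"
    systemctl reload smbd
}
```

After `provision_project hund`, membership is still managed with `usermod -a -G hund user` exactly as the answer describes; the script only removes the copy-and-paste work for the directory, the share stanza and the watcher. Because the service fixes group ownership after the fact, a moved file is briefly owned by the mover's old group, which is the same small window the question's inotify objection refers to.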