[KLUG Members] Effective file access question/advice: Part I

Adam Williams members@kalamazoolinux.org
05 Feb 2003 19:45:48 -0500


>Gentlemen and Scholars,

Scholar, maybe, of a peculiar sort.  But I've never worn a tie in my
life, so gotta decline the first one.
 
>My lack of understanding of effective file access became abundantly evident
>when I recently had a user request that I create a temporary share for read
>only company wide access to files in a subdirectory of his home.

Hmmm, I can see it starting. :)
 
>In my naivety I put a symbolic link in a company wide read only share from
>the user's files that had permissions of 0644 in a subdirectory that had
>permissions of 0775 in a home that had permissions 0700. The files did not
>show up in the company wide read only samba share until I temporarily
>changed the permissions on the home directory to 1775. I am hoping that by
>setting the sticky bit on the user’s home, it will give others the temporary
>read only access to the files but prevent anyone but the user from
>accidentally deleting any of these shared files.

Ah, yes, I've been there.  Users want goofy ad hoc file sharing capacity
but want you to make it seamless and secure.  Gotta love 'em.

Rule#1 - Home directories are just that.  It is much better to leave
them alone.

Rule#2 - Temporary never is, you'll end up maintaining this forever
unless you want to break a myriad of people's shortcuts, recent files,
and other stupid crap that users use without even realizing what they
are.  When that happens, of course, it is your fault and "the system"
sucks.

Sharing files read only is odd.  You'd be much better off using a shared
mail folder or possibly DAV rather than Samba.  Personally I've learned
that file sharing is always the last resort / last ditch method for data
distribution/sharing.  Of course it is always the first method that
occurs to users.  It is the hardest to back up, secure, and manage.  And
the meaningless gibberish that users come up with for file names?  Sheesh...

>Having to change the permissions on his home to 1775 to give others access
>to these files seems to suggest that having permissions 0700 on a user home
>implies an effective file access of 0700 on subdirectories of the home. That
>is, no one but the home user and root can list, create or delete files in
>the user's home even if the subdirectory or files below are symbolically
>linked to another location.

Right, I like 0700 for home directories.
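
The behaviour discussed in this thread, as an added example that is not part of the original post: a symlink is resolved to its real path, and a user in the "other" class needs the search (execute) bit on every directory along that path, so a 0700 home blocks 0644 files in a 0775 subdirectory no matter where the link lives. The directory and file names are constructed, and the check reads only the "other" mode bits (ACLs, group membership and Samba's own user mapping are not modelled).

```python
import os
import stat
import tempfile

def first_block_for_others(path, root):
    """Return the first component under root that denies 'other' access
    to the resolved target of path, or None if every component allows it."""
    root = os.path.realpath(root)
    real = os.path.realpath(path)          # the link's own location is irrelevant
    parts = os.path.relpath(real, root).split(os.sep)
    current = root
    for i, name in enumerate(parts):
        current = os.path.join(current, name)
        mode = os.stat(current).st_mode
        # Directories on the way need o+x (search); the final file needs o+r.
        needed = stat.S_IXOTH if i < len(parts) - 1 else stat.S_IROTH
        if mode & needed != needed:
            return current
    return None

def build_demo(base):
    """Constructed layout from the post: home 0700, subdir 0775, file 0644,
    with a symlink to the file placed in a separate read-only share."""
    home = os.path.join(base, "home_user")
    sub = os.path.join(home, "shared")
    share = os.path.join(base, "company_ro")
    os.makedirs(sub)
    os.makedirs(share)
    target = os.path.join(sub, "report.txt")
    open(target, "w").close()
    os.chmod(target, 0o644)
    os.chmod(sub, 0o775)
    os.chmod(home, 0o700)
    os.chmod(share, 0o755)
    link = os.path.join(share, "report.txt")
    os.symlink(target, link)
    return home, link

def demo():
    with tempfile.TemporaryDirectory() as base:
        home, link = build_demo(base)
        before = first_block_for_others(link, base)   # blocked at the home
        os.chmod(home, 0o1775)                        # the change from the post
        after = first_block_for_others(link, base)    # nothing blocks now
        sticky = bool(os.stat(home).st_mode & stat.S_ISVTX)
        return os.path.basename(before), after, sticky

if __name__ == "__main__":
    print(demo())
```
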