[KLUG Members] Effective file access question/advice: Part II

Adam Williams members@kalamazoolinux.org
05 Feb 2003 20:06:43 -0500


><aside/ Sadly, work prevented me from attending the KLUG ACL presentation by
>Matt Benjamin. I have been following the development of ACL capabilities in
>Linux for some time. I believe that ultimately ACLs will be my salvation.

Yep.

>But for right now, I am afraid that trying to solve my problems by applying
>kernel patches and ACLs would be like trying to put out a fire with
>gasoline. /aside>

What version is your RedHat?  You may not even need to apply any kernel
patches.  Does "rpm -q acl" return anything?  Rebuilding the Samba RPM
to support ACLs (if it doesn't already) is truly trivial.
 
>On my RedHat Samba file server, each user has a home and is made a member
>of a group named for the department they belong to. Each department has a
>home created with the name of the department. This department home has a
>directory creation mask of 0775 and is SGID. The file creation mask is 0664.
>I use Samba permissions to regulate group access to the departmental shares.

Sounds like a pretty normal setup.  Only I like to set "force group"
instead of using SGID.
 
>This setup seemed to work just fine for segregating department files but
>allowed for simple read only sharing of department files.

You could create something using the replacement characters %u, %G,
etc...  Give each user another directory only they have write access to,
and read access to anyone else.

>Unfortunately, I am getting more and more end user requests for access to
>and sharing of files between specific individuals in different departments.
>Depending on the access requested, I accommodate these requests in various
>ways. For read only access, I simply put a link from the files in the
>department share to the home directory of the requesting individual. This
>seems pretty straightforward and reasonably safe.

But it becomes impossible to maintain, depending upon the size of the
network.  What happens when someone leaves, another user enters the mix?

>I create a group that consists of the department and the individual or
>individuals requiring write access to a group of department specific files.
>I then create a share that is owned by that group. I move the requested
>files into that share. I then put a symbolic link back to the original file
>location so the department doesn’t notice a change in department file
>location. I can then give the non-department user or users read access to
>what appears to be department owned files by putting a symbolic link to the
>home directory of the non-departmental person or persons requiring write
>access to just that file or group of files.

Yes, this is exactly the type of problem ACLs are meant to avoid.

>My concern is that with the proliferation of files appearing to be in
>department locations that are actually owned by a non-departmental group, I
>am going to give an unsophisticated user effective file access that would
>allow accidental deletion of files in for example the company wide read only
>share!!!

One good idea would be to use the recycle VFS module to create a network
trash can.  This gives you fall back protection against stupid users.

You can give a user or group write access to files in a directory
without giving them write access to the directory itself, which might
be what you're looking for.

>If there is a simpler or better way to accomplish this sharing of writeable
>files,  

Split up files so user roles are reflected in the physical structure. 
Spreadsheets can `include` other spreadsheets, etc...

>I would certainly love to learn how to do it. Without having ACLs
>to fine tune access permissions, this is the best solution that my simple
>mind could come up with, and I am not confident in the outcome.
>Any suggestions would be greatly appreciated.

I'm afraid that with file sharing, without ACLs, all the solutions are a
bit kludgy.
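
The distinction raised in the thread (write access to a file versus write access to its directory, which is what governs deletion) can be audited with a short script. This is an added example, not part of the original message; the function names `effective_access` and `audit_tree` are hypothetical, and it assumes classic mode bits only (no root, no POSIX ACLs, no check of search permission on ancestor directories).

```python
import os
import stat


def _class_bits(st, uid, gids):
    """Return the rwx triplet (0-7) that applies to this uid/gid set."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def effective_access(path, uid, gids):
    """Report whether uid (a member of gids) can modify and/or delete path."""
    # abspath does not resolve symlinks, so a link is judged by the
    # directory it sits in, as in the symlinked-share setup described above.
    parent = os.path.dirname(os.path.abspath(path))
    lst = os.lstat(path)            # the directory entry itself (may be a link)
    dst = os.stat(parent)
    try:
        fst = os.stat(path)         # follows symlinks: content is at the target
    except OSError:                 # dangling symlink: nothing to modify
        fst = None
    can_modify = fst is not None and bool(_class_bits(fst, uid, gids) & 2)

    # Unlinking needs write + search on the containing directory, not the file.
    can_delete = (_class_bits(dst, uid, gids) & 3) == 3
    # Sticky directory: only the entry's owner or the directory's owner may unlink.
    if can_delete and dst.st_mode & stat.S_ISVTX:
        can_delete = uid in (lst.st_uid, dst.st_uid)

    return {"modify": can_modify, "delete": can_delete}


def audit_tree(root, uid, gids):
    """Yield (path, access) for every file under root that the user could delete."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            acc = effective_access(p, uid, gids)
            if acc["delete"]:
                yield p, acc
```

Running `audit_tree` over a share with the uid and group ids of a newly added cross-department user lists the files that user could remove, before the group membership goes live.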