[KLUG Members] RE: Effective file access responses

[Adam Williams]

>>What version is your RedHat?  You may not even need to apply
>>any kernel patches.  Does "rpm -q acl" return anything?  Rebuilding 
>>the Samba RPM to support ACLs (if it doesn't already) is truly
>>trivial.
>cat /etc/issue
>RedHat 5.1(Manhattan)
>Kernel 2.0.36 on an i686

Yikes!  

>rpm -q acl
>Package not installed.

Nope, no ACL support in a distro that old.

>I believe it takes kernel 2.4.19+ to even be able to build a kernel with
>ACL's.

Something like that,  but most recent distros include it.

>I am still bumping along with our trusty VA Research Pentium Pro Raid 5
>RedHat 5.1 Samba 1.9.18p5 file server (with oplocks turned off, thank you
>very much). Our recently hired software engineer is busy programming open

Holy cow.  You do realize that sub-2.2.x isn't cleared to work with
WinNTsp6+, WinY2k, or WinXpee?  Of course, I've recently bumped into
several sites that are.  Updating Samba is really easy and may provide a
nice performance kick.

>source alternatives to our proprietary in-house software. For development
>work, I gave him the dual power supply, dual NIC, Raid 1+0 with hot swap
>spare, RedHat 7.2 ext3 box from Monarch.

Nice, I don't recall if 7.2 included ACL support, but I really doubt
it.  You should update to 8.x prior to going production.  Many issues
have been resolved, performance is noticeably better, and the upgrade
should be relatively painless.

>>Sounds like a pretty normal setup.  Only I like to set "force group"
>>instead of using SGID.
>I ran into some problems when I apparently tried to make samba do more than
>the linux file system permissions allowed. So I tend to make sure the file

That version of Samba might be problematic when you start to do wierd
things.  

>system supports what I am trying to accomplish, then layer samba on top. If
>I were doing it from scratch I would try the force group, I inherited much
>of the samba settings. There are some strange global settings. Rather than
>break something that is funky but working, I just used SGID to create the
>new departments.
>>>This setup seemed to work just fine for segregating
>>department files but
>>>allowed for simple read only sharing of department files.
>>You could create something using the replacement characters %u, %G,
>>etc...  Give each user another directory only they have write
>>access to, and read access to anyone else.
>Unfortunately, as I explained at the beginning of this email most of these
>files are departmental files that have to stay available department wide.
>New employees need read only access and sometimes write access even though
>they are in a different department.

Hide files and veto files might be useful.  You can create multiple
shares that point to the same point but with differing veto settings,
etc... But I don't know how complicated your right assignments are.

>>One good idea would be to use the recycle VFS module to
>>create a network
>>trash can.  This gives you fall back protection against stupid users.
>THIS IS MUST LEARN ABOUT!!!!

It is very nice.

>>You can give a user of group write access to files in a directory
>>without giving them write access to the directory itself,  which might
>>be what your looking for.
>Are we talking samba permissions or Linux file permissions here?
>I am not sure how this would be accomplished.

Directory permissions of like r-x, gives read and scan, but not write. 
Thus you can open and modify files, but you can't create or delete files
in the directory.