Killed Windows NT Unix

14 Access rights in the file system


Section 13.2 showed how you can use Samba to control access to shares. Here Samba offers options very similar to those of NT, and the analogy between Unix/Samba and NT does not stop there. If the file system shared under NT is formatted with NTFS, you can assign rights to users and groups with the help of Access Control Lists (see Chapter 15). [1]

Unix and Samba work in a similar way: once a user has successfully connected to a share, he exercises his normal rights as a Unix user in the file system. If a user wants to write to a file, both his share rights and his file system rights must permit it. The rights described in section 13.2 cannot extend the underlying Unix rights. Samba can grant write permission for a share, but the accessing user can only actually write to the shared files and directories if Unix also allows him to.

This restriction by Unix rights is an important principle of Samba: Samba does not implement its own access controls in the file system, but relies on the Unix mechanisms. Samba could in theory maintain its own database of access rights, in which the complete NT semantics of Access Control Lists could be stored and enforced. There are two reasons against this approach:

- If Samba implemented file system rights itself, the developers would be responsible for ensuring that they are correctly enforced. Access rights to files are already implemented excellently by the operating system, so why take on the additional complexity? [2]

- As soon as Samba maintains its own ACL database, it applies only to file access via SMB. It is not possible to keep Samba's ACLs in sync with the Unix file system if access from Unix processes is also allowed. If directory trees change without Samba being involved, how is Samba supposed to adjust the ACLs correctly?

Closely interwoven with Unix access rights to files is the handling of DOS attributes in Samba. These attributes are properties of files that do not exist in this form under Unix, but they still exist in the latest Windows versions, and many applications that access a network drive require working attributes. The archive attribute in particular is used by many programs. DOS knows four different attributes that can be assigned to files:

Read-Only: The content of this file can only be read, not written. The file cannot be deleted.

System: This file is intended for special operating system purposes.

Hidden: This file is not displayed by the DIR command.

Archive: The archive bit is set with every write access. Backup programs are free to reset this bit, which makes incremental backups possible.

The write protection bit is not a real protection. All of these bits can be freely set and reset under DOS by any user, so the write protection bit is not to be understood as real access protection, but only as a small aid against operating errors.

[1] With NT, you can also explicitly deny rights, something Unix unfortunately does not offer.

[2] From a marketing point of view, it can be important to implement full NT compatibility, which Samba has not yet offered with the Unix rights model. There are patches that implement their own ACL database. These have been published on the mailing list, but not yet integrated into Samba.

14.1 From DOS Attributes to Unix Rights

Unix carries a set of access rights with every file. These are divided into three classes of users: the file owner, the owning group, and everyone else. Each class can be assigned three rights: read, write and execute. Execute rights are not used under DOS, so they are available for Samba to map the DOS attributes into the Unix file system: Samba converts the attributes to x bits. The write protection bit under DOS has a counterpart in the write permission of the file owner under Unix. Except for the write protection bit, the mapping of the attributes can be controlled with the corresponding map parameters (map archive, map system, map hidden); by default the archive bit is mapped, the other two attributes are not. The conversion is based on the following table:

    Attribute      Unix right   Mask   Parameter     Default
    Read-Only      w owner      -      -             always
    Archive        x owner      100    map archive   yes
    System         x group      010    map system    no
    Hidden         x other      001    map hidden    no

    Table 14.1: Mapping of DOS attributes

Samba must convert these two kinds of file attributes into one another. On the one hand, it must generate the appropriate DOS attributes from the Unix rights for the Windows properties dialog of a file. On the other hand, it must assign Unix rights to newly created files. When a new file is created, the client transfers to the server the DOS attributes with which it would like the file to be created. Samba forms a set of Unix access rights from the client's request. These rights are then restricted by the create mask parameter. The default setting for create mask is 744, which corresponds to rwxr--r--: the file owner has read and write access, everyone else has read access only. Samba restricts the rights by combining the requested set of rights with the create mask in a logical AND operation. Only the rights that are set in the create mask can appear in the newly created file at all.

In a further step, Samba explicitly adds access rights using the parameter force create mode, whose default value is 000. This is done with a logical OR of this value. These relationships become clearer with an example. Suppose you want only the file owner and the group to have read access to newly created files, and the rest of the world not to be able to read them. This is achieved by setting create mask = 740, i.e. masking out the read permission for the rest of the world. It may also be desired that the owning group is granted write access, which can be achieved with force create mode = 020. In table form:

    request                    rw-r--r--
    create mask 740       AND  rwxr-----
                               ---------
                               rw-r-----
    force create mode 020 OR   ----w----
                               ---------
    result                     rw-rw----

The x bit has a different effect on directories than on files. Execute rights on files are not used under DOS, so they can be used to store DOS attributes in the Unix file system. Execute rights on directories, however, affect the behavior of Samba, because they regulate access to the directories. It can therefore be desirable to regulate the assignment of rights to files and directories differently. The two parameters create mask and force create mode therefore only affect newly created files; the parameters directory mask and force directory mode are responsible for directories. The default value for directory mask is 755, so that the group and the rest of the world can enter directories; the default for force directory mode adds no additional rights.

14.2 Example: a project directory

Often a number of users have to be given the option to write together in one share. Samba offers many ways of implementing this, each suited to different situations. A simple project directory for the fibu (financial accounting) group can be implemented as follows:

    [fibu]
        path = /data/fibu
        writeable = yes
        valid users = @fibu, mueller, meier

This gives the fibu group write access to this share. Mueller and Meier, who are not members of financial accounting, are also allowed to write. For problem-free shared access, the assignment of rights must also be regulated in the Unix file system. It is assumed here that in Unix itself only users of the fibu group should access /data/fibu. meier and mueller are not members of the fibu group, but should still be able to write. A special rule must be created for them that cannot be mapped with standard Unix rights. If you wanted to solve this within Unix, you would have to use Access Control Lists (ACLs), which are described in more detail in Chapter 15. In many cases, however, you can get by without ACLs, since Samba with its share settings offers more flexible access rights than Unix offers in the file system.

If you don't have ACLs, there is a very simple way of avoiding any problems with file sharing: the force user parameter. If you want to use this parameter, you should create a separate user for each group share and then hand the shared directory over to that user:

    > mkdir -p /data/fibu
    > useradd fibuuser
    > chown fibuuser /data/fibu/
    > chmod 770 /data/fibu

The share then looks like this:

    [fibu]
        path = /data/fibu
        writeable = yes
        valid users = @fibu, mueller, meier
        force user = fibuuser

With this definition, access control is still carried out normally on the basis of valid users: only the users mentioned there have access to the share. Once access has been granted, however, Samba forgets the name under which the user logged on and uses the user fibuuser for all access to the file system. You no longer have to worry about shared access rights in Unix, since all access takes place under a single user ID anyway. However, you lose traceability, because all files belong to fibuuser; this is also what the corresponding Windows dialog shows.

With a little more effort, you can manage to record the file owner correctly and at the same time allow shared write access. You can create the shared Unix directory /data/fibu with the correct group write rights as follows:

    > mkdir -p /data/fibu
    > groupadd fibu
    > chgrp fibu /data/fibu/
    > chmod 770 /data/fibu

The users of the group fibu can create files in this directory without any problems and also change their own files. However, there are still two problems:

- Mueller and Meier cannot access the directory, because Unix denies them access.

- The users from the fibu group do not necessarily have this group as their primary group, so newly created files may belong to different groups.

The second problem could be solved with the set-group-ID bit on the directory /data/fibu:

    > chmod g+s /data/fibu

mueller and meier would still be left out, because they are not in the group fibu and therefore have no write access to /data/fibu. Both problems can be dealt with with the parameter force group = fibu. This parameter works exactly like force user, except that it applies to the group ID instead of the user ID: every file system access is carried out as the fibu group, while the user ID remains unaffected. The last thing you have to do is make sure that the group, in this case fibu, can always write and that the rest of the world cannot access the files. The complete share definition looks like this:

    [fibu]
        path = /data/fibu
        writeable = yes
        valid users = @fibu, mueller, meier
        force group = fibu
        create mask = 740
        directory mask = 750
        force create mode = 020
        force directory mode = 020

14.3 Global and share parameters

At the latest with the definition of the share [fibu] and its many parameters, it becomes obvious that it can be very tedious to define all these parameters correctly. To get defaults for parameters, you have to understand the difference between global and share parameters. In the smb.conf reference there is a (G) or an (S) after each parameter description. The parameters marked (G) belong in the [global] section, such as the workgroup parameter. The path parameter, on the other hand, is marked with an (S) and therefore belongs in a share definition. If you set share parameters in the [global] section, they become default values for all shares. The various parameters for the file masks could thus be set in the [global] section, which would shorten the individual share definitions considerably. For other shares, however, you would then have to set the changed defaults back to suitable values.

There is another solution for this problem: the parameter copy copies all settings of another share definition into the current share. For example, if you want to create another group share analogous to the [fibu] share, its definition can be much shorter:

    [purchasing]
        copy = fibu
        path = /data/purchasing
        force group = purchasing
        valid users = @purchasing

Only the parameters that differ from the share [fibu] must be set again. Note that the share being copied must be defined earlier in smb.conf than the share that copies it.

14.4 Project directories, second approach

The following problem arises quite often when migrating from Novell NetWare to Samba: under NetWare you can regulate access to directories based on group memberships. This is also possible under Samba using Unix rights. What Unix unfortunately does not provide is the ability to hide directories from users: a user basically sees all directories, but for many of them receives a message that access has been denied. If it were possible to display only those directories to which a user actually has access, based on his group membership, the directory structure would become much clearer. The flexibility of Samba makes it possible to work around this restriction of Unix, with the help of scripts that are executed before a user is connected to a share.

The following scenario is assumed: each user is a member of several groups, each of which can represent a project, a work group or a department. Each of these groups has its own directory under /data/groups to which it can write. The set-group-ID bit is set on each of these directories so that newly created files belong to the respective group. As an example there are the three groups edv, fibu and sales, with the following group directories under /data/groups:

    ls -l
    total 12
    drwxrws---   2 root edv    4096 Jan 31 06:43 edv
    drwxrws---   2 root fibu   4096 Jan 31 06:43 fibu
    drwxrws---   2 root sales  4096 Jan 31 06:43 sales

You can create the directory edv together with its correct access rights as follows:

    mkdir /data/groups/edv
    chgrp edv /data/groups/edv
    chmod 2770 /data/groups/edv

A share that grants every user access to these directories according to his rights can look like this:

    [allgroups]
        path = /data/groups
        writeable = yes
        create mode = 740
        directory mode = 750
        force create mode = 020
        force directory mode = 020

Note that no additional restrictions based on valid users are necessary, because access is restricted by the Unix rights. The parameters create mask and directory mask (create mode and directory mode are synonyms for them) are not strictly necessary either, because unauthorized users are already rejected at the level of the group directories under /data/groups. The parameters force create mode and force directory mode, on the other hand, are necessary: without them, newly created files and directories would not have the group write rights required for joint access. Functionally, this share precisely fulfills the requirement that everyone may write to the directories of the groups he belongs to. The disadvantage of this method is that every user sees all the other directories as well, which can be confusing on large servers with many groups.

Samba's preexec scripts make it possible to display the group structure clearly. A preexec script is run before the user is actually connected to the share:

    [groups]
        path = /data/users/%u
        root preexec = /usr/local/bin/mklinks %U
        writeable = yes

The file mklinks has the following content:

    #!/bin/sh
    # Rebuild the link directory for the user named in $1 (%U from smb.conf)
    umask 022
    cd /data/users || exit 1
    rm -rf "$1"
    mkdir "$1"
    cd "$1" || exit 1
    # one symbolic link per group the user belongs to; id -Gn prints only the
    # group names, whereas on current GNU systems "groups user" prefixes them
    # with "user :"
    for i in $(id -Gn "$1")
    do
        ln -s "/data/groups/$i" .
    done

When a user connects to the share, the directory /data/users/username is freshly created. Inside this directory, a list of symbolic links is created, based on the group membership of the user, that point to the actual group directories. This means that Explorer shows him only the directories to which he actually has access. Specifying path = /data/users/%u also ensures that the share has the same name for all users but refers to a separate directory for each user.

In this example the script is executed as root preexec in order to minimize the administrative effort when creating new users. With a plain preexec without root rights, it would be necessary to create a separate directory with the necessary rights for each user in /data/users. However, this procedure may only be used if the user names are under trustworthy control: the script removes whatever "$1" names, so if it is possible for user names to be obtained from an NIS server, for example, a user name such as ../.. can delete the entire file system. If an NIS server is involved, the procedure must be used without root preexec and only with a preexec without root rights. Alternatively, the directory with the group links could be created in the home directory of the user, although this could affect the clarity of the user directories.

Another argument for running the script with root privileges is to relieve the administrators. Without root rights for the script, a user can completely lock himself out of a group directory by deleting the entire directory including the symbolic link. With the version shown, the directory with the symbolic links belongs to the user root, and operating errors at this level are excluded. If you set the share [allgroups] to browseable = no, you have maximum clarity for users, while the administrator keeps full access to all group directories. If the group memberships of a user change, he can get a new view of the directory structure simply by reconnecting to the share. This reconnection can be forced by killing the correct server process, which you can easily find out with the smbstatus program.
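The text above points out that mklinks, run as root preexec, removes whatever name arrives in $1. As an added example (not the book's script), here is a hardened variant that validates the name before touching anything and keeps the rm -rf confined to the per-user directory under /data/users; USERS_DIR, GROUPS_DIR and the function names are my own, the directory layout is the one from the page.

```shell
#!/bin/sh
# Hardened variant of the mklinks root preexec script (added example, not the
# book's script). Same layout as on the page: per-user link directories under
# /data/users, group directories under /data/groups; the share passes %U as $1.
USERS_DIR=/data/users
GROUPS_DIR=/data/groups

# Accept only names that cannot leave $USERS_DIR or be taken for an option:
# letters, digits, dot, underscore and hyphen, no leading dot or hyphen, at
# most 32 characters. "" and "../.." (the case discussed above) are rejected.
check_username() {
    case "$1" in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Rebuild the link view for user $1. The rm -rf only ever sees ./$1 inside
# $USERS_DIR and is never reached for an unsafe or unknown name.
mklinks() {
    user=$1
    check_username "$user" || { echo "mklinks: refusing name '$user'" >&2; return 1; }
    id "$user" >/dev/null 2>&1 || { echo "mklinks: no such user '$user'" >&2; return 1; }
    cd "$USERS_DIR" || return 1
    umask 022
    rm -rf "./$user"
    mkdir "./$user" && cd "./$user" || return 1
    for g in $(id -Gn "$user"); do
        # link only groups that have a directory, and each of them once
        [ -d "$GROUPS_DIR/$g" ] && [ ! -e "./$g" ] && ln -s "$GROUPS_DIR/$g" .
    done
    return 0
}

if [ "$#" -gt 0 ]; then
    mklinks "$1"
fi
```

Because unknown and malformed names are refused before the rm -rf, this variant can stay a root preexec even where user names come from an outside source, which the page's version cannot.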