[opensuse] Urge creation of a standard documented way to share a directory [WAS Re: Wanna umask inhereted from parent directory]
Top Posting intentionally because much of the context was lost in the
back and forth:
The request is for a shared directory that multiple users can put docs
in and they are automatically given r/w access to the users, but only
those users.
This seems like a common need that we as a community should write-up a
standard solution for. I'm willing to help, but I have not yet used
the wiki, so I don't know where to put it. Also, I would like to get
some consensus on the recommended Suse methodology for having a shared
dir.
FYI:
I took the Redhat admins bootcamp a few years ago and they document a
process similar to what the OP described, but it depends on a umask of
022, whereas opensuse is defaulting to 002, so this really is an opensuse
issue, not totally a generic linux issue.
Joachim has posted what appears to be a good starting point of a wiki
entry that does not require a dangerous universal umask change.
Do people agree that using ACLs is the best approach?
Greg
On 5/23/07, Joachim Schrod
Fajar Priyanto wrote:
However, I don't think setting up the umask globally would be "as safe as" in RH, because Suse doesn't use the concept of UPG (user private group). So, if I set the umask globally, then it means every user can access those files and directory in the "test" directory.
Yes, that's right. This setting is only sensible if you don't use "users" as the group for these accounts, but a specific (different) group.
You mean ACL as in "extended ACL" from setfacl?
Yep. As an example, I use the following ACL setting on a SVN repository directory to ensure that www-data has always read access and group texcatal has write access, on newly created files in that directory tree:
    comedy:~ # getfacl /home/ctan/texcatalogue_svn
    getfacl: Removing leading '/' from absolute path names
    # file: home/ctan/texcatalogue_svn
    # owner: ftpmaint
    # group: server
    user::rwx
    user:www-data:r-x
    group::r-x
    group:texcatal:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:www-data:r-x
    default:group::r-x
    default:group:texcatal:rwx
    default:mask::rwx
    default:other::---
(Btw, this is the SVN repository that drives the TeX-Catalogue, at http://www.ctan.org/tex-archive/help/Catalogue/catalogue.html.)
<snip>
Joachim
-- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Joachim Schrod Email: jschrod@acm.org Roedermark, Germany
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
-- Greg Freemyer The Norcross Group Forensics for the 21st Century
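Added example, not part of the thread or written by its authors: how the default: entries in Joachim's listing become the ACL of a file created in that directory, following the inheritance and access-check rules in acl(5). The function names and the creation mode 0666 are assumptions chosen for illustration.

```python
BITS = {"r": 4, "w": 2, "x": 1}

# Entries copied from the getfacl listing above (owner ftpmaint, owning group server).
LISTING = """\
user::rwx
user:www-data:r-x
group::r-x
group:texcatal:rwx
mask::rwx
other::---
default:user::rwx
default:user:www-data:r-x
default:group::r-x
default:group:texcatal:rwx
default:mask::rwx
default:other::---
"""

def parse(text):
    """Split getfacl entry lines into (access, default) dicts: (tag, name) -> bits."""
    access, default = {}, {}
    for line in text.split():
        *scope, tag, name, perms = line.split(":")
        bits = sum(BITS.get(c, 0) for c in perms)
        (default if scope else access)[(tag, name)] = bits
    return access, default

def new_file_acl(default, mode=0o666):
    """ACL a new file inherits: the default entries, clipped by the creating
    call's mode (assumed 0666 here). The process umask is not consulted."""
    acl = dict(default)
    group_class = ("mask", "") if ("mask", "") in acl else ("group", "")
    for key, shift in ((("user", ""), 6), (group_class, 3), (("other", ""), 0)):
        acl[key] &= (mode >> shift) & 7
    return acl

def allowed(acl, want, user, groups, owner="ftpmaint", owning_group="server"):
    """Access check for a non-root process; `want` is a string such as 'rw'."""
    need = sum(BITS[c] for c in want)
    mask = acl.get(("mask", ""), 7)
    if user == owner:
        return acl[("user", "")] & need == need
    if ("user", user) in acl:
        return acl[("user", user)] & mask & need == need
    hits = [b for (tag, name), b in acl.items()
            if tag == "group" and (name or owning_group) in groups]
    if hits:
        return any(b & mask & need == need for b in hits)
    return acl[("other", "")] & need == need
```

On a new file the mask is clipped to rw- by the creation mode, so www-data ends up with read only and members of texcatal with read/write, whatever umask the creating process runs with.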
On Friday 25 May 2007 12:57, Greg Freemyer wrote:
Do people agree that using ACLs is the best approach?
Yes.
However, in all seriousness, I have never seen a practical example where using the standard unix permission bits, with careful assignment of user groups, does not work. ACLs on the other hand do seem to offer a level of organizational flexibility that is appealing. And automating any of this is just a matter of scripting imagination and time.
-- Kind regards, M Harris <><
On 26/05/07, M Harris
On Friday 25 May 2007 12:57, Greg Freemyer wrote:
Do people agree that using ACLs is the best approach?
Yes.
However, in all seriousness, I have never seen a practical example where using the standard unix permission bits, with careful assignment of user groups, does not work.
It does not work if you are not the admin, and so cannot create groups. If one limited user wants to share their files with one specific other limited user, without letting other members of the group have access then they need ACLs. Unless you have a group for every user.
_ Benjamin Weber
On 26/05/07 08:30 +0100, Benji Weber wrote:
It does not work if you are not the admin, and so cannot create groups. If one limited user wants to share their files with one specific other limited user, without letting other members of the group have access then they need ACLs. Unless you have a group for every user.
The latter being the default in debian. Still not sure how this solves the problem though - without administrative rights how would you add a user to your group? Also, you still can't control which members of your group you'd like to have access to specific items without making it available to all members of your group.
Craig
On Friday 25 May 2007 12:57, Greg Freemyer wrote: ....
The request is for a shared directory that multiple users can put docs in and they are automatically given r/w access to the users, but only those users.
This seems like a common need that we as a community should write-up a standard solution for. I'm willing to help, but I have not yet used the wiki, so I don't know where to put it. Also, I would like to get some consensus on the recommended Suse methodology for having a shared dir.
You can create an article with the title "Creating shared directory" and list it in http://en.opensuse.org/HOWTOs or "SDB:Creating shared directory", but look in http://en.opensuse.org/SDB:Howto for details on how to write the SDB article. Note that SDB: means the SDB namespace as defined in http://www.mediawiki.org/wiki/Help:Namespaces but SDB is the one specific to opensuse.org. ....
-- Regards, Rajko.
On Saturday 26 May 2007 00:57, Greg Freemyer wrote:
FYI: I took the Redhat admins bootcamp a few years ago and they document a process similar to what the OP described, but it depends on a umask of 022, whereas opensuse is defaulting to 002, so this really is an opensuse issue, not totally a generic linux issue.
Joachim has posted what appears to be a good starting point of a wiki entry that does not require a dangerous universal umask change.
Do people agree that using ACLs is the best approach?
Hello Greg,
After experimenting with ACL, I think we can create the similar result from RedHat case regarding shared directories.
So, here's the scenario:
3 groups: sales, finance, management
- sales and finance can ONLY access their designated directories
- management has FULL access to sales and finance directories
- User in the same group can modify each other's files, but ONLY owner can delete files.
So, in order to achieve that, we need to set:
- Each file and directory created by the user should be owned by his group
- Each file and directory created by the user should be modifiable by peers in his group
Here's the steps (as root):
1. creating groups:
    groupadd sales
    groupadd finance
2. creating users:
    useradd -g sales sales1
    useradd -g sales sales2
    useradd -g finance finance1
    useradd -g finance finance2
3. creating directories:
    mkdir -p /sharedir/{sales,finance}
4. setting ownership and permission on directories:
    chown .sales /sharedir/sales
    chown .finance /sharedir/finance
    chmod 3770 /sharedir/{sales,finance}
   (The 3770 gives sticky bit so that only owner can delete, and sgid for inherit ownership from parent dir)
5. Setting ACL:
    setfacl -d -m group:sales:rw /sharedir/sales
    setfacl -d -m group:finance:rw /sharedir/finance
6. Testing:
- Switch to each user by su -, and then try to enter sales and finance dir. Should be successful only on dir with the same group.
- Switch to each user by su -, and then try to create file in the designated dir, and then switch to other user in the same group and try to modify the file, should be successful.
- Still as the above user, try to delete other's file, should be failed
Well, I guess that's it. As a RedHat admin point of view, this procedure seems to be a bit 'unnecessary'. But, after a second thought, I think this shows that Suse has been utilizing many recent features of Linux. Bravo Suse!
CMIIW, -- Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org 8:11am up 1:49, 2.6.18.2-34-default GNU/Linux Let's use OpenOffice. http://www.openoffice.org
On Sunday 27 May 2007 08:12, Fajar Priyanto wrote:
5. Setting ACL:
    setfacl -d -m group:sales:rw /sharedir/sales
    setfacl -d -m group:finance:rw /sharedir/finance
Ugh, I forgot the management guys:
    groupadd management
    useradd -g management boss1
    setfacl -d -m group:management:rw /sharedir/{sales,finance}
Testing as boss1 to enter sales and finance dir, and modify some files. It should work.
Bravo Suse!
CMIIW, -- Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org 9:04am up 2:41, 2.6.18.2-34-default GNU/Linux Let's use OpenOffice. http://www.openoffice.org
On 2007-05-26 20:04, Fajar Priyanto wrote:
On Sunday 27 May 2007 08:12, Fajar Priyanto wrote:
5. Setting ACL:
    setfacl -d -m group:sales:rw /sharedir/sales
    setfacl -d -m group:finance:rw /sharedir/finance
Ugh, I forgot the management guys:
    groupadd management
    useradd -g management boss1
    setfacl -d -m group:management:rw /sharedir/{sales,finance}
Testing as boss1 to enter sales and finance dir, and modify some files. It should work.
Good explanation (it must be, since I was able to understand it :-) ) Following this thread, I think I saved myself a lot of grief trying to read manpages, etc. Would you care to document this now on the opensuse Wiki? :-)
-- Moral indignation is jealousy with a halo. -- HG Wells
On Sunday 27 May 2007 11:40, Darryl Gregorash wrote:
Good explanation (it must be, since I was able to understand it :-) ) Following this thread, I think I saved myself a lot of grief trying to read manpages, etc.
Would you care to document this now on the opensuse Wiki? :-)
http://en.opensuse.org/User_talk:Fajarpri Pls expand/correct it, as I'm very new on how to use the wiki. Salut, -- Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org 1:49pm up 7:27, 2.6.18.2-34-default GNU/Linux Let's use OpenOffice. http://www.openoffice.org
On 5/27/07, Fajar Priyanto
On Sunday 27 May 2007 11:40, Darryl Gregorash wrote:
Good explanation (it must be, since I was able to understand it :-) ) Following this thread, I think I saved myself a lot of grief trying to read manpages, etc.
Would you care to document this now on the opensuse Wiki? :-)
http://en.opensuse.org/User_talk:Fajarpri Pls expand/correct it, as I'm very new on how to use the wiki. Salut, -- Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org 1:49pm up 7:27, 2.6.18.2-34-default GNU/Linux Let's use OpenOffice. http://www.openoffice.org
Fajar, I took a look at what you did and the write-up looks good to me. (I made one small change but I did not actually test the procedure. I assume it works.) I'm new to adding content to the wiki too, but it looks like you are following the Howto guidelines: http://en.opensuse.org/Help:Writing_HOWTO I guess it needs to go at the end of the list of Howtos: http://en.opensuse.org/Howto#Yet_to_be_indexed_Howtos How does it get there?
Greg
-- Greg Freemyer The Norcross Group Forensics for the 21st Century
On 5/29/07, Greg Freemyer
On 5/27/07, Fajar Priyanto
wrote: On Sunday 27 May 2007 11:40, Darryl Gregorash wrote:
Good explanation (it must be, since I was able to understand it :-) ) Following this thread, I think I saved myself a lot of grief trying to read manpages, etc.
Would you care to document this now on the opensuse Wiki? :-)
http://en.opensuse.org/User_talk:Fajarpri Pls expand/correct it, as I'm very new on how to use the wiki. Salut, -- Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org 1:49pm up 7:27, 2.6.18.2-34-default GNU/Linux Let's use OpenOffice. http://www.openoffice.org
Fajar,
I took a look at what you did and the write-up looks good to me. (I made one small change but I did not actually test the procedure. I assume it works.)
All,
I tried to click discussion on Fajar's page and put this there, but it did not seem to work. Surely there is a way to discuss a new howto without having to do it here?
===> Howto issues
I tested the concepts in the write-up using existing users.
On an XFS volume it works. On ext3 by default, it does not (ie. ACLs not supported).
Per an old suse 8.1 article it needs to be enabled for ext3. http://en.opensuse.org/SDB:POSIX_Access_Control_List_%28ACL%29_Support
I added a first step that says to enable ACLs and points to the above. Likely that needs fleshing out.
Also, it looks like that ACL article may need an update to something written in the last couple years.
Greg
-- Greg Freemyer The Norcross Group Forensics for the 21st Century
On Wednesday 30 May 2007 06:37, Greg Freemyer wrote:
All,
I tried to click discussion on Fajar's page and put this there, but it did not seem to work. Surely there is a way to discuss a new howto without having to do it here?
Hello Greg, I guess it's better if we put the howto into the root directory? Because I notice when we 'search' for article, User's talk is not included by default. So I have put it in http://en.opensuse.org/How_to_share_directories_between_groups_of_users_usin... with all the latest updates, please edit it if you find anything missing.
===> Howto issues I tested the concepts in the write-up using existing users.
On an XFS volume it works. On ext3 by default, it does not (ie. ACLs not supported).
Per an old suse 8.1 article it needs to be enabled for ext3. http://en.opensuse.org/SDB:POSIX_Access_Control_List_%28ACL%29_Support
On Opensuse10.2 I notice that ACL support is enabled by default in the /etc/fstab:
    /dev/sda2 / ext3 acl,user_xattr 1 1
    /dev/sda3 /home ext3 acl,user_xattr 1 2
I added a first step that says to enable ACLs and points to the above. Likely that needs fleshing out.
I added the example of the content of /etc/fstab to check whether ACL is enabled.
Also, it looks like that ACL article may need an update to something written in the last couple years.
Good idea. It will give good impression too to the new users. Thanks. -- Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org 6:59am up 0:40, 2.6.18.2-34-default GNU/Linux Let's use OpenOffice. http://www.openoffice.org
On 5/29/07, Fajar Priyanto
On Wednesday 30 May 2007 06:37, Greg Freemyer wrote:
All,
I tried to click discussion on Fajar's page and put this there, but it did not seem to work. Surely there is a way to discuss a new howto without having to do it here?
Hello Greg, I guess it's better if we put the howto into the root directory? Because I notice when we 'search' for article, User's talk is not included by default. So I have put it in http://en.opensuse.org/How_to_share_directories_between_groups_of_users_usin... with all the latest updates, please edit it if you find anything missing.
Great. Now that it is moved the "discussion" button on the bottom brings us a page. I added some comments there and added that page to my watch list. That way we can continue to tweak that Howto without having to bother the whole list. Please read that discussion page. FYI: In the footer of the new howto it shows that the page has already been accessed 99 times. Several of those were likely me, but it seems other people are looking at it as well.
===> Howto issues I tested the concepts in the write-up using existing users.
On an XFS volume it works. On ext3 by default, it does not (ie. ACLs not supported).
Per an old suse 8.1 article it needs to be enabled for ext3. http://en.opensuse.org/SDB:POSIX_Access_Control_List_%28ACL%29_Support
On Opensuse10.2 I notice that ACL support is enabled by default in the /etc/fstab:
    /dev/sda2 / ext3 acl,user_xattr 1 1
    /dev/sda3 /home ext3 acl,user_xattr 1 2
I added a first step that says to enable ACLs and points to the above. Likely that needs fleshing out.
I added the example of the content of /etc/fstab to check whether ACL is enabled.
I tweaked this some.
Also, it looks like that ACL article may need an update to something written in the last couple years.
Good idea. It will give good impression too to the new users. Thanks. -- Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org 6:59am up 0:40, 2.6.18.2-34-default GNU/Linux Let's use OpenOffice. http://www.openoffice.org
Greg
-- Greg Freemyer The Norcross Group Forensics for the 21st Century
participants (7)
- Benji Weber
- Craig Millar
- Darryl Gregorash
- Fajar Priyanto
- Greg Freemyer
- M Harris
- Rajko M.