DaemonForums  

#1
Old 1st April 2009
da1 (Berlin, DE)
ACL, Samba ACL, FTP acl

Hell-o you gurus

First, grab a cup of tea/coffee, because this is a long reading.

Info:
FreeBSD 7.1-STABLE
pure-ftpd-1.0.21_4
samba-3.2.8

Now, starting from the tail, this is what I eventually want to get at: several accounts (ftpadmin, smbadmin and some more limited ftp accounts) that all have the same parent folder (and some child folders as well), and with each cp/mv action, whichever account makes it, all files *will* eventually end up on disk with root:wheel ownership and 770 permissions.

I have a folder named /mnt. On this folder I enabled acl.
Code:
# file: mnt
# owner: root
# group: wheel
user::rwx
user:root:rwx
user:smbadmin:rwx
user:ftpadmin:rwx
group::---
mask::rwx
other::---
ls -allh
Code:
drwxrwx---+  8 root  wheel      512B Apr  1 14:18 mnt
As you can see I have a "smbadmin" account. This account has rwx and this is what it does. Together with samba's mod-acl (or whatever it's called) it allows me to rwx files from a Win XP box. Also, when I copy files through samba, files end up with the parent unix folder's permissions and ownership (root:wheel and 770 - this is recursive) and also inherit the ACL (viewable as the "+" thingy). I want the same for the "ftpadmin" account.

1) Now, thinking samba-like, between ftp and the system ACL there should be a middleman (like samba's mod-acl) that converts file ownership from smbadmin (eventually ftpadmin) to root:wheel. Had no luck with that; didn't find any modules/scripts capable of that. Maybe samba works in some other way that I didn't figure out.

2) Next, I've read about execution bits and applied these commands
Code:
chmod -R u+s /mnt
chmod -R g+s /mnt
This half-solved the problem, in the sense that all files/folders created from ftp (ftpadmin) ended up on disk owned by the "wheel" group. Unfortunately, the user remained "ftpadmin", and they did not inherit the ACL (no "+" at the end of the file permissions in "ls -all"). No luck with this one either. Maybe I misread/misinterpreted/misapplied these commands?

3) Next, I followed the crumbs of ACL permission inheritance for newly created/cp'd/mv'd files. Did some reading and found a thing that I think will solve all my problems, the "default:user::" ACL entry. Unfortunately, in FreeBSD this is incorrect. I later read about/successfully tried these settings on Solaris.

So you see, I'm in a bit of a confused state of mind. I have no idea which path to take (the ftp samba-like middleman, the chmod way, or maybe the 3rd way of forcing all new files in the /mnt folder to have specific ownership and permissions). To my brain, the 3rd way should be the way to go, but I am definitely in need of some guidance/books/something.

In other words...uhm... help !?

Last edited by da1; 1st April 2009 at 07:29 PM.
#2
Old 1st April 2009
da1
UPDATE #1

All this works from an ssh session logged in as root. If I create a file through FTP with the ftpadmin user, newly created files and/or folders still belong to ftpadmin:wheel, but because the ACL inherits the above permissions it is accessible (rwx) by the smbadmin user.

After googling for 2 minutes I came across an article that explained the situation (http://www.onlamp.com/pub/a/bsd/2003...ebsd_acls.html).

So basically: "Default ACLs don't work quite like regular ACLs do. You cannot set specific entries on a default ACL until you add the generic user::, group::, and other:: entries."

thus
Code:
setfacl -d -m u::rwx,g::rwx,o::---,m::rwx,u:smbadmin:rwx,u:ftpadmin:rwx,m::rwx mnt
this also "inherits" the parent ACL (-d = "The operations apply to the default ACL entries instead of access ACL entries" <- quoted from the manual). This I didn't know. I had no idea that in fact there were 2 ACL entries, a default ACL entry and an access ACL entry.
This unfortunately has a drawback (either that or I didn't do something correctly). The drawback is that "getfacl [folder]" doesn't provide output similar to Solaris. This is what I mean... On Solaris one would have (notice the default entries)
Code:
# file: muzica
# owner: root
# group: wheel
user::rwx
user:smbadmin:rwx
user:ftpadmin:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:wheel:rwx
default:other:---
but on FreeBSD (getfacl [file]) I have
Code:
# file: muzica
# owner: root
# group: wheel
user::rwx
user:smbadmin:rwx
user:ftpadmin:rwx
group::---
mask::rwx
other::---
There is no mistake here. On FreeBSD, in order to see the default ACL entries one must use "getfacl -d [folder]" instead of simply "getfacl [folder]".


Thus "mkdir test" in the /mnt folder gives
Code:
drwxr-x---+  2 root  wheel   512 Apr  1 19:40 test
with that nice looking "+" symbolizing the "inherit" of the ACL. Now let's get the ACL of that dir to see if it did inherit

Code:
[da1@da1.ro /mnt]# getfacl test
# file: test
# owner: root
# group: wheel
user::rwx
user:smbadmin:rwx               
user:ftpadmin:rwx               
group::rwx              
mask::rwx
other::---
So yes, it did inherit it.

Now, I only set these options for the /mnt folder; if I cd into it, and then into another folder (say /mnt/test) and want to create another folder (say /mnt/test/test2), this folder will NOT inherit /mnt's ACL. I need to recursively setfacl for all /mnt's subdirectories. Remember that long command I did? Gotta use it again, and this time the total command will be a blast. Here's what to do to apply something recursively:

Now, before the fun, I remember the manual saying something about the "-d" option, and that was that "Currently only directories may have default ACL's". With that in mind, I set out to setfacl recursively only for directories, like so:

Code:
find /mnt -type d -exec setfacl -d -m u::rwx,g::rwx,o::---,m::rwx,u:smbadmin:rwx,u:ftpadmin:rwx,m::rwx {} \;
use the WHOLE command (especially the \; (backslash and semicolon)). This particular command will load your hdd until it is finished, but don't panic, it's normal.
All done, let's see

cd into /mnt/programe (programe means programs) and create a folder
Code:
[da1@da1.ro /mnt]# cd programe
[da1@da1.ro /mnt/programe]# mkdir test5
[da1@da1.ro /mnt/programe]# ls -all | grep test5
drwxr-x---+  2 root  wheel        512 Apr  1 19:54 test5
[da1@da1.ro /mnt/programe]#
Success!


Now let's see the files part. According to the manual I cannot set a default ACL for files.
Code:
[da1@da1.ro /mnt]# :> filetest
[da1@da1.ro /mnt]# ls -all | grep filetest
-rw-r-----+  1 root  wheel     0 Apr  1 19:56 filetest
[da1@da1.ro /mnt]# getfacl filetest
# file: filetest
# owner: root
# group: wheel
user::rw-
user:smbadmin:rwx               
user:ftpadmin:rwx               
group::rwx              
mask::rwx
other::---
[da1@da1.ro /mnt]#
The same happens wherever I cd into under /mnt. Wherever I create files and/or folders they inherit the parent's ACL. However, on already created files I cannot set a default ACL, only an access ACL. So if one would want to add a user to all files in a folder (so that that user would have some permission) they would need
Code:
find /mnt -type f -exec setfacl -m u:usr:---,g:grp:---,m::--- {} \;
you get the picture

All this works from an ssh session logged in as root. If I create a file through FTP with the ftpadmin user, newly created files and/or folders still belong to ftpadmin:wheel, but because the ACL inherits the above permissions it is accessible (rwx) by the smbadmin user.

Last edited by da1; 2nd April 2009 at 03:28 PM.
#3
Old 1st April 2009
da1
ACL inheritance on files/folders [SOLVED]

All this works from an ssh session logged in as root. If I create a file through FTP with the ftpadmin user, newly created files and/or folders still belong to ftpadmin:wheel, but because the ACL inherits the above permissions it is accessible (rwx) by the smbadmin user.

After googling for 2 minutes I came across an article that explained the situation (http://www.onlamp.com/pub/a/bsd/2003...ebsd_acls.html).

So basically: "Default ACLs don't work quite like regular ACLs do. You cannot set specific entries on a default ACL until you add the generic user::, group::, and other:: entries."

thus
Code:
setfacl -d -m u::rwx,g::rwx,o::---,m::rwx,u:smbadmin:rwx,u:ftpadmin:rwx,m::rwx mnt
this also "inherits" the parent ACL (-d = "The operations apply to the default ACL entries instead of access ACL entries" <- quoted from the manual). This I didn't know. I had no idea that in fact there were 2 ACL entries, a default ACL entry and an access ACL entry.
This unfortunately has a drawback (either that or I didn't do something correctly). The drawback is that "getfacl" doesn't provide output similar to Solaris. This is what I mean... On Solaris one would have
Code:
# file: muzica
# owner: root
# group: wheel
user::rwx
user:smbadmin:rwx
user:ftpadmin:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:wheel:rwx
default:other:---
but on FreeBSD I have
Code:
# file: muzica
# owner: root
# group: wheel
user::rwx
user:smbadmin:rwx
user:ftpadmin:rwx
group::---
mask::rwx
other::---
Again, maybe I screwed up somewhere, but "default" works. The ACL is inherited, and that's the whole purpose of it.


Thus "mkdir test" in the /mnt folder gives
Code:
drwxr-x---+  2 root  wheel   512 Apr  1 19:40 test
with that nice looking "+" symbolizing the "inherit" of the ACL. Now let's get the ACL of that dir to see if it did inherit

Code:
[da1@da1.ro /mnt]# getfacl test
# file: test
# owner: root
# group: wheel
user::rwx
user:smbadmin:rwx               
user:ftpadmin:rwx               
group::rwx              
mask::r-x
other::---
So yes, it did inherit it.

Now, I only set these options for the /mnt folder; if I cd into it, and then into another folder (say /mnt/test) and want to create another folder (say /mnt/test/test2), this folder will NOT inherit /mnt's ACL. I need to recursively setfacl for all /mnt's subdirectories. Remember that long command I did? Gotta use it again, and this time the total command will be a blast. Here's what to do to apply something recursively:

Now, before the fun, I remember the manual saying something about the "-d" option, and that was that "Currently only directories may have default ACL's". With that in mind, I set out to setfacl recursively only for directories, like so:

Code:
find /mnt -type d -exec setfacl -d -m u::rwx,g::rwx,o::---,m::rwx,u:smbadmin:rwx,u:ftpadmin:rwx,m::rwx {} \;
use the WHOLE command (especially the \; (backslash and semicolon)). This particular command will load your hdd until it is finished, but don't panic, it's normal.
All done, let's see

cd into /mnt/programe (programe means programs) and create a folder
Code:
[da1@da1.ro /mnt]# cd programe
[da1@da1.ro /mnt/programe]# mkdir test5
[da1@da1.ro /mnt/programe]# ls -all | grep test5
drwxr-x---+  2 root  wheel        512 Apr  1 19:54 test5
[da1@da1.ro /mnt/programe]#
Success!


Now let's see the files part. According to the manual I cannot set a default ACL for files.
Code:
[da1@da1.ro /mnt]# :> filetest
[da1@da1.ro /mnt]# ls -all | grep filetest
-rw-r-----+  1 root  wheel     0 Apr  1 19:56 filetest
[da1@da1.ro /mnt]# getfacl filetest
# file: filetest
# owner: root
# group: wheel
user::rw-
user:smbadmin:rwx               
user:ftpadmin:rwx               
group::rwx              
mask::rwx
other::---
[da1@da1.ro /mnt]#
The same happens wherever I cd into under /mnt. Wherever I create files and/or folders they inherit the parent's ACL. However, on already created files I cannot set a default ACL, only an access ACL. So if one would want to add a user to all files in a folder (so that that user would have some permission) they would need
Code:
find /mnt -type f -exec setfacl -m u:usr:---,g:grp:---,m::--- {} \;
you get the picture

All this works from an ssh session logged in as root. If I create a file through FTP with the ftpadmin user, newly created files and/or folders still belong to ftpadmin:wheel, but because the ACL inherits the above permissions it is accessible (rwx) by the smbadmin user.

Last edited by da1; 2nd April 2009 at 03:29 PM.
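One detail of the `getfacl test` output in this post deserves a closer look: the inherited entry is `mask::r-x`. Under POSIX.1e the mask caps the named users, the owning group and any named groups, so `user:smbadmin:rwx` is effectively r-x on that directory even though the entry reads rwx; only `user::` and `other::` escape the mask. The following is an added example, not code from the thread, FreeBSD or Solaris: a small Python parser for getfacl output that accepts both the FreeBSD form (where `getfacl -d` prints default entries without a prefix) and the Solaris-style `default:` prefixed entries shown above, computes the effective permission of every entry, and checks the rule quoted from the ONLamp article (a default ACL needs the generic user::, group:: and other:: entries, plus a mask:: once it carries named entries). The sample getfacl text is constructed from this post's values.

```python
"""Parse getfacl(1) text output and audit the ACL it describes.

Added helper, not from the thread. Understands `user:smbadmin:rwx` style
entries, optional `default:` prefixes, and Solaris's `other:---`/`mask:rwx`
spelling that omits the empty qualifier field.
"""
from dataclasses import dataclass
from typing import Dict, List

TAGS = ("user", "group", "mask", "other")


@dataclass(frozen=True)
class AclEntry:
    default: bool    # True: default ACL entry, inherited by new children
    tag: str         # "user", "group", "mask" or "other"
    qualifier: str   # name for named entries; "" for user::/group::/mask::/other::
    perms: str       # "rwx", "r-x", "---", ...


def parse_getfacl(text: str, default: bool = False) -> List[AclEntry]:
    """Parse getfacl output. Pass default=True for FreeBSD `getfacl -d` output,
    whose entries carry no `default:` prefix."""
    entries: List[AclEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # "# file:", "# owner:", "# group:" header lines
        is_default = default
        if line.startswith("default:"):
            is_default, line = True, line[len("default:"):]
        parts = line.split(":")
        if len(parts) == 2 and parts[0] in ("mask", "other"):
            parts.insert(1, "")  # Solaris prints mask:rwx / other:--- without the empty field
        if len(parts) != 3 or parts[0] not in TAGS:
            raise ValueError(f"malformed ACL entry: {raw!r}")
        tag, qualifier, perms = parts
        if len(perms) != 3 or any(c not in "rwx-" for c in perms):
            raise ValueError(f"bad permission field in: {raw!r}")
        entries.append(AclEntry(is_default, tag, qualifier, perms))
    return entries


def _and_perms(a: str, b: str) -> str:
    """Bitwise AND of two rwx strings, position by position."""
    return "".join(x if x == y and x != "-" else "-" for x, y in zip(a, b))


def effective_perms(entries: List[AclEntry], default: bool = False) -> Dict[str, str]:
    """What each entry actually grants once mask:: is applied. POSIX.1e masks
    named users, the owning group and named groups; user:: and other:: are not masked."""
    chosen = [e for e in entries if e.default == default]
    mask = next((e.perms for e in chosen if e.tag == "mask"), None)
    result: Dict[str, str] = {}
    for e in chosen:
        if e.tag == "mask":
            continue
        masked = e.tag == "group" or (e.tag == "user" and e.qualifier != "")
        perms = _and_perms(e.perms, mask) if (masked and mask is not None) else e.perms
        result[f"{e.tag}:{e.qualifier}"] = perms
    return result


def default_acl_problems(entries: List[AclEntry]) -> List[str]:
    """Apply the rule quoted in the thread to the default ACL entries."""
    defaults = [e for e in entries if e.default]
    if not defaults:
        return ["no default ACL: new files and directories inherit nothing"]
    present = {(e.tag, e.qualifier) for e in defaults}
    problems = [f"default ACL lacks the generic {tag}:: entry"
                for tag in ("user", "group", "other") if (tag, "") not in present]
    if any(e.qualifier for e in defaults) and ("mask", "") not in present:
        problems.append("default ACL has named entries but no mask:: entry")
    return problems


# Constructed sample: the access ACL of /mnt/test from this post (mask r-x),
# plus default entries matching the setfacl -d command used in the thread.
SAMPLE_GETFACL = """\
# file: test
# owner: root
# group: wheel
user::rwx
user:smbadmin:rwx
user:ftpadmin:rwx
group::rwx
mask::r-x
other::---
default:user::rwx
default:user:smbadmin:rwx
default:user:ftpadmin:rwx
default:group::rwx
default:mask::rwx
default:other::---
"""

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    for who, perms in effective_perms(acl).items():
        print(f"{who:<16} effective {perms}")
    print("default ACL problems:", default_acl_problems(acl) or "none")
```

Feed it `getfacl dir` output to see who really gets what, and `getfacl -d dir` output with `default=True` to confirm the inheritance template is complete before running a recursive setfacl over a whole tree.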
#4
Old 3rd April 2009
da1
multiple ftp accounts into one folder - workaround [SOLVED]

Ok. So as you can see, besides samba and its mod-acl (or whatever it's called) I need to do much more. Part of this 'take over my entire computer' scheme are some ftp accounts. Easy to say, but harder to achieve because these ftp accounts will share the same folder. Here's the schematics:

/mnt
-/folder1
-...
-/folder5

So I need a total of 6 accounts; one for the /mnt folder, and one for each sub-folder it contains. Now, browsing through the internet I could not find a way to achieve this (ran into some problems). First I created the "master" account which points directly at /mnt. Tested, working. Now, I create an account for each of /mnt's child folders; cannot connect through ftp whatever I do; no logs/nothing (pure-ftpd with unix authentication). Could not solve this in any way. If any of you have any ideas, do tell. Meanwhile I'm on the tail of why my ftp daemon doesn't print anything with the '-dd' option set.


So I did a workaround. This consists of 5 ftp accounts pointing somewhere else (I chose /home/ftpacounts/'name') and creating a symbolic link to each folder. It works, yes. However, I'm not satisfied with the way I've done it. I believe that there is (or should be) a "cleaner" way of achieving this. Unfortunately, I was unable to find it/figure it out (yet).

Last edited by da1; 3rd April 2009 at 10:17 PM.