ACL, Samba ACL, FTP acl

[da1]

Hell-o you gurus

First, grab a cup of tea/coffee, because this is a long reading.

Info:
FreeBSD 7.1-STABLE
pure-ftpd-1.0.21_4
samba-3.2.8

Now, starting from the tail, this is what I, eventually, want to get at: several accounts (ftpadmin, smbadmin and some more limited ftp accounts) that all have the same parent folder (and some child folders as well) and wich each cp/mv action whatever account makes, all files *will* eventually end up on disk with root:wheel ownage and 770 perm.

I have a folder named /mnt. On this folder I enabled acl.

Code:

# file: mnt
# owner: root
# group: wheel
user::rwx
user:root:rwx
user:smbadmin:rwx
user:ftpadmin:rwx
group::---
mask::rwx
other::---

ls -allh

Code:

drwxrwx---+  8 root  wheel      512B Apr  1 14:18 mnt

As you can see I have a "smbadmin" account. This account has rwx and this it what it does. Together with samba's mod-acl (or whatever it's called) it allowes me to rwx files from a win xp box. Also, when I copy files through samba, files end up with parent unix folder permisions, ownage (root:wheel and 770 - this is recursively ) and also inherit ACL. (viewable as the "+" thinghy). I whant the same for the "ftpadmin" account.

1)Now, thinking samba-like, beetween ftp and the sistem acl there should be a midleman (like samba mod-acl) that converts file ownage from smbadmin(eventually ftpadmin) to root:wheel. Had no luck with that, didn't find no modules/script capable of that.Maybe samba works in some other way that I didn't figure out.

2)Next, I've read about execution bits and applyes these commands

Code:

chmod -R u+s /mnt
chmod -R g+s /mnt

This thing half-solved the problem. In the way that all files/folders created ftom ftp (ftpadmin) ended up on disk being owned by the "wheel" group. Unfortunatelly, the user remained "ftpadmin", and did not inherit ACL (no "+" at end of file permision on "ls -all") No luck with this one either. Maybe misread/misinterprited/misapplyed these commands?

3)Next, followed the crumbs of a ACL permision inheritance for newly created/cp'd/mv'd files. Did some reading and found a thing that I think will solve all my problems, the "default:user::" ACL entry. Unfortunatelly, in FreeBSD this is incorect. I latter read/succesfully tryed these settings on solaris.

So you see, I'm in a bit of a confused state of mind. Have no ideea wich path to take (the ftp samba-like midleman, the chmod way, or maybe the 3rd way of forcing all new files in the /mnt folder to have specific ownage and permisions). To my brain, the 3rd way should be the way to go, but am in definatelly need of some guidance/books something.

In other words...uhm... help !?

[da1]

All this works from a ssh session logged in as root. If I create a file through FTP with ftpadmin usr, newly create files and/or folders still belong to ftpadmin:wheel, but because ACL inherits above permisions it is accessible (rwx) by the smbadmin usr

After googleing for 2 minutes I came across an article that explained the situation (http://www.onlamp.com/pub/a/bsd/2003...ebsd_acls.html).

So basicly " Default ACLs don't work quite like regular ACLs do. You cannot set specific entries on a default ACL until you add the generic user::, group::, and other:: entries."

thus

Code:

setfacl -d -m u::rwx,g::rwx,o::---,m::rwx,u:smbadmin:rwx,u:ftpadmin:rwx,m::rwx mnt

this also "inherits" the parent ACL (-d = "The operations apply to the default ACL entries instead of access ACL entries" <- quoted from the manual). This I didn't know. I had no ideea that in fact there were 2 ACL entryes, a default ACL entry and a access ACL entry.
This unfortunatelly has a draw back (either that or I didn't do something correctly). The drawback is that "getfacl [folder]" doesn't provide an output similar to solaris. This is what I mean... On solaris one would have (notice the default options)

Code:

# file: muzica
# owner: root
# group: wheel
user::rwx
user:smbadmin:rwx
user:ftpadmin:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:wheel:rwx
default:other:---

but on FreeBSD (getfacl [file])I have

Code:

# file: muzica
# owner: root
# group: wheel
user::rwx
user:smbadmin:rwx
user:ftpadmin:rwx
group::---
mask::rwx
other::---

There is no mistake here. On FreeBSD in order to see the default ACL entry one must use "getfacl -d [folder]" instead of simply "getfacl [folder]"


Thus "mkdir test" in /mnt folder provides

Code:

drwxr-x---+  2 root  wheel   512 Apr  1 19:40 test

with that nice looking "+" symbolizing the "inherit" of ACL.Now let's get the acl of that dir to see if it did inherit

Code:

[da1@da1.ro /mnt]# getfacl test
# file: test
# owner: root
# group: wheel
user::rwx
user:smbadmin:rwx               
user:ftpadmin:rwx               
group::rwx              
mask::rwx
other::---

So yes, it did inherit it.

Now, I only set these options for the /mnt folder, if I cd into it, and then into another folder (say /mnt/test) and whant to create another folder (say /mnt/test/test2) this folder will NOT inherit /mnt's ACL. I need to recursively setfacl for all /mnt's subdirectoryes. Remember that long command I did? gotta use it again and this time the total command will be a blast. Here's what to do to apply something recusively:

Now, before the fun, I remember the manual saing something about the "-d" option and that was that "Currently only directories may have default ACL's". With that in mind, I set out to setfacl recursevly only for directories, like so:

Code:

find /mnt -type d -exec setfacl -d -m u::rwx,g::rwx,o::---,m::rwx,u:smbadmin:rwx,u:ftpadmin:rwx,m::rwx {} \;

use the WHOLLE comand (especially the \; (backslash and semicolon)).This particular command will load your hdd until it is finished, but don't panic, it's normal.
All done, let's see

cd into /mnt/programe (programe means programs ) and create a folder

Code:

[da1@da1.ro /mnt]# cd programe
[da1@da1.ro /mnt/programe]# mkdir test5
[da1@da1.ro /mnt/programe]# ls -all | grep test5
drwxr-x---+  2 root  wheel        512 Apr  1 19:54 test5
[da1@da1.ro /mnt/programe]#

Success!


Now let's see the files part. Acording to the manual I cannot set a default ACL for files.

Code:

[da1@da1.ro /mnt]# :> filetest
[da1@da1.ro /mnt]# ls -all | grep filetest
-rw-r-----+  1 root  wheel     0 Apr  1 19:56 filetest
[da1@da1.ro /mnt]# getfacl filetest
# file: filetest
# owner: root
# group: wheel
user::rw-
user:smbadmin:rwx               
user:ftpadmin:rwx               
group::rwx              
mask::rwx
other::---
[da1@da1.ro /mnt]#

Same happens wherever I cd into /mnt. Wherever I create files and/or folders they inherit the parent's ACL. However, on already created files I cannot set default ACL, only access ACL. So if one would whant to add a user to all files in a folder (so that that user would have some permision) they would need

Code:

find /mnt -type f -exec setfacl -m u:usr:---,g:grp:---,m::--- {} \;

you get the picture

All this works from a ssh session logged in as root. If I create a file through FTP with ftpadmin usr, newly create files and/or folders still belong to ftpadmin:wheel, but because ACL inherits above permisions it is accessible (rwx) by the smbadmin usr

[da1]

All this works from a ssh session logged in as root. If I create a file through FTP with ftpadmin usr, newly create files and/or folders still belong to ftpadmin:wheel, but because ACL inherits above permisions it is accessible (rwx) by the smbadmin usr

After googleing for 2 minutes I came across an article that explained the situation (http://www.onlamp.com/pub/a/bsd/2003...ebsd_acls.html).

So basicly " Default ACLs don't work quite like regular ACLs do. You cannot set specific entries on a default ACL until you add the generic user::, group::, and other:: entries."

thus

Code:

setfacl -d -m u::rwx,g::rwx,o::---,m::rwx,u:smbadmin:rwx,u:ftpadmin:rwx,m::rwx mnt

this also "inherits" the parent ACL (-d = "The operations apply to the default ACL entries instead of access ACL entries" <- quoted from the manual). This I didn't know. I had no ideea that in fact there were 2 ACL entryes, a default ACL entry and a access ACL entry.
This unfortunatelly has a draw back (either that or I didn't do something correctly). The drawback is that "getfacl" doesn't provide an output similar to solaris. This is what I mean... On solaris one would have

Code:

# file: muzica
# owner: root
# group: wheel
user::rwx
user:smbadmin:rwx
user:ftpadmin:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:wheel:rwx
default:other:---

but on FreeBSD I have

Code:

# file: muzica
# owner: root
# group: wheel
user::rwx
user:smbadmin:rwx
user:ftpadmin:rwx
group::---
mask::rwx
other::---

Again, maybe I screw up somewere, but "default" works. ACL is inherited; and that's the wholle purpose of that.


Thus "mkdir test" in /mnt folder provides

Code:

drwxr-x---+  2 root  wheel   512 Apr  1 19:40 test

with that nice looking "+" symbolizing the "inherit" of ACL.Now let's get the acl of that dir to see if it did inherit

Code:

[da1@da1.ro /mnt]# getfacl test
# file: test
# owner: root
# group: wheel
user::rwx
user:smbadmin:rwx               
user:ftpadmin:rwx               
group::rwx              
mask::r-x
other::---

So yes, it did inherit it.

Now, I only set these options for the /mnt folder, if I cd into it, and then into another folder (say /mnt/test) and whant to create another folder (say /mnt/test/test2) this folder will NOT inherit /mnt's ACL. I need to recursively setfacl for all /mnt's subdirectoryes. Remember that long command I did? gotta use it again and this time the total command will be a blast. Here's what to do to apply something recusively:

Now, before the fun, I remember the manual saing something about the "-d" option and that was that "Currently only directories may have default ACL's". With that in mind, I set out to setfacl recursevly only for directories, like so:

Code:

find /mnt -type d -exec setfacl -d -m u::rwx,g::rwx,o::---,m::rwx,u:smbadmin:rwx,u:ftpadmin:rwx,m::rwx {} \;

use the WHOLLE comand (especially the \; (backslash and semicolon)).This particular command will load your hdd until it is finished, but don't panic, it's normal.
All done, let's see

cd into /mnt/programe (programe means programs ) and create a folder

Code:

[da1@da1.ro /mnt]# cd programe
[da1@da1.ro /mnt/programe]# mkdir test5
[da1@da1.ro /mnt/programe]# ls -all | grep test5
drwxr-x---+  2 root  wheel        512 Apr  1 19:54 test5
[da1@da1.ro /mnt/programe]#

Success!


Now let's see the files part. Acording to the manual I cannot set a default ACL for files.

Code:

[da1@da1.ro /mnt]# :> filetest
[da1@da1.ro /mnt]# ls -all | grep filetest
-rw-r-----+  1 root  wheel     0 Apr  1 19:56 filetest
[da1@da1.ro /mnt]# getfacl filetest
# file: filetest
# owner: root
# group: wheel
user::rw-
user:smbadmin:rwx               
user:ftpadmin:rwx               
group::rwx              
mask::rwx
other::---
[da1@da1.ro /mnt]#

Same happens wherever I cd into /mnt. Wherever I create files and/or folders they inherit the parent's ACL. However, on already created files I cannot set default ACL, only access ACL. So if one would whant to add a user to all files in a folder (so that that user would have some permision) they would need

Code:

find /mnt -type f -exec setfacl -m u:usr:---,g:grp:---,m::--- {} \;

you get the picture

All this works from a ssh session logged in as root. If I create a file through FTP with ftpadmin usr, newly create files and/or folders still belong to ftpadmin:wheel, but because ACL inherits above permisions it is accessible (rwx) by the smbadmin usr

[da1]

Ok. So as you can see, besides samba and it's mod-acl (or whatever it's called) I need to do much more. Part of this 'take over my entire computer' scheem are some ftp accounts. Easy to say, but harder to achieve because these ftp accounts will share the same folder. Here's the schematics:

/mnt
-/folder1
-...
-/folder5

So I need a total of 6 accounts; one for /mnt folder, and one for each sub-folder it containes. Now, browsing through the internet I could not find a way to achieve this (ran into some problems). First I created the "master" account wich points directly at /mnt. Tested, working. Now, I create an account for each of /mnt's child-folders; cannot connect through ftp whatever I do; no logs/nothing (pure-ftpd with unix authentification). Could not solve this in any way. If any of you have any ideas, do tell. Meen whille I'm on the tail of why doesn't my ftp daemon print anything with '-dd' option set.


So I did a workaround. This consists of 5 ftp accounts pointing at somewere else (I choose /home/ftpacounts/'name') and creating a symbolic link to each folder. It works, yes. However, I'm not satisfied with the way i've done it. I believe that there is (or should be) a "cleaner" way of achieving this. Unfortunatelly, I was unable to find it/figure it out (yet).