ACL always sets the group execute permission on files (Samba)


I have some users in the group "sambashare" and some in the group "sambashareAdmin". Only users in "sambashareAdmin" are allowed to change/create content.

All files should belong to haegarthehorrible:sambashare, regardless of whether I create them on the server or move/copy them to the server.

The problem is that if the Windows workstation user (paradise) does this, all files get the execute permission for the group (670/-rw-rwx---) instead of 660/-rw-rw----.

I tried "obey pam restrictions" with yes and no in samba, which made no difference. I also tried "create mask" and "directory mask", or "force create mode" and "force directory mode", or both together.

I tried chmod g+s and g+s,u+s.

I tried complicated things like:

~$ sudo chmod -R a-x,u=rX,g=rX,u+w,g+w /mnt/pool/Share/Backup
~$ sudo chmod -R a-x,u=rwX,g=rwX /mnt/pool/Share/Backup

And interestingly, if I use "rwX" instead of "rw" (chmod or setfacl), I get execute on the owner permissions. I thought X only set it on directories?

So it now looks very complicated, but still doesn't work. Keep in mind that these are directories that already contain files/directories.

~$ sudo nano /etc/samba/smb.conf
[global]
   server string = Harvester
   server role = standalone server
   server min protocol = SMB2
   workgroup = WORKGROUP
   interfaces = lo enp0s31f6
   bind interfaces only = yes
   logging = file
   log file = /var/log/samba/log.%m
   max log size = 1000
   load printers = no
   show add printer wizard = no
   disable netbios = yes
   dns proxy = no
   deadtime = 30
   smb ports = 445
   smb encrypt = off
   security = user
   obey pam restrictions = yes
   panic action = /usr/share/samba/panic-action %d
   use sendfile = yes
   directory mask = 2750
   create mask = 0640
   access based share enum = yes
   map to guest = bad user
   guest account = shareguest

[Backup]
   path = /mnt/pool/Share/Backup
   guest ok = no
   browseable = no
   create mask = 0660
   directory mask = 2770
   force group = sambashare
   force user = haegarthehorrible
   write list = @sambashareAdmin
   valid users = haegarthehorrible paradise
   inherit acls = Yes

Setting the permissions:

~$ sudo chown -R haegarthehorrible:sambashare /mnt/pool/Share/Backup
~$ sudo setfacl -R -b -k -n /mnt/pool/Share/Backup                         # Remove ACL
~$ sudo chmod -R g+s,u+s /mnt/pool/Share/Backup
~$ sudo chmod 0770 /mnt/pool/Share/Backup
~$ sudo find /mnt/pool/Share/Backup -type f -exec chmod 660 {} \;
~$ sudo find /mnt/pool/Share/Backup -type d -exec chmod 2770 {} \;
~$ sudo setfacl -R -d -m u::rw,g::rw,u:haegarthehorrible:rw,g:sambashareAdmin:rw /mnt/pool/Share/Backup  # ACL for new items
~$ sudo setfacl -R -m u:haegarthehorrible:rw,g:sambashareAdmin:rw /mnt/pool/Share/Backup                 # ACL for old/existing items

Members of sambashareAdmin:

~$ members sambashareAdmin
haegarthehorrible paradise

Members of sambashare:

~$ members sambashare
shareguest watcher

Permissions of the share's root folder:

~$ ls -ld /mnt/pool/Share
drwxr-xr-x 7 root root 4096 Aug  7  2023 /mnt/pool/Share

~$ stat /mnt/pool/Share
Access: (0755/drwxr-xr-x)  Uid: (0/root)  Gid: (0/root)

~$ getfacl /mnt/pool/Share
# file: mnt/pool/Share
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

Share permissions:

~$ ls -ld /mnt/pool/Share/Backup
drwsrws---+ 5 haegarthehorrible sambashare 4096 Apr 25  2022 /mnt/pool/Share/Backup

~$ stat /mnt/pool/Share/Backup
Access: (6770/drwsrws---)  Uid: (1000/haegarthehorrible)  Gid: (996/sambashare)

~$ getfacl /mnt/pool/Share/Backup
# file: mnt/pool/Share/Backup
# owner: haegarthehorrible
# group: sambashare
# flags: ss-
user::rwx
group::rwx
other::---
default:user::rw-
default:user:haegarthehorrible:rw-
default:group::rw-
default:group:sambashareAdmin:rw-
default:mask::rw-
default:other::---

File permissions:

~$ ls -l /mnt/pool/Share/Backup/Test.txt
-rw-rwx---+ 1 haegarthehorrible sambashare 0 Feb 11 07:18 /mnt/pool/Share/Backup/Test.txt

~$ stat /mnt/pool/Share/Backup/Test.txt
Access: (0670/-rw-rwx---)  Uid: (1000/haegarthehorrible)  Gid: (996/sambashare)

~$ getfacl /mnt/pool/Share/Backup/Test.txt
# file: mnt/pool/Share/Backup/Test.txt
# owner: haegarthehorrible
# group: sambashare
user::rw-
user:haegarthehorrible:rw-
group::rw-
group:sambashare:rw-
group:sambashareAdmin:rw-
mask::rwx
other::---
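One detail worth checking in output like the above: on a file that carries an extended ACL, the group bits that `ls`/`stat` report are the `mask::` entry, not the owning group's `group::` entry, so the `0670` shown for Test.txt does not by itself mean anyone has effective execute. The following script is an added example (not from the question or from Samba) that parses getfacl output, computes the mode the kernel reports and each entry's effective rights after the mask is applied, and lists which entries really carry `x`; the embedded input is the Test.txt listing from the question.

```python
# Sample getfacl output, reproduced from the question's Test.txt listing (constructed input).
SAMPLE_ACL = """\
# file: mnt/pool/Share/Backup/Test.txt
# owner: haegarthehorrible
# group: sambashare
user::rw-
user:haegarthehorrible:rw-
group::rw-
group:sambashare:rw-
group:sambashareAdmin:rw-
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Return [(tag, qualifier, perms)] from getfacl output; comments and default: entries are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "default:")):
            continue
        tag, qualifier, perms = line.split(":", 2)
        entries.append((tag, qualifier, perms.replace("-", "")))  # keep only the r/w/x letters
    return entries

def effective_perms(entries):
    """Effective rights per entry: user::, other:: and mask:: as-is, every other entry ANDed with the mask."""
    mask = next((p for t, q, p in entries if t == "mask"), None)
    result = {}
    for tag, qualifier, perms in entries:
        unmasked = tag == "mask" or (tag in ("user", "other") and qualifier == "")
        if mask is None or unmasked:
            result[f"{tag}:{qualifier}"] = perms
        else:
            result[f"{tag}:{qualifier}"] = "".join(c for c in "rwx" if c in perms and c in mask)
    return result

def _bits(perms):
    return (4 if "r" in perms else 0) | (2 if "w" in perms else 0) | (1 if "x" in perms else 0)

def reported_mode(entries):
    """Mode bits stat()/ls show: owner from user::, group from mask:: if present (else group::),
    other from other::."""
    by_key = {f"{t}:{q}": p for t, q, p in entries}
    group_src = by_key.get("mask:", by_key["group:"])
    return (_bits(by_key["user:"]) << 6) | (_bits(group_src) << 3) | _bits(by_key["other:"])

def entries_with_exec(entries):
    """Entries whose effective rights really include x; this is what is worth auditing, not the mode."""
    return sorted(k for k, p in effective_perms(entries).items() if "x" in p and k != "mask:")
```

For the embedded listing, `reported_mode` returns `0o670` (matching the question's stat output) while `entries_with_exec` returns an empty list, because every masked entry is `rw-` and only the mask itself carries `x`.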
