- 06-26-2005 #1 Just Joined!
- Join Date
- Sep 2004
- Posts
- 44
Understanding Linux Security and Groups
OK... I am trying to understand the Linux file-sharing/security/networking model... it seems like for every file/directory/whatever you can assign/set the rights/privileges for user/group/everyone. Now... this model seems exceptionally limited to me so I am trying to figure out if I understand it correctly, because I am sure that I do not.
For example, let us say that you had a reasonably sized corporation where you had several groups. For this example, let us say cats, dogs, owners, and food. Then let us say you had several shares, cat bed, dog house, owner house.
Now... food is just the food, it shouldn't have access to any of those shares, cats should have access to the cat bed share only, dogs should have access to the dog house only, but neither of those groups should have access to the owner house, and the owner house should have access to all 3 shares.
How could you even set something like that up? Particularly if there were multiple owners in each?
Now that I have asked that question, which I just want to understand on a more philosophical level (because I really am curious, I am hoping to move away from Windows completely as soon as I can, I do NOT like the direction that M$ is heading...), I have a more specific question...
I have migrated my domain controller from Windows 2000 to Linux and have Samba and everything working so I can share files. The problem is, I have several users and each time they write a file, files do not seem to inherit the permissions of the directory they are in by default. It seems that they always seem to have the permissions set so that only the user that creates/whatever the file has the access to move or delete it, but I want all users to have administrative privileges for now (this is in my house, so it is just me and my wife, the moment a kid comes along we may have to adjust that a bit...)
How can I set the default permissions for files that are created on the network? I mean, I don't want everyone to have privileges to them, such as any guest users or anything... but we are both in the same group that I created for us so at the least I want that group to have all privileges, by default, on the shared network drives...
How does one manage this?
- 06-26-2005 #2 Just Joined!
- Join Date
- Sep 2004
- Posts
- 44
For that matter, every time (even when it appears as if I have the permissions to delete files and such), when I delete files half the time it looks like they are deleted, they go away and all, then I refresh and they are there again... why is this happening?
- 06-26-2005 #3 Linux Engineer
- Join Date
- Mar 2005
- Location
- Where my hat is
- Posts
- 765
You're trying to comprehend the whole picture at once, and for a novice just learning the ropes of groups and permissions, it can be a daunting task.
Break it down into easier bites.
First thing to remember is your permissions are inherited downward through the directory tree. Anything you grant in one directory will be inherited through each subdirectory.
Let's say we have 4 directories we need to work with. They're all on the same level in the directory structure. We'll call them:
Finance
Personnel
Data
Forms
And we have 4 groups, Finance, HR, Bosses, and Flunkies
Bosses get access to everything.
Finance needs access to Finance, Forms, and Data
HR needs access to Personnel, Forms, and Data
Flunkies need access to Data and Forms.
Now it's just a matter of assigning the permissions to each group, which should be easy at this point.
The thing to remember is you need to pay close attention to what each group has access to. As you can assign an individual to multiple usergroups, you could easily grant access to something you don't want them to have.
What you need to do at this point is ensure that each group can read and write to all files in that particular directory. Make sure you assign based on group membership, rather than individuals, as you won't be able to modify something that another user has placed in there.
Registered Linux user #384279
Vector Linux SOHO 6 / Vector Linux 7 RC 3.4
- 06-27-2005 #4 Just Joined!
- Join Date
- Sep 2004
- Posts
- 44
But how can more than one group be assigned to a folder?
- 06-27-2005 #5 Linux Newbie
- Join Date
- Jun 2005
- Location
- Whitstable, Kent, England
- Posts
- 136
Only one group can be assigned to a directory but a user can be added to multiple groups. Let me show this based on the first example:
First create a group for each of these directories:
cat bed => catbed
dog house => doghouse
owner house => ownerhouse
food => food
Then add users to the required groups:
food => food
cats => catbed
dogs => doghouse
owners => catbed, doghouse, ownerhouse, food
Hope that makes sense
The biggest security threat is the user.
- 06-27-2005 #6 Linux Engineer
- Join Date
- Mar 2005
- Location
- Where my hat is
- Posts
- 765
When using ACL, multiple groups can be assigned to a directory. Here's a detailed guide on using ACL.
Originally Posted by Xenon
Registered Linux user #384279
Vector Linux SOHO 6 / Vector Linux 7 RC 3.4
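The two layouts described in posts #5 and #6, checked against the access rules from the opening question. This is an added example, not part of any post in the thread; the account names, the root-owned mode 770 directories and the simplified group-only check are assumptions made for illustration.

```python
# Added example: constructed accounts and a simplified group-class access check.
# Assumes root-owned shares with mode 770, no listed user owns a share, mask rwx.
REQUIRED = {  # roles the original question allows on each share
    "cat bed": {"cats", "owners"},
    "dog house": {"dogs", "owners"},
    "owner house": {"owners"},
}
ROLE = {"tom": "cats", "rex": "dogs", "kibble": "food",
        "alice": "owners", "bob": "owners"}  # hypothetical accounts
# Post #5: one owning group per share, owners are members of every group.
ALL = {"catbed", "doghouse", "ownerhouse", "food"}
CLASSIC_MEMBERS = {"tom": {"catbed"}, "rex": {"doghouse"}, "kibble": {"food"},
                   "alice": set(ALL), "bob": set(ALL)}
CLASSIC_SHARES = {
    "cat bed": {"group": "catbed", "acl_groups": set()},
    "dog house": {"group": "doghouse", "acl_groups": set()},
    "owner house": {"group": "ownerhouse", "acl_groups": set()},
}
# Post #6: groups mirror the roles, an ACL entry names the second group.
ACL_MEMBERS = {user: {role} for user, role in ROLE.items()}
ACL_SHARES = {
    "cat bed": {"group": "cats", "acl_groups": {"owners"}},
    "dog house": {"group": "dogs", "acl_groups": {"owners"}},
    "owner house": {"group": "owners", "acl_groups": set()},
}

def can_access(user_groups, share):
    """True if the owning group or a named ACL group matches the user's groups."""
    return bool(user_groups & ({share["group"]} | share["acl_groups"]))

def access_matrix(members, shares):
    """Map each share to the set of users the group checks let in."""
    return {name: {u for u, groups in members.items() if can_access(groups, s)}
            for name, s in shares.items()}

def violations(members, shares):
    """List (user, share, 'excess' | 'missing') where access differs from REQUIRED."""
    found = []
    for name, users in access_matrix(members, shares).items():
        for user, role in ROLE.items():
            if (user in users) != (role in REQUIRED[name]):
                found.append((user, name, "excess" if user in users else "missing"))
    return sorted(found)

if __name__ == "__main__":
    for label, m, s in (("post #5", CLASSIC_MEMBERS, CLASSIC_SHARES),
                        ("post #6", ACL_MEMBERS, ACL_SHARES)):
        print(label, access_matrix(m, s), violations(m, s))
```

Both layouts produce the same access matrix; re-running `violations` after a membership change flags the unintended access that post #3 warns about when a user is added to an extra group.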
- 06-27-2005 #7 Linux Newbie
- Join Date
- Jun 2005
- Location
- Whitstable, Kent, England
- Posts
- 136
Ta for that, I've learnt something new
The biggest security threat is the user.
- 06-28-2005 #8 Just Joined!
- Join Date
- Sep 2004
- Posts
- 44
So is this ACL a default function, or is it an add-on that someone has created? I mean, I haven't seen any GUI for this... and for that matter, is it a SUSE only thing? Sorry if these questions seem inane, I am an absolute Linux newbie.
Beyond that, any idea as to the second part of my original post, regarding the non-theoretical stuff?


