File Permissions - Windows vs. *NIX
05-12-2007 #1 (Just Joined! - Join Date: Jan 2005 - Posts: 54)
Hey so I'm stuck here.
I'm trying to switch from a Windows Server 2003 (NTFS drives) to an Ubuntu (ext3).
This server is mainly a file server, and has very granular definitions for groups/users and effectively file permissions on the files.
NTFS has LOTS of settings which can be set...
NTFS Permissions
UNIX with the 'basic' setting doesn't even come close. In fact the basic is closer to the old FAT32 filesystem in Windows...
http://www.linuxforums.org/security/...rmissions.html
Even with ACLs installed into an ext3 filesystem, it still does not match the power of the NTFS filesystem.
I would REALLY like to switch from Windows to Linux, but if linux can't match NTFS' granularity of file permissions....it doesn't make sense to switch over the file server...
----
Specific Examples: (Made up to prove my point)
Groups:
- limited (only has network access)
- full (only has network access, but more WRITE abilities in certain dirs)
- administrators (local logon enabled, full network access)
Directories:
- C:\blah1
- D:\blah2
blah1 - administrators have FULL ACCESS, full has READ/EXECUTE, and limited is NO ACCESS
- CAN be done with ACLs. Cool!
blah2 - admins have FULL ACCESS, full and limited have READ/EXECUTE, BUT...on FILES ONLY, limited has NO ACCESS. (therefore 'limited' can browse directories, but NOT read/execute files...
- There's no way to do the blah2 portion with ACLs ...
Another annoying thing with ACLs...there's no "Apply to all sub containers"...??
If someone could please prove me wrong, it would be greatly appreciated.
Thanks
EDIT: NOTE: I'm using the eiciel ACL editor for built-in nautilus support (GNOME)...can't even find a different alternative here...
05-12-2007 #2
Quote:
blah2 - admins have FULL ACCESS, full and limited have READ/EXECUTE, BUT...on FILES ONLY, limited has NO ACCESS. (therefore 'limited' can browse directories, but NOT read/execute files...
- There's no way to do the blah2 portion with ACLs ...
Not really, this will do:
Code:
setfacl -m g:admins:rwx -R blah2
setfacl -m g:full:r-x -R blah2
setfacl -m d:g:limited:r-- -R blah2
Well, actually, for 'limited', you must create some script to apply different permissions for files and folders. I don't include it, since I haven't learned any bash scripting, but your criteria can be achieved in Linux. (Expert help needed to write the script, or give a better approach here.)
Quote:
Another annoying thing with ACLs...there's no "Apply to all sub containers"...??
I once used eiciel, but it was a long time ago and I totally forgot, but you can surely apply the permission to subdirectories using this command:
Code:
setfacl -m g:admins:rwx -R blah1
To add a default permission for newly created folders / files, do this:
Code:
setfacl -m d:g:admins:rwx -R blah1
These codes are just examples; you can get more by RTFM of setfacl or getfacl.
Code:
man setfacl getfacl
Last edited by SuSEholic; 05-12-2007 at 03:59 PM. Reason: fix wrong syntax.
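Post #2 says the blah2 split (limited may browse directories but must not read files) needs a script. The one below is added here by the editor and is not from the thread or from any of its posters. It uses find to give directories and files different ACL entries; the group names admins, full and limited and the path come from the OP's made-up example, and it assumes root privileges and a filesystem mounted with ACL support.

```shell
#!/bin/sh
# Added example, not from the thread: apply the OP's "blah2" model with POSIX ACLs.
#   admins  -> rwx on directories and files
#   full    -> r-x on directories and files
#   limited -> r-x on directories (browse only), --- on files
# Group names and path are assumptions taken from the OP's example.
# Usage: sh blah2_acl.sh [-n] DIRECTORY   (-n prints the commands instead of running them)

apply_blah2_acls() {
    run=
    if [ "$1" = -n ]; then run=echo; shift; fi    # dry-run: echo instead of execute
    dir=$1

    # Existing directories: everyone may traverse and list, admins may write.
    $run find "$dir" -type d -exec setfacl -m g:admins:rwx,g:full:r-x,g:limited:r-x {} +

    # Existing files: limited gets an explicit empty entry so it cannot read or run them.
    $run find "$dir" -type f -exec setfacl -m g:admins:rwx,g:full:r-x,g:limited:--- {} +

    # Default entries for objects created later. A default ACL cannot tell files
    # from directories, so limited is given --- here (fail closed): a new file is
    # never readable by limited, while a new subdirectory is not browsable by
    # limited until the directory pass above is run again.
    $run find "$dir" -type d -exec setfacl -m d:g:admins:rwx,d:g:full:r-x,d:g:limited:--- {} +
}

if [ $# -gt 0 ]; then
    apply_blah2_acls "$@"
fi
```

Review the plan with `-n` first, then verify the result with `getfacl -R` on the tree. The fail-closed default is deliberate: the alternative `d:g:limited:r-x` would let limited read every newly uploaded file until the file pass is rerun, so if new directories are common, schedule the script (for example from cron) rather than loosening the default.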
05-12-2007 #3
Thanks so much for your reply,
So I suppose ultimately the eiciel GUI simply can't do all that the command line can do at this time.
Two questions at this point I guess,
1 - It would be convenient to set the "base" ACLs on a directory using eiciel, then apply them recursively to all existing sub dirs/files.
Steps:
- Set ACLs using eiciel
- Command
Code:
getfacl base_dir | sudo setfacl -R --set-file=- base_dir
The above 'seems' to work, any problems that you can see?
2 - Default ACLs
Setting default ACLs on a directory allows anything created within this 'base_dir' to 'inherit' the ACL of its parent_dir.
Steps:
- Using eiciel, create such 'defaults' as your base ACL config on a base_dir
- Create a new directory within the base_dir, - 'test_dir'
- Create a new directory within the test_dir, - 'test_inner_dir'
[attachment: Screenshot-1.jpg]
Success! The above works for DIRECTORIES, but when I try to create files... for some reason the default mask doesn't carry through on the EXECUTE portion...how to fix this?
[attachment: Screenshot.jpg]
Last edited by Fermulator; 05-12-2007 at 03:27 PM. Reason: Formatting,
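The missing execute bit on new files in #3 is standard POSIX ACL inheritance rather than an eiciel problem: when an object is created under a directory with a default ACL, its user::, mask:: (or group:: if there is no mask) and other:: entries are ANDed with the mode the creating process asked for, while named entries are copied unchanged and then limited by that mask. touch and most editors ask for 0666, mkdir for 0777, so directories keep x and files do not. The script below is an added example by the editor, not code from the thread; it reproduces that rule on a constructed default ACL so the effect can be checked without touching a filesystem.

```shell
#!/bin/sh
# Added example, not from the thread: compute the access ACL a new object gets
# from a directory's default ACL (rule from acl(5)). The default ACL at the
# bottom is constructed for the demonstration.

perm_to_num() {   # "r-x" -> 5
    n=0
    case $1 in r??) n=$((n + 4)) ;; esac
    case $1 in ?w?) n=$((n + 2)) ;; esac
    case $1 in ??x) n=$((n + 1)) ;; esac
    echo "$n"
}

num_to_perm() {   # 5 -> "r-x"
    p=
    for bit in 4 2 1; do
        if [ $(($1 & $bit)) -ne 0 ]; then
            case $bit in 4) p="${p}r" ;; 2) p="${p}w" ;; 1) p="${p}x" ;; esac
        else
            p="${p}-"
        fi
    done
    echo "$p"
}

# inherit_access_acl MODE  (MODE in octal digits, e.g. 666 or 777)
# Reads a default ACL in getfacl style on stdin ("default:" prefix optional) and
# prints the resulting access ACL, marking entries the mask cuts down with
# "#effective:" the way getfacl does.
inherit_access_acl() {
    mode=$((0$1))
    u_bits=$(((mode >> 6) & 7)); g_bits=$(((mode >> 3) & 7)); o_bits=$((mode & 7))
    acl=$(sed 's/^default://; /^#/d; /^$/d')
    mask_bits=
    mask_line=$(printf '%s\n' "$acl" | grep '^mask::' || true)
    if [ -n "$mask_line" ]; then
        # the mask inherits the group bits of the creation mode
        mask_bits=$(( $(perm_to_num "${mask_line##*:}") & g_bits ))
    fi
    printf '%s\n' "$acl" | while IFS= read -r line; do
        tag=${line%%:*}; rest=${line#*:}; name=${rest%%:*}; perms=${rest#*:}
        bits=$(perm_to_num "$perms")
        case "$tag:$name" in
            user:)  bits=$((bits & u_bits)) ;;
            other:) bits=$((bits & o_bits)) ;;
            mask:)  bits=$mask_bits ;;
            group:) if [ -z "$mask_bits" ]; then bits=$((bits & g_bits)); fi ;;
        esac
        out="$tag:$name:$(num_to_perm "$bits")"
        eff=
        case "$tag:$name" in
            user:|other:|mask:) ;;
            *) if [ -n "$mask_bits" ] && [ $((bits & mask_bits)) -ne "$bits" ]; then
                   eff=$(num_to_perm $((bits & mask_bits)))
               fi ;;
        esac
        if [ -n "$eff" ]; then printf '%s\t#effective:%s\n' "$out" "$eff"
        else printf '%s\n' "$out"; fi
    done
}

# Constructed default ACL of a share directory, as "getfacl -d" would print it.
SAMPLE_DEFAULT_ACL='user::rwx
group::rwx
group:full:rwx
mask::rwx
other::r-x'

if [ $# -gt 0 ]; then
    inherit_access_acl "$1"          # real use: getfacl -d DIR | sh inherit.sh 666
else
    echo "== new file (touch asks for 0666) =="
    printf '%s\n' "$SAMPLE_DEFAULT_ACL" | inherit_access_acl 666
    echo "== new directory (mkdir asks for 0777) =="
    printf '%s\n' "$SAMPLE_DEFAULT_ACL" | inherit_access_acl 777
fi
```

With the sample ACL the file case yields mask::rw- and group:full:rwx with #effective:rw-, the directory case keeps everything at rwx. A default ACL therefore cannot grant execute on files that are created without it; if scripts dropped into the share must be executable, the creating program has to request it (or a chmod pass has to add it afterwards).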
05-13-2007 #4
Also, just to show an example, check out the Windows permissions for one of the directories...
Since more than one group has specified permissions....ACLs are definitely required...
[attachment: advanced_security.JPG]
05-15-2007 #5
This is actually a very good read....
Read a bit already...it will probably answer all of my questions.
POSIX Access Control Lists on Linux
05-15-2007 #6
Interesting restriction:
Quote from Linux.com | POSIX ACLs in Linux:
ACLs allow for more complicated permission models than the traditional permission implementation permits. They are a welcome and necessary addition to an administrator's arsenal, but their current implementation has some limitations. Finer control of users' rights, such as restricting the ability to create or delete files while allowing write access and setting append-only or immutable permissions through ACLs, would be useful.
This is unfortunate...as the ability to CREATE files, but not DELETE them, is something very useful for an upload folder in a samba share for example...Does anyone know how to do this?
05-15-2007 #7
Originally Posted by Fermulator
You may be able to do this with extended attributes (works on ext2 / ext3 filesystems).
Example:
Code:
[e@dosequis ~]$ mkdir fun-directory
[e@dosequis ~]$ sudo chattr +a fun-directory
[e@dosequis ~]$ touch fun-directory/file1
[e@dosequis ~]$ touch fun-directory/another1
[e@dosequis ~]$ rm fun-directory/another1
rm: cannot remove `fun-directory/another1': Operation not permitted
See man 1 chattr and man 1 lsattr for details.