  1. #1
    Just Joined!
    Join Date
    Jan 2005
    Posts
    54

    File Permissions - Windows vs. *NIX


    Hey so I'm stuck here.

    I'm trying to switch from a Windows Server 2003 (NTFS drives) to a Ubuntu (ext3).
    This server is mainly a file server, and has very granular definitions for groups/users and effectively file permissions on the files.


    NTFS has LOTS of settings which can be set...
    NTFS Permissions

    UNIX with the 'basic' setting doesn't even come close. In fact the basic is closer to the old FAT32 filesystem in Windows...
    http://www.linuxforums.org/security/...rmissions.html

    Even with ACLs installed into an ext3 filesystem, it still does not match the power of the NTFS filesystem.



    I would REALLY like to switch from Windows to Linux, but if linux can't match NTFS' granularity of file permissions....it doesn't make sense to switch over the file server...


    ----
    Specific Examples: (Made up to prove my point)
    Groups:
    - limited (only has network access)
    - full (only has network access, but more WRITE abilities in certain dirs)
    - administrators (local logon enabled, full network access)

    Directories:
    - C:\blah1
    - D:\blah2

    blah1 - administrators have FULL ACCESS, full has READ/EXECUTE, and limited is NO ACCESS
    - CAN be done with ACLs. Cool!

    blah2 - admins have FULL ACCESS, full and limited have READ/EXECUTE, BUT...on FILES ONLY, limited has NO ACCESS. (therefore 'limited' can browse directories, but NOT read/execute files...)
    - There's no way to do the blah2 portion with ACLs ...


    Another annoying thing with ACLs...there's no "Apply to all sub containers"...??

    If someone could please prove me wrong, it would be greatly appreciated.

    Thanks

    EDIT: NOTE: I'm using eiciel ACL editor for built in nautilus support (GNOME)..can't even find a different alternative here...

  2. #2
    Just Joined! SuSEholic's Avatar
    Join Date
    Apr 2007
    Posts
    28
    Quote Originally Posted by Fermulator
    blah2 - admins have FULL ACCESS, full and limited have READ/EXECUTE, BUT...on FILES ONLY, limited has NO ACCESS. (therefore 'limited' can browse directories, but NOT read/execute files...)
    - There's no way to do the blah2 portion with ACLs ...
    Not really, this will do:
    Code:
    setfacl -m g:admins:rwx -R blah2
    setfacl -m g:full:r-x -R blah2
    setfacl -m d:g:limited:r-- -R blah2
    Well, actually, for 'limited', you must create some script to apply different permissions for files and folders. I don't include it, since I haven't learned any bash scripting. But your criteria can be achieved in Linux. (Expert help needed to write the script or give a better approach here.)

    Quote Originally Posted by Fermulator
    Another annoying thing with ACLs...there's no "Apply to all sub containers"...??
    I once used eiciel, but it was a long time ago, and I totally forgot, but you can surely apply the permission to sub directory, using this command:
    Code:
    setfacl -m g:admins:rwx -R blah1
    To add a default permission for a newly created folder / files, do this:
    Code:
    setfacl -m d:g:admins:rwx -R blah1
    These commands are just examples; you can get more by RTFM of setfacl or getfacl.
    Code:
    man setfacl getfacl
    Last edited by SuSEholic; 05-12-2007 at 03:59 PM. Reason: fix wrong syntax.
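The script that the reply above leaves to "expert help", as an added example that is not from the thread or from any of its posters: it applies Fermulator's made-up blah2 policy with find(1) and setfacl(1), treating directories and regular files separately. The group names (admins, full, limited) are passed in as arguments and are assumed, not taken from any real system.

```shell
#!/bin/sh
# Added example, not from the thread. Applies the "blah2" policy:
# admins rwx on everything, full r-x on everything, limited r-x on directories
# (may browse) but --- on files (may not read or execute them).
# Group names are parameters; none of them is assumed to exist on this box.

# ACL spec for directories. The d: entries become the default ACL that new
# children inherit. A POSIX default ACL cannot say "this entry is for files
# only", so the default for "limited" is --- (fail closed: a new subdirectory
# is unbrowsable until the script is re-run, rather than a new file readable).
dir_spec() {
    printf 'g:%s:rwx,g:%s:r-x,g:%s:r-x,d:g:%s:rwx,d:g:%s:r-x,d:g:%s:---\n' \
        "$1" "$2" "$3" "$1" "$2" "$3"
}

# ACL spec for regular files: no default entries, and limited gets nothing.
file_spec() {
    printf 'g:%s:rwx,g:%s:r-x,g:%s:---\n' "$1" "$2" "$3"
}

# apply_blah2_policy DIR ADMINS_GROUP FULL_GROUP LIMITED_GROUP
apply_blah2_policy() {
    dir=$1 admins=$2 full=$3 limited=$4
    # "-exec ... {} +" batches many paths into one setfacl call.
    find "$dir" -type d -exec setfacl -m "$(dir_spec "$admins" "$full" "$limited")" {} +
    find "$dir" -type f -exec setfacl -m "$(file_spec "$admins" "$full" "$limited")" {} +
}

# Usage: sh blah2-acl.sh --apply /srv/blah2 admins full limited
if [ $# -eq 5 ] && [ "$1" = "--apply" ]; then
    apply_blah2_policy "$2" "$3" "$4" "$5"
    getfacl -p "$2"      # show the resulting top-level ACL (-p keeps the leading /)
fi
```

Because the default ACL is deliberately closed for "limited", the script has to be re-run (for example from cron) whenever new subdirectories appear; that re-run is what NTFS does at inheritance time and POSIX ACLs cannot do by object type.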

  3. #3
    Just Joined!
    Join Date
    Jan 2005
    Posts
    54
    Thanks so much for your reply,

    So I suppose ultimately the eiciel GUI simply can't do all that the command line can do at this time.

    Two questions at this point I guess,

    1 - It would be convenient to set the "base" ACLs on a directory using eiciel, then apply them recursively to all existing sub dirs/files.

    Steps:
    1. Set ACLs using eiciel
    2. Command
      Code:
      getfacl base_dir | sudo setfacl -R --set-file=- base_dir


    The above 'seems' to work, any problems that you can see?

    2 - Default ACLs
    Setting default ACLs on a directory allows anything created within this 'base_dir" to 'inherit' the ACL of its parent_dir.

    Steps:
    1. Using eiciel, create such 'defaults' as your base ACL config on a base_dir
    2. Create a new directory within the base_dir, - 'test_dir'
    3. Create a new directory within the test_dir, - 'test_inner_dir'


    Screenshot-1.jpg

    Success! The above works for DIRECTORIES, but when I try to create files... for some reason the default mask doesn't carry through on the EXECUTE portion...how to fix this?

    Screenshot.jpg
    Last edited by Fermulator; 05-12-2007 at 03:27 PM. Reason: Formatting,
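Why the execute bit survives for new directories but not for new files, as an added example that is not from the thread: it models the POSIX ACL inheritance step in plain sh (the gid 4000001 and the file names are constructed for illustration only) and, where setfacl/getfacl and an ACL-enabled filesystem are available, reproduces the effect for real.

```shell
#!/bin/sh
# Added example, not from the thread. A new object's ACL is a copy of the
# parent's default ACL; the owner, mask and other entries are then ANDed with
# the mode the creating program requests: mkdir(2) requests 0777, while
# creat(2)/open(2) for a data file requests 0666. (With a default ACL present
# the umask is not applied; the ACL mask takes its place.) Named user/group
# entries are copied unchanged, but only entry & mask is effective, so on a
# file the x bit of a default ACL can never take effect. Nothing set on the
# directory changes that; only the creating program (or a later chmod) can.

# AND of two rwx triples: effective_perms rwx rw-  ->  rw-
effective_perms() {
    ep_entry=$1 ep_mask=$2 ep_out="" ep_i=1
    while [ "$ep_i" -le 3 ]; do
        ep_e=$(printf '%s' "$ep_entry" | cut -c"$ep_i")
        ep_m=$(printf '%s' "$ep_mask" | cut -c"$ep_i")
        if [ "$ep_e" = "$ep_m" ] && [ "$ep_e" != "-" ]; then
            ep_out="$ep_out$ep_e"
        else
            ep_out="$ep_out-"
        fi
        ep_i=$((ep_i + 1))
    done
    printf '%s\n' "$ep_out"
}

# predict_effective DEFAULT_ENTRY DEFAULT_MASK file|dir
# Effective permissions a named entry of the parent's default ACL ends up
# with on a newly created child.
predict_effective() {
    pe_entry=$1 pe_mask=$2
    case $3 in
        dir)  pe_req=rwx ;;   # mkdir: 0777, group triple rwx
        file) pe_req=rw- ;;   # creat: 0666, group triple rw-
        *)    echo "usage: predict_effective ENTRY MASK file|dir" >&2; return 1 ;;
    esac
    pe_inherited=$(effective_perms "$pe_mask" "$pe_req")
    effective_perms "$pe_entry" "$pe_inherited"
}

# Reproduce it on a real filesystem when the ACL tools are present. Gid
# 4000001 is a constructed placeholder; the group need not exist. Prints the
# getfacl lines for a new subdirectory and a new file: the file's group line
# carries "#effective:rw-" although the entry itself still reads rwx.
demo_inheritance() {
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed" >&2; return 1; }
    t=$(mktemp -d)
    setfacl -m d:g:4000001:rwx "$t" || { rm -rf "$t"; return 1; }  # no ACL support
    mkdir "$t/newdir"
    : > "$t/newfile"
    getfacl -p "$t/newdir" "$t/newfile" | grep -E '^(# file|group:4000001|mask)'
    rm -rf "$t"
}

if [ "${1:-}" = "--demo" ]; then demo_inheritance; fi
```

The practical consequence: there is no directory-side "fix". The eiciel screenshot shows the entry as rwx because the entry is copied verbatim; the #effective column shows what the mask actually allows. If the files arrive through Samba, the share's create mask / force create mode settings govern the requested mode at creation time, which is the only place the missing x can be supplied before the fact.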

  5. #4
    Just Joined!
    Join Date
    Jan 2005
    Posts
    54
    Also, just to show an example, checkout the windows permissions for one of the directories...

    Since more than one group has specified permissions....ACLs are definitely required...

    advanced_security.JPG

  6. #5
    Just Joined!
    Join Date
    Jan 2005
    Posts
    54
    This is actually a very good read....

    Read a bit already...it will probably answer all of my questions.
    POSIX Access Control Lists on Linux

  7. #6
    Just Joined!
    Join Date
    Jan 2005
    Posts
    54


    Interesting restriction:

    ACLs allow for more complicated permission models than the traditional permission implementation permits. They are a welcome and necessary addition an administrator's arsenal, but their current implementation has some limitations. Finer control of users' rights, such as restricting the ability to create or delete files while allowing write access and setting append-only or immutable permissions through ACLs, would be useful.
    Linux.com | POSIX ACLs in Linux

    This is unfortunate...as the ability to CREATE files, but not DELETE them, is something very useful for an upload folder in a samba share for example...Does anyone know how to do this?

  8. #7
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Quote Originally Posted by Fermulator
    the ability to CREATE files, but not DELETE them, is something very useful for an upload folder in a samba share for example...Does anyone know how to do this?
    You may be able to do this with extended attributes (works on ext2 / ext3 filesystems).

    Example:
    Code:
    [e@dosequis ~]$ mkdir fun-directory
    [e@dosequis ~]$ sudo chattr +a fun-directory
    [e@dosequis ~]$ touch fun-directory/file1
    [e@dosequis ~]$ touch fun-directory/another1
    [e@dosequis ~]$ rm fun-directory/another1 
    rm: cannot remove `fun-directory/another1': Operation not permitted
    See man 1 chattr and man 1 lsattr for details.
