topic Re: assign multiple groups to a folder :( in Operating System - Linux

assign multiple groups to a folder :(

iinfi1 — Thu, 16 Jul 2009 11:05:18 GMT

hi all

is it possible to assign multiple groups to a folder?

eg i have a folder /shared
i want the folder to be accessible by users from groups g1,g2,g3.

i can add a user to multiple groups but cannot assign a file/folder to multiple groups.
case:
i am in the process of creating a linux server which is joined to windows AD domain.
windows desktop users who are authenticated with the windows AD are directed to shared folders on the linux file server.
i have say, share1 share2 share3 mapped to IT, Finance, Sales depts.

so in case i need to share the folder share2 with heads of IT and Finance and other members of the management, then its better off to add the head of IT and Finance to the folder group and add the group containing the members of the management to the folder group.
hope i am making it clear.
any clues?

Re: assign multiple groups to a folder :(

Ivan Ferreira — Thu, 16 Jul 2009 11:48:33 GMT

You should try to keep access rights by using just group membership and default group permissions for the folder.

If you cannot accomplish what you desire with this, then you must use ACLs. Check the setfacl/getfacl commands.

Re: assign multiple groups to a folder :(

Steven E. Protter — Thu, 16 Jul 2009 12:33:06 GMT

Shalom,

ACL is the way to go.

http://www.suse.de/~agruen/acl/chapter/fs_acl-en.pdf

http://www.vanemery.com/Linux/ACL/linux-acl.html

I'm not a big fan of ACL, but this is how it should work.

SEP

Re: assign multiple groups to a folder :(

iinfi1 — Thu, 16 Jul 2009 15:10:18 GMT

thank you ivan and steven.
i will check how ACLs work here in my case.

you said "i am not a fan of ACLs"
is it because management becomes difficult with ACLs?

if i get you both right, you mean i sud use file and group permissions and only in cases where it doesnt fulfill my requirement, i sud use ACLs. am i right?

Re: assign multiple groups to a folder :(

Ivan Ferreira — Thu, 16 Jul 2009 19:52:57 GMT

>>> is it because management becomes difficult with ACLs?

Yes, first of all, you cannot identify which permissions are in effect without checking with getfacl. You mus ensure that your backup tool supports ACLs saving and restoring. When you copy/move/restore a file, you mus ensure that ACLs are retained.

Also, you must take special care with defaults ACLs for new files.

>>> if i get you both right, you mean i sud use file and group permissions and only in cases where it doesnt fulfill my requirement, i sud use ACLs. am i right?

That is just my opinion and may be different for others.

The question is, why IT, Finance and Sales should share the same folder with full control each one? I mean, it's logical for the finances folder to give full access to finance group, but sales group should not have full access.

In that case, if you need a "shared" directory, create a new one, with a group "shared" as the owner, and users members of finance;shared or sales:shared.

They will have their own folder (secure) and a shared folder.

Re: assign multiple groups to a folder :(

dirk dierickx — Mon, 20 Jul 2009 12:09:33 GMT

you need to reverse your logic and your problem is solved.

create a new group, add all required users to this group, make this new group owner of the mentioned directory. problem solved.

you could fiddle around with acl's as well (as mentioned in previous posts), but i prefer not to use those until really hard and specific right management comes into place (which is hardly the case).

Re: assign multiple groups to a folder :(

iinfi1 — Mon, 20 Jul 2009 14:42:43 GMT

thank you all :)

Re: assign multiple groups to a folder :(

iinfi1 — Wed, 19 Aug 2009 16:33:05 GMT

i know this is an old thread which i am bumping. apologies if its against forum rules.
now, i have a client for whom i feel i will definitely need to use ACLs.
i am creating a RHEL file server with windows workstation users authenticating from windows AD. i have joined RHEL box with AD (samba+winbind) and mapping drives for users from windows logon scripts.
they have about 300-500 users forming different groups.
Among these groups they have users who will have r-x on certain folders. Certain users who will have rwx on the same set of folders.
the above i feel is not possible to achieve without ACLs. Correct me if i am wrong.

>> does linux have any good GUI to actually assign these ACLs for users?
The client doesnt have a linux person at his place. i can do the configuring all right with setfacl and check with getfacl, but the client finds it messy.

>> any good backup software which supports backup and restore with ACLs??

any comments welcome
thank you..

Re: assign multiple groups to a folder :(

iinfi1 — Thu, 20 Aug 2009 09:06:57 GMT

i installed KDE where i could set ACLs on the fileserver using the GUI itself.
so that should solve the problem for the time being.

Meanwhile i found a limitation, or more so i am not sure if thats the way ACLs work.

i have a group gr1
i have users in the group u1,u2,u3

Using ACLs, for a folder /shares/it I assign rwx to u1
and --- to gr1.
it still allows u1 rwx access to the folder. my feeling is since gr1 has been restricted access to the folder the restrict access should take precedence over allow access to u1.
could someone please clarify?

Re: assign multiple groups to a folder :(

Steven Schweda — Thu, 20 Aug 2009 09:54:06 GMT

> [...] precedence [...]

ACL = Access Control _List_. What is the
_order_ of the access control entries in the
list? (Which one _precedes_ the other?)

What happens if you change the order?

As usual, showing actual commands with their
actual output can be more helpful than vague
descriptions.

Re: assign multiple groups to a folder :(

iinfi1 — Thu, 20 Aug 2009 10:29:57 GMT

[root@fs ~]# getfacl /shares/it/
getfacl: Removing leading '/' from absolute path names
# file: shares/it
# owner: itadmin
# group: it
user::rwx
user:u1:rwx
user:u2:rwx
user:u3:rwx
user:u5:rwx
user:u6:rwx
group::r-x
group:gr1:---
mask::rwx
other::---

i use setfacl and getfacl to set ACLs
here in the above case i have users u5 and u6 in the group gr1.
as gr1 has no privileges to the folder u5 and u6 also should not have any privileges.
but whn i log in as u5 or u6 i have full rights on the folder.
restrict privileges does not take precedence over the other privileges. :(

Re: assign multiple groups to a folder :(

Ivan Ferreira — Thu, 20 Aug 2009 14:17:40 GMT

In linux, normally the permissions are evaluated starting with user permissions, then no other permissions evaluated, then group permissions, the no permissions, and the other permissions. If you follow that rules for ACLs, then if it's granted to the user, the access will be allowed.

Re: assign multiple groups to a folder :(

iinfi1 — Thu, 20 Aug 2009 14:47:37 GMT

ohhhhhhkkk...
thank you ivan ... thanks a lot

Re: assign multiple groups to a folder :(

iinfi1 — Fri, 21 Aug 2009 01:39:13 GMT

lastly, if the backup software doesnt support ACLs, is it advisable to take a backup of the ACLs in a file and backup that also.
so that if the linux file server crashes we can restore the files from the tape and with the ACL backup, restore the permissions?

getfacl -R /shares/it >> file.txt

and while restoring
setfacl --restore=file.txt