Exporting Linux shares to Linux clients with no per-share group authentication and no permission issues

Given one Linux server, and many Linux clients, I need to export some shared directories from the server. The behavior I want to obtain is really simple: a group of users can use a shared space on the server, without having to worry about the existence of UNIX file permissions. If I were in a Windows world, I would just share the directory as r/w, add the users to the permission list, and boom, it’s done.

But, in the Linux world, I don’t know how to obtain this:

  1. Each shared directory can be mounted only by a subset of users, identified by a group (users/groups/logins are all handled through centralized LDAP). So e.g. the share “/var/foobar” on the server must be accessible (read/write) only by members of LDAP group “foobar”.
  2. Users must be able to create/modify/delete directories, files, etc. on the share with full access, provided they are in the right group.
  3. Users must be unable to screw permissions of files/directories in a share in a way that other users of the share cannot access them anymore. Big stress on “unable”.

The problem with requirement #3 is that there are many Linux applications that like to screw permissions by ignoring the umask and/or forcing a chmod/chgrp after touching a file. Notable examples are Nautilus and OpenOffice.

Failed experiments:

  • NFS: tried in different ways, but if I squash I cannot authenticate, and if I authenticate and a user tries to copy a directory with Nautilus, permissions are screwed.
  • NFS + ACL setgid. Still screwable through standard desktop programs doing standard operations that somehow end up forcing a chmod or chgrp.
  • sshfs/sftp-server: there doesn’t seem to be a simple way to avoid calls to chmod/chgrp. There is a patch floating around that allows blocking chmod/chgrp, but it returns errors to the client, which complains to the user. Looks like I could patch the patch to silently ignore chmod/chgrp, but I am already using SFTP on that server for other reasons and there does not seem to be a simple way to define different behaviors for different directories.

Would Samba help somehow? Other solutions?

Answer

Samba with force group and force create mode could work.
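As an added illustration of the answer (not the answerer's own configuration), the following smb.conf fragment shows how the Samba parameters named above map onto the three requirements in the question. The share name `[foobar]`, the path `/var/foobar` and the group `foobar` are taken from the question; everything else (the global `unix extensions` setting, the mode values, `nt acl support`) is an assumption about how one would configure it, to be checked against the smb.conf(5) man page for the Samba version in use.

```ini
# Added example smb.conf fragment, not from the original answer.
# Assumes the server resolves the LDAP group "foobar" as a UNIX group (via nss).
[global]
    # Turn off the CIFS UNIX extensions so Linux cifs clients cannot push raw
    # chmod/chown calls through to the share; the server-side modes below then
    # decide the permissions, regardless of what Nautilus or OpenOffice does.
    unix extensions = no

[foobar]
    comment = Shared space for LDAP group foobar
    path = /var/foobar
    browseable = yes
    writable = yes
    # Requirement 1: only members of the group may connect ("@" = group).
    valid users = @foobar
    # Requirement 2/3: every new file and directory is owned by the group,
    # whatever the connecting user's primary group is (setgid-like, but
    # enforced by smbd rather than by a filesystem bit a client can clear).
    force group = foobar
    # Bits that are always OR-ed into the mode of new files/directories ...
    force create mode = 0660
    force directory mode = 0770
    # ... and the upper bound (AND mask) on any mode a client asks for, so
    # group rw/rwx can never be taken away and "other" never gains access.
    create mask = 0660
    directory mask = 0770
    # Refuse client attempts to rewrite permissions via NT security descriptors.
    nt acl support = no
```

With this in place, a client-side chmod or chgrp either is mapped away by smbd or is clamped by the masks, so no member of `foobar` can lock the others out of a file. On the Linux clients the share would be mounted with mount.cifs; the `noperm` mount option (assumed here, see mount.cifs(8)) additionally stops the client kernel from applying its own UNIX permission checks against modes it cannot change anyway.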

Attribution
Source: Link, Question Author: Giovanni Bajo, Answer Author: Paweł Brodacki