Thursday, 6 December 2018

linux - How to setup nfs share for users with write permissions


We used ubuntu linux on desktops with ldap authentication. Both on server and clients we have identical users and groups.


I've setup nfs server with public share, which should be available for all users with write permissions. E.g one user created file, other be able to remove this file by default.


I have the following requirements:



  1. I do not want to change default umask (0022) on clients machines.

  2. I do not want to use inotify for change permissions when files changed on server, because it slow down network access with a nfs share and works not stable.


How to reproduce:


I create initial folder with default acl's with following permissions for folder directory owned by group inoffice


$ setfacl -m default:g:inoffice:rwx directory/
$ setfacl -m g:inoffice:rwx directory/
$ getfacl directory/

# file: directory/
# owner: root
# group: root
user::rwx
group::r-x
group:inoffice:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:inoffice:rwx
default:mask::rwx
default:other::r-x

In theory: 1. This directory must be writeable for users in group inoffice. 2. All new files and dirs inherit group:inoffice:rwx permissions


Suppose we have two users(clients):


user1 with primary group __USERS__ and supplementary group inoffice 
user2 with primary group __USERS__ and supplementary group inoffice

Suppose user1 went into nfs folder directory on it's own machine and created folder named 'folder_user1'


getfacl folder_user1
# file: folder_user1
# owner: user1
# group: user1_group
user::rwx
group::r-x
group:inoffice:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:inoffice:rwx
default:mask::rwx
default:other::r-x

Then user2 can delete this folder because of default:group:inoffice:rwx permissions


But if user1 copy directory (instead of create) to directory. Resulting permissions will be:


$ getfacl folder_copied_by_user1
# file: folder_copied_by_user1
# owner: user1
# group: user1_group
user::rwx
group::r-x
group:inoffice:rwx #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:inoffice:rwx
default:mask::rwx
default:other::r-x

I know about difference in calls of method open when we copy and create files in linux. Also I know about umask, which is applied after create file operation.


I can't find a solution for share files on the network with nfs protocol in my case.


Help me to find workaround.



Answer



I found simple workaround at this article.


If we use a separate primary group for each user, we can use umask = 002. Then the group permissions will not be cut off by umask. And we can set permissions using setgid or acl.


But the proposed solution complicates management of users, namely the creation and deletion. Being LDAP administartor you need to create a primary group for all ldap users. Delete primary user's group, when when delete unnecessary user.


In addition, I would note that:


I have due to migration from zentyal on openldap uses the same core group (USERS) for all newly created users.


On the one hand, it simplifies the management of users, on the other hand did not solve the problem with a shared folder for them.


No comments:

Post a Comment

Where does Skype save my contact's avatars in Linux?

I'm using Skype on Linux. Where can I find images cached by skype of my contact's avatars? Answer I wanted to get those Skype avat...