# Trouble setting up advanced permissions...



## Searing (Jul 16, 2010)

I'm building a file server using FreeBSD, ZFS, and Samba, and I can't seem to find a clear answer regarding implementing the access control I'd like.

For sake of example, I'll use my Media filesystem (in ZFS).  I'd like to share it out, but I want to control how different users can interact with it based on the groups they're in.


I want all members of the MediaEditor group to have full read-write (but not execute) access to the filesystem.  They should be able to edit and even delete files that do not belong to them in the Media filesystem, as long as they're a member of the MediaEditor group.


I want all members of the MediaAdder group to have full read access and to be able to add and edit their own files, but not to edit or delete anyone else's files.


I want all members of the MediaReader group to have full read access, but no write or execute access, to the filesystem.


It would be nice if I could have a MediaReaderLimited group that had the same permissions as MediaReader, but had a capped download rate.  This seems to have much more to do with Samba than FreeBSD, and if I can't implement this group, that's alright.  I consider it to be on my wishlist.


If a user does not belong to any of the groups listed above, I want to forbid any access to the Media filesystem, and even hide it.  (I'm alright with root being able to access it without belonging to any of these groups, but that's it.)

I'm new to FreeBSD, and I'm not accustomed to the permission system (I do most of my work on Windows).  I figure there's probably some way to twist it around to get the results I want, but a pretty significant amount of searching hasn't gotten me an answer yet, so I figured I'd post here.

I suppose I could make the drive read-only for all members of the MediaReader group, and give write access to a specific user account, but I'd rather not.  It's pretty bare, and I'd really like a more robust solution.

Thanks!

-- Ethan

(PS: You don't have to give exact commands or anything, just something like "use this, here's the documentation" would be great.)


----------



## FrogLS (Jul 16, 2010)

For the scenario you described, isn't that more a Samba-related issue
rather than FreeBSD's file system access control? You should take a
look at the File, Directory, and Share Access Controls in the Samba
documentation first.


----------



## Searing (Jul 16, 2010)

Hmm.  I've looked through that before, but I must've missed the part where you could write @MyGroup in the .conf file and have it replaced with a list of users in MyGroup.  This seems to be exactly what I was looking for.


----------



## fronclynne (Jul 17, 2010)

You should also read up on mac(4) (mac(3), mac(9), mac.conf(5)).

Admittedly it's a bit dry, & I have no idea if some services (daemons) can utilise it (I'm thinking of Samba here (& ZFS)), but it's a pretty comprehensive beast, it is.


----------



## phoenix (Jul 17, 2010)

Searing said:

> Hmm.  I've looked through that before, but I must've missed the part where you could write @MyGroup in the .conf file and have it replaced with a list of users in MyGroup.  This seems to be exactly what I was looking for.



Almost, it's actually %group to have it use groups. Right in the smb.conf file.


----------
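A sketch of how the share-level part of the first post's requirements could be written in smb.conf, using the `@group` form Searing mentions. This is an added example, not configuration posted by anyone in the thread; the path `/tank/Media` is a hypothetical mount point, and the group names are the ones from the first post.

```ini
# Added example (not from the thread). /tank/Media is a hypothetical path.
[Media]
    path = /tank/Media

    # Only members of these Unix groups may connect to the share at all.
    # Anyone else is refused, whatever the file permissions say.
    valid users = @MediaEditor, @MediaAdder, @MediaReader

    # Default to read-only for everyone who gets in ...
    read only = yes

    # ... and grant write access only to the two groups that need it.
    # MediaReader members stay read-only because they are not listed here.
    write list = @MediaEditor, @MediaAdder

    # Keep the share out of browse lists. This hides it from every client,
    # members included; members reach it by typing the share name.
    browseable = no

    # Mask applied to the mode of newly created files and directories:
    # no execute bit on files, no access for "other".
    create mask = 0660
    directory mask = 0770
```

Samba applies these settings in addition to the filesystem permissions, so letting MediaEditor change other users' files while MediaAdder cannot still depends on the ownership and permissions set on the ZFS filesystem itself.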

