# home-dir for everyone



## bsus (Nov 13, 2011)

Hi,

To share files between users I have an extra home-dir called temp (/usr/home/temp). The owner is nobody:nobody and I have easy access over Samba. New files are also editable, readable, deletable by everyone.

Just over unix I got an issue.

When I create a new file in the temp-dir, it's not editable for everyone. Where can I change the permissions which new files get for this dir? Where's the user_profile and what do I have to add?

Regards


----------



## peetaur (Nov 13, 2011)

What is your samba config for the share?


----------



## bsus (Nov 14, 2011)

Samba is not the problem. Samba uses the right owner and the right rights.

When I create files with another account over NFS, then the file is owned by me and has the wrong permissions (see unknown_dir and new). The other files are created over Samba and act fine.


```
drwxr-xr-x  2 <user>    nobody         2 Nov 14 07:12 unknown_dir
-rw-r--r--  1 bodo    nobody         0 Nov 14 07:14 new
-rwxrw-rw-  1 nobody  nobody   2673245 Nov 13 20:52 scan.pdf
-rwxrw-rw-  1 nobody  nobody  20701215 Nov 13 20:58 scan0002.pdf
-rwxrw-rw-  1 nobody  nobody   1596997 Nov 13 21:01 scan0003.pdf
-rwxrw-rw-  1 nobody  nobody    451530 Nov 13 21:06 scan0004.pdf
-rwxrw-rw-  1 nobody  nobody    451929 Nov 13 21:08 scan0005.pdf
-rwxrw-rw-  1 nobody  nobody   8585617 Nov 13 21:12 scan0006.pdf
```

I am now searching for an option like Samba's create mode, just for NFS. So when other users create something in the public dir it automatically gets the 'open' rights.


----------



## SirDice (Nov 14, 2011)

Make the directory SetUID or SetGUID.


----------



## bsus (Nov 14, 2011)

I think I wrote it badly.
I want to copy a file from /home/<user> into /home/temp.
In /home/temp the copied user file should have permissions to be editable for everyone, not the original permission of the <user>.

Regards

setuid

```
chmod 4777 nobody:nobody /usr/home/temp
freebsd temp # ls -l
total 43763
-rw-r--r--  1 <user>  <user>        7100 Nov 14 08:42 BWA 2010.pdf
-rw-r--r--  1 <user>  <user>        7160 Nov 14 08:45 BWA 2011.pdf
-rwxrw-rw-  1 nobody  nobody   1141111 Oct 22 11:58 Dezember 2011.docx
-rwxrw-rw-  1 nobody  nobody     27854 Oct 22 12:30 November 2011.docx
-rwxrw-rw-  1 nobody  nobody   2673245 Nov 13 20:52 scan.pdf
-rwxrw-rw-  1 nobody  nobody  20701215 Nov 13 20:58 scan0002.pdf
-rwxrw-rw-  1 nobody  nobody   1596997 Nov 13 21:01 scan0003.pdf
-rwxrw-rw-  1 nobody  nobody    451530 Nov 13 21:06 scan0004.pdf
-rwxrw-rw-  1 nobody  nobody    451929 Nov 13 21:08 scan0005.pdf
-rwxrw-rw-  1 nobody  nobody   8585617 Nov 13 21:12 scan0006.pdf
-rwxrw-rw-  1 nobody  nobody   8585672 Nov 13 21:15 scan0007.pdf
```

sticky

```
freebsd temp # chmod 1777 /usr/home/temp
freebsd temp # ls -l
total 43762
-rwxrw-rw-  1 nobody  nobody   1141111 Oct 22 11:58 Dezember 2011.docx
-rwxrw-rw-  1 nobody  nobody     27854 Oct 22 12:30 November 2011.docx
-rwxrw-rw-  1 nobody  nobody   2673245 Nov 13 20:52 scan.pdf
-rwxrw-rw-  1 nobody  nobody  20701215 Nov 13 20:58 scan0002.pdf
-rwxrw-rw-  1 nobody  nobody   1596997 Nov 13 21:01 scan0003.pdf
-rwxrw-rw-  1 nobody  nobody    451530 Nov 13 21:06 scan0004.pdf
-rwxrw-rw-  1 nobody  nobody    451929 Nov 13 21:08 scan0005.pdf
-rwxrw-rw-  1 nobody  nobody   8585617 Nov 13 21:12 scan0006.pdf
-rwxrw-rw-  1 nobody  nobody   8585672 Nov 13 21:15 scan0007.pdf
freebsd temp # ls -l
total 43763
-rw-r--r--  1 <user>  <user>      7100 Nov 14 08:42 BWA 2010.pdf
-rw-r--r--  1 <user>  <user>        7160 Nov 14 08:45 BWA 2011.pdf
-rwxrw-rw-  1 nobody  nobody   1141111 Oct 22 11:58 Dezember 2011.docx
-rwxrw-rw-  1 nobody  nobody     27854 Oct 22 12:30 November 2011.docx
-rwxrw-rw-  1 nobody  nobody   2673245 Nov 13 20:52 scan.pdf
-rwxrw-rw-  1 nobody  nobody  20701215 Nov 13 20:58 scan0002.pdf
-rwxrw-rw-  1 nobody  nobody   1596997 Nov 13 21:01 scan0003.pdf
-rwxrw-rw-  1 nobody  nobody    451530 Nov 13 21:06 scan0004.pdf
-rwxrw-rw-  1 nobody  nobody    451929 Nov 13 21:08 scan0005.pdf
-rwxrw-rw-  1 nobody  nobody   8585617 Nov 13 21:12 scan0006.pdf
-rwxrw-rw-  1 nobody  nobody   8585672 Nov 13 21:15 scan0007.pdf
```

setgid

```
freebsd temp # chmod 2777 /usr/home/temp
freebsd temp # ls -l
total 43762
-rwxrw-rw-  1 nobody  nobody   1141111 Oct 22 11:58 Dezember 2011.docx
-rwxrw-rw-  1 nobody  nobody     27854 Oct 22 12:30 November 2011.docx
-rwxrw-rw-  1 nobody  nobody   2673245 Nov 13 20:52 scan.pdf
-rwxrw-rw-  1 nobody  nobody  20701215 Nov 13 20:58 scan0002.pdf
-rwxrw-rw-  1 nobody  nobody   1596997 Nov 13 21:01 scan0003.pdf
-rwxrw-rw-  1 nobody  nobody    451530 Nov 13 21:06 scan0004.pdf
-rwxrw-rw-  1 nobody  nobody    451929 Nov 13 21:08 scan0005.pdf
-rwxrw-rw-  1 nobody  nobody   8585617 Nov 13 21:12 scan0006.pdf
-rwxrw-rw-  1 nobody  nobody   8585672 Nov 13 21:15 scan0007.pdf
freebsd temp # ls -l
total 43763
-rw-r--r--  1 <user>  <user>      7100 Nov 14 08:42 BWA 2010.pdf
-rw-r--r--  1 <user>  <user>      7160 Nov 14 08:45 BWA 2011.pdf
-rwxrw-rw-  1 nobody  nobody   1141111 Oct 22 11:58 Dezember 2011.docx
-rwxrw-rw-  1 nobody  nobody     27854 Oct 22 12:30 November 2011.docx
-rwxrw-rw-  1 nobody  nobody   2673245 Nov 13 20:52 scan.pdf
-rwxrw-rw-  1 nobody  nobody  20701215 Nov 13 20:58 scan0002.pdf
-rwxrw-rw-  1 nobody  nobody   1596997 Nov 13 21:01 scan0003.pdf
-rwxrw-rw-  1 nobody  nobody    451530 Nov 13 21:06 scan0004.pdf
-rwxrw-rw-  1 nobody  nobody    451929 Nov 13 21:08 scan0005.pdf
-rwxrw-rw-  1 nobody  nobody   8585617 Nov 13 21:12 scan0006.pdf
-rwxrw-rw-  1 nobody  nobody   8585672 Nov 13 21:15 scan0007.pdf
```


----------



## SirDice (Nov 14, 2011)

Setting the SUID or GUID only works for _new_ files, not existing ones.


----------



## bsus (Nov 14, 2011)

As you can see from the timestamps, the files are always cut out after changing something in the permissions.

So they were always written _new_, or did you mean something else?


----------



## fluca1978 (Nov 15, 2011)

Permissions with setguid or setuid work only for new entries in the directory, where _new_ means a new entry in the directory, not a changed or modified file.


----------



## SirDice (Nov 15, 2011)

fluca1978 said:

> Permissions with setguid or setuid work only for new entries in the directory, where _new_ means a new entry in the directory, not a changed or modified file.



Exactly. Also keep in mind that _moving_ a file on the same filesystem will never change its permissions.


----------



## bsus (Nov 15, 2011)

Ok, so I have to add `chmod -R 777 /usr/home/temp` to /etc/crontab to have it the way I want?

There is no "smarter" solution?

Regards


----------



## phoenix (Nov 15, 2011)

Change the UMASK setting for all users such that files they create are marked 777.

Then change the permissions on their home directories to 770 (so that "other" users can't access them).


----------



## peetaur (Nov 16, 2011)

I am fairly sure you can do it with smb.conf. I created such a thing in the past, on a SuSE Linux machine, without using setgid/setuid. I say "fairly sure" because I didn't test it thoroughly... just used it and had no complaints, and it was over 10 years ago.

Unlike using setuid, the new directories created also have the same effect. With setuid, those directories would also need to be setgid/setuid manually after they are created. I don't remember what options to use though... I scanned through the list (in man smb.conf) and here are my suggestions of what to try:

Most likely some of these:


```
create mask = 777
security mask = 777
directory mask = 777
directory security mask = 777
# yes means inherit from the directory rather than the user
inherit owner = yes
force user = nobody
force group = nobody
```

maybe also:


```
force create mode = 0777
force directory mode = 4777
force directory security mode = 4777
force security mode = 777
```

or maybe something slightly extreme/insane like:

```
dos filemode = yes
# default is NTFS
fstype = FAT
```


And currently, I have no dire need for something magically perfect like what I had before. The most similar thing I have now (originally on Linux samba sharing ext3, now Linux samba sharing the FreeBSD NFS zfs share) was set up like this:

```
[sharename]
        path = /path/to/dir
        writeable = yes
        browseable = Yes
        create mask = 0664
        directory mask = 0775
        # Hide the .zfs directory so people can't view snapshots, which hangs ZFS on the NFS server (severe bug for which I haven't submitted a PR yet)
        # Also, I bind-mounted /var/empty on top of the .zfs directory to hide it from local users
        veto files = /.zfs/
```
and run once:
`# chgrp -R bc /share/root/dir`

The effect is that people can rename, move, and delete files that others created. I suppose it works because "bc" is the primary group for all users, not just simply added to supplementary groups for all.

My simple thing I have now would fail if someone purposely changed permissions or ownership on a file, but nobody seems to do that.


----------



## bsus (Nov 16, 2011)

Good idea!

I will look for a better solution, even if there is no big chance there will be one.

Wouldn't your solution permit another user to `rm /home/<user>/file`?
Or is this really safe?

Regards


----------



## phoenix (Nov 16, 2011)

No, because the "other" set of permissions would be set to *000* (aka rwxr-x---) on /home/<user>/, which means they would not have access to anything under /home/<user>/.  Doesn't matter if they can read/write the files under that directory ... if they can't get into the directory.


----------
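
The behaviour discussed in this thread, as an added example that is not part of any post: a POSIX shell sketch showing that the mode of a file arriving in a setgid, world-writable directory is decided by how it arrives (create, `mv`, `cp`) and by the umask, not by the directory's mode bits. The layout is constructed under a throwaway temporary directory, and the names `home`, `shared` and `report` are placeholders.

```shell
#!/bin/sh
# Added example: which mechanism decides the mode of a file that lands in a
# shared directory. All paths are constructed under a temporary directory.

# Print the 10-character mode string of a path (works with GNU and BSD ls).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Run one scenario and print the mode of the file that ends up in shared/.
#   $1 = how the file arrives: create | move | copy
#   $2 = umask in effect at that moment
scenario() {
    base=$(mktemp -d) || return 1
    mkdir "$base/home" "$base/shared"
    # setgid + world-writable, as tried in the thread; fall back to plain 777
    # if this user is not allowed to set the setgid bit.
    chmod 2777 "$base/shared" 2>/dev/null || chmod 777 "$base/shared"
    (
        umask 022                        # common default: the user's file is 0644
        : > "$base/home/report"
    )
    (
        umask "$2"
        case $1 in
            create) : > "$base/shared/report" ;;               # 0666 & ~umask
            move)   mv "$base/home/report" "$base/shared/" ;;  # rename keeps the mode
            copy)   cp "$base/home/report" "$base/shared/" ;;  # source mode & ~umask
        esac
    )
    mode_of "$base/shared/report"
    rm -rf "$base"
}

# Print the full matrix: arrival method x umask.
for s in create move copy; do
    for u in 022 000; do
        printf '%-6s umask %s -> %s\n' "$s" "$u" "$(scenario "$s" "$u")"
    done
done
```

Only a freshly created file under umask 000 comes out as `-rw-rw-rw-`; a moved file, or a copy of an existing 0644 file, stays `-rw-r--r--` regardless of the directory's setuid, setgid or sticky bits.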

