File permissions and group and user access problem

Jeff Boyce jboyce at meridianenv.com
Fri Apr 28 20:41:59 UTC 2006


----- Original Message ----- 
From: <A.Fadyushin at it-centre.ru>
To: <jboyce at meridianenv.com>; <redhat-list at redhat.com>
Sent: Friday, April 28, 2006 10:15 AM
Subject: RE: File permissions and group and user access problem




> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Jeff Boyce
> Sent: Friday, April 28, 2006 12:01 AM
> To: redhat-list at redhat.com
> Subject: File permissions and group and user access problem
>
> Greetings -
>
>     I am not sure if this is a Linux or a Samba problem, so let me know if I
> should be posting to the Samba list.  I am not sure I fully understand how
> permissions work and making sure they are set up properly.  I have read
> through all of my Linux, Samba, and networking books and haven't been able
> to resolve my issue.
>
> My System:
>     RHES 3 fully up to date
>     Dell PE 2600 used primarily as a Samba file server to 10 Windows boxes
>
> My Objective:
>     I need to establish a directory for our accounting files that only allows
> two users to access the file.  The accounting software (QuickBooks) is set up
> on a desktop Windows box with the accounting data file stored on the Linux
> server.
>
> What I have done:
>     1.  Set up an Accounting directory on server; current permissions are
> drwxrws--T
>     2.  Created an Accounting group on the Linux server and included the two
> users in this group.
>     3.  Set up accounting users' passwords (matching their Linux passwords) on
> a common Windows box (vers. ME/2000) that is used by the two users.
>     4.  A Guest user is also set up on this Windows box for other purposes (I
> realize the potential for risk with this but don't have another option, that
> is why I am trying to achieve my objective).
>     5.  A copy of an accounting data file for testing purposes is on the
> Linux server with permissions of -rwxrw----
>     6.  The owner of the accounting data file is one of the two users in the
> accounting group.
>     7.  Both users in the accounting group can access the Accounting
> directory and accounting data file through Windows file manager and can make
> changes to the data file in QuickBooks.
>     8.  The Guest user can not access the Accounting directory or data file
> through Windows file manager, but if they run QuickBooks they can open the
> data file and it accepts changes to the file (this is what I want to
> prevent).
>
> What I need to do:
>     I need to make sure that the Guest user (if they are able to start
> QuickBooks on this box) is restricted from making changes to the accounting
> data file.  In other words, the Linux file permissions would not accept any
> changes to the data file if it recognizes the Guest user is logged onto the
> box.

It seems that QuickBooks is accessing the file using the identity of the
user in the Accounting group, not the identity of the Guest user, for file
permissions checking (because you have verified that Guest can not
access the file directly from file manager). What are the messages in the
Samba log files on the server during the access using QuickBooks? The smb
daemon can log the information on the user accessing the file (if
necessary, increase the verbosity of messages in the Samba configuration
file), therefore it could be determined who (what user) is actually
trying to access the file.

Alexey Fadyushin.
Brainbench MVP for Linux.
http://www.brainbench.com

>
>     Is this a Linux permissions issue, or a Samba share configuration
> problem?  I can post my Samba share configuration if that would assist.
> What should I change to address my problem and meet my objective?  Thanks.
>
>
> Jeff Boyce
> www.meridianenv.com
>

It appears that a reboot of the Windows box has resolved the current issue.
I am assuming that when the Users were set up in the Windows 2000 box, that
not all of the configuration changes were effective until after a reboot,
although most of the changes appeared to be implemented just when logging
out then back in as a different user.  This is what happens when you have
different versions of Windows running on different boxes throughout the
office.  Sorry for causing anyone any extraneous headscratching.

Jeff Boyce
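
An added example, not part of the original thread: a small Python check of what the two mode strings quoted above (drwxrws--T and -rwxrw----) grant to each identity. The user names, the group name and the directory owner are constructed assumptions, and only plain Unix owner/group/other checks are modelled (no ACLs, no root override, no Samba share options).

```python
import stat

MASKS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
         stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
         stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}

def parse_mode(text):
    """Turn an ls-style string such as 'drwxrws--T' into mode bits."""
    if len(text) != 10:
        raise ValueError("expected a 10-character mode string")
    bits = 0
    for i, (ch, mask) in enumerate(zip(text[1:], MASKS)):
        if ch in "rwx":
            bits |= mask
        elif ch in "st" and i in SPECIAL:   # special bit plus execute
            bits |= mask | SPECIAL[i]
        elif ch in "ST" and i in SPECIAL:   # special bit, no execute
            bits |= SPECIAL[i]
        elif ch != "-":
            raise ValueError("unexpected character %r" % ch)
    return bits

def granted(mode, owner, group, user, user_groups):
    """Return the rwx letters the kernel would grant this user.

    Only one class applies: owner first, then group, then other.
    """
    bits = parse_mode(mode)
    shift = 6 if user == owner else 3 if group in user_groups else 0
    triad = (bits >> shift) & 0o7
    return "".join(c for c, m in zip("rwx", (4, 2, 1)) if triad & m)

# Values from the post; names below are constructed for illustration.
DIR_MODE, FILE_MODE = "drwxrws--T", "-rwxrw----"
GROUP = "accounting"          # assumed group name
DIR_OWNER = "root"            # assumed; the post does not say
FILE_OWNER = "acct1"          # assumed name for the owning user

def can_modify_data_file(user, user_groups):
    """Need search (x) on the directory and write (w) on the file."""
    d = granted(DIR_MODE, DIR_OWNER, GROUP, user, user_groups)
    f = granted(FILE_MODE, FILE_OWNER, GROUP, user, user_groups)
    return "x" in d and "w" in f

if __name__ == "__main__":
    for name, groups in [("acct1", {GROUP}), ("acct2", {GROUP}),
                         ("guest", {"guest"})]:
        print(name, can_modify_data_file(name, groups))
```

Under these assumptions a session whose server-side identity is outside the accounting group is denied by the mode bits alone, so a write that succeeds was made under one of the accounting identities, which is what the Samba log check suggested in the reply would show.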



