Koozali.org: home of the SME Server

need ibay permissions flexibility

jim

need ibay permissions flexibility
« on: May 14, 2003, 01:11:24 AM »
I'm trying to create a shared file area, but need more flexibility than ibays seem to offer. I'd like to have a few users (say a group named managers) have read/write access, but limit another group (say supervisors) to read-only. Everyone else (such as a regular worker) should not have any access. Is there a simple way to achieve this with ibays? What about some other way?

Currently, ibays do most, but not all. I can get:
   admin=read/write, group=read-only, others=no access
   group=read/write, others=no access
   group=read/write, others=read-only
   everyone=read/write
What I seem to need is:
   group1=read/write, group2=read-only, others=no access

Thanks for any tips!

Craig Jensen

Re: need ibay permissions flexibility
« Reply #1 on: May 14, 2003, 03:28:08 AM »
Have you looked at MYDMS, a contrib by Darrell May avail at contribs.org.

http://mirror.contribs.org/smeserver/contribs/dmay/mitel/contrib/mydms/

This package may provide the flexibility you need.

Regards,

Craig D. Jensen

Craig Jensen

Re: need ibay permissions flexibility
« Reply #2 on: May 14, 2003, 03:29:28 AM »

Ray Mitchell

Re: need ibay permissions flexibility
« Reply #3 on: May 14, 2003, 05:59:04 AM »
Dear Jim

> I'm trying to create a shared file area, but need more
> flexibility than ibays seem to offer.

sme has more flexibility than you realise !

>  I'd like to have a few
> users (say a group named managers) have read/write access,
> but limit another group (say supervisors) to read-only.
> Everyone else (such as a regular worker) should not have any
> access.

You are looking at it the wrong way, don't try to make the ibay do something it was not designed for.
The way you achieve this sort of control is by use of groups (and it can be very powerful if applied carefully with some thought about overall system access rights).

create
group1 - all regular workers + supervisors + manager
group2 - supervisors + manager
group3 - manager only (in effect an Admin group)
group4 - regular worker1, regular worker2, + supervisors + manager

create ibay1 - owned by group2, Write=Admin, Read=group (which means group2 the owner)
Only the manager will be able to write and only users in group2 will be able to read. Regular workers are not in group2 so they have no access at all.

By making selected regular workers members of other groups they can have access to some ibays but not to others etc etc. eg group4 only has access to an ibay owned by group4.

Note that supervisors & managers will have access to any of the ibays (owned by any group) because they are always included as members of each group you create.

You can also allow Write access only to supervisors and managers but read access to all other users by setting an ibay owned by group2, to Write=group, Read=everyone.


It can be very powerful by using the settings in combination with each other, but think about your users hierarchy first.
You should always set up users to be members of groups, and whenever you create an ibay that you wish to control access to, create another group limited to those users you wish to allow to access the ibay (with the appropriate Write, Read settings).

Hope this helps
Regards
Ray Mitchell

Laurent

Re: need ibay permissions flexibility
« Reply #4 on: May 14, 2003, 12:55:24 PM »
ACL support on samba......

Pourquoi pas ( why not ) ??

Filippo Carletti

Re: need ibay permissions flexibility
« Reply #5 on: May 14, 2003, 02:34:56 PM »
Ray Mitchell wrote:

> create ibay1 - owned by group2, Write=Admin, Read=group
> (which means group2 the owner)

No, if you set User access to Write = admin, the owner of ibay is admin and permissions are 2750.
See /etc/e-smith/events/actions/ibay-modify line 139.

Kelvin

Re: need ibay permissions flexibility
« Reply #6 on: May 14, 2003, 05:56:23 PM »
And a note of caution : --

I believe there is a limit to the number of groups you can create. If your permission / security setup is sufficiently complex, you will soon run out of groups to sub-divide into !

W2K File / Folder / User / Group permissions flexibility wins hands down when compared against what's available out of the box from SME. As mentioned in previous postings, SME hides away too much of the power / flexibility of the underlying OS.

Kelvin

Ray Mitchell

Re: need ibay permissions flexibility
« Reply #7 on: May 14, 2003, 09:06:42 PM »
Filippo & others
Whoops a slight mistake here.
I meant to also say that the manager could also access using the admin user name, and the example should have said:

create ibay1 - owned by group2, Write=Admin, Read=group (which means group2 the owner)
Only the manager will be able to write (via the admin user) and only users in group2 will be able to read. Regular workers are not in group2 so they have no access at all.

Please see my next post for an elaboration on using various combinations.

Regards
Ray

Ray Mitchell

Re: need ibay permissions flexibility
« Reply #8 on: May 14, 2003, 09:12:05 PM »
Dear All
(att Filippo)

To explain the concept a little further here are some various examples, these are not the only possibilities though.

group1 = u1 + u2 + u3 + u4 (users)
group2 = u2 + u3 + u4      (power users)
group3 = u3 + u4           (supervisors)
group4 = u4 (manager)      (administrator)
group5 = u1 + u3 + u4      (users except u2)
group6 = u1 + u2 + u4      (users except u3)
group7 = u1 + u3           (user1 + user3 special group)
group8 = u2 + u3           (user2 + user3 special group)

note u4 (manager) also has access as admin user

Here are some examples of different ibay setups:

The second & third examples show how to allow some users write access, but limit other users to read or no access.
The last 4 examples show how you can selectively exclude certain users from access to an ibay, which is the same as saying how to allow one group to access an ibay and another group not to access an ibay


ibay1 = owner = group4 (u4) Write=group (group4), Read=everyone (u1, u2, u3, u4)
therefore only group4 member u4 can write but everyone can read
 
ibay2 = owner = group3 (u3 + u4) write=group (group3), read=everyone (u1, u2, u3, u4)
therefore only group3 members u3 + u4 can write but everyone can read

ibay3 = owner = group2 (u2 + u3 + u4) write=group (group2), read=group (group2)
therefore only group2 members u2 or u3 or u4 can write or read,  u1 gets no access at all

ibay4 = owner = group1 (u1 + u2 + u3 + u4) Write=group (group1), Read=group (group1)
therefore only group1 members u1 or u2 or u3 or u4 can write or read which in this case means everyone

ibay5 = owner = group1 (u1 + u2 + u3 + u4) Write=admin, Read=group (group1) u1, u2, u3, u4
therefore only admin user can write, but u1, u2, u3, u4 can read which in this case means everyone
       
ibay6 = owner = group5 (u1 + u3 + u4) write=group (u1 + u3 + u4, not u2), read=group (u1 + u2 + u3, not u2)
therefore only group5 members u1 or u3 or u4 can write & read, u2 gets no access at all

ibay7 = owner = group6 (u1 + u2 + u4) write=group (u1 + u2 + u4, not u3), read=group (u1 + u2 + u4, not u3)
therefore only group6 members u1 + u2 + u4 can write & read, u3 gets no access at all

ibay8 = owner = group7 (u1 + u3) write=group (group7), read=group (group7)
therefore only group7 members u1 or u3 can write or read,  u2, u4 get no access at all

ibay9 = owner = group8 (u2 + u3) write=group (group8), read=group (group8)
therefore only group8 members u2 or u3 can write or read,  u1, u4 get no access at all

and so on......

Here is a summary of two of the users access rights (which are different)

user2 has write access to ibays 3, 4, 7, 9
User2 has read access to ibays 1, 2, 3, 4, 5, 7, 8, 9
User2 has no access at all to ibay 6, 8

User3 has write access to ibays 2, 3, 4, 6, 8, 9
User3 has read access to ibays 1, 2, 3, 4, 5, 6, 8, 9
User3 has no access at all to ibay 7

no user except admin has write access to ibay 5

You can work out the rest yourselves.

So you can see by combining user groupings, ibay ownership and ibay permissions (in differing combinations), you can control (allow, disallow or limit) user write & read access quite effectively to all, some or even no ibays.

You need to give some thought to the structure you require before you add any users, groups or ibays.

Hope I didn't make a mistake with all those numbers !!
Regards
Ray Mitchell
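To check the numbers in Ray's Reply #8 without staring at permutations, here is a small model of the owner/group/other rule behind an ibay directory, written as an added example (it is not SME Server code). It takes Ray's groups and the nine ibay definitions as input, computes each user's effective access, and then extends the same evaluator with one named ACL group entry to show the "separate read and write groups" that Jim asked for and that plain mode bits cannot express. Only the 2750 mode for Write=admin/Read=group comes from the thread (Filippo's post); the modes for the other three web-admin choices, the group names managers/supervisors/workers, and the availability of POSIX ACLs on the filesystem are assumptions of this example.

```python
"""Model of the user/group/other permission scheme behind SME ibays.

Added example, not SME Server code: evaluates who can read or write an
ibay from (owner group, Write setting, Read setting) as the posts above
describe, then adds a named ACL group entry to get the separate
read-only group that plain mode bits cannot provide.
"""
from dataclasses import dataclass, field

# Users and groups exactly as in Ray's Reply #8.
GROUPS = {
    "group1": {"u1", "u2", "u3", "u4"},
    "group2": {"u2", "u3", "u4"},
    "group3": {"u3", "u4"},
    "group4": {"u4"},
    "group5": {"u1", "u3", "u4"},
    "group6": {"u1", "u2", "u4"},
    "group7": {"u1", "u3"},
    "group8": {"u2", "u3"},
}

# Octal mode per web-admin "User access" choice. 2750 for Write=admin /
# Read=group is from Filippo's post; the other three are the obvious
# encodings and are an assumption of this example.
MODES = {
    ("admin", "group"): 0o2750,
    ("group", "group"): 0o2770,
    ("group", "everyone"): 0o2775,
    ("everyone", "everyone"): 0o2777,
}

LEVEL = {"none": 0, "read": 1, "write": 2}


@dataclass
class Share:
    name: str
    owner_group: str
    write: str = "group"       # "admin", "group" or "everyone"
    read: str = "group"        # "group" or "everyone"
    owner_user: str = "admin"  # the ibay directory itself belongs to admin
    # Named ACL entries (group -> "rw" or "r"); empty for a plain ibay.
    acl: dict = field(default_factory=dict)

    @property
    def mode(self) -> int:
        return MODES[(self.write, self.read)]


def _bits(triplet: int) -> str:
    """Map one rwx triplet to 'write', 'read' or 'none'."""
    if triplet & 0o2:
        return "write"
    if triplet & 0o4:
        return "read"
    return "none"


def access(user: str, share: Share, groups=GROUPS) -> str:
    """Effective access: owner, then owning group and any named ACL
    group the user belongs to (best match wins; ACL mask is ignored
    for simplicity), otherwise the 'other' bits."""
    mode = share.mode
    if user == share.owner_user:
        return _bits((mode >> 6) & 0o7)
    candidates = []
    if user in groups.get(share.owner_group, ()):
        candidates.append(_bits((mode >> 3) & 0o7))
    for grp, perm in share.acl.items():
        if user in groups.get(grp, ()):
            candidates.append("write" if "w" in perm else "read")
    if candidates:
        return max(candidates, key=LEVEL.__getitem__)
    return _bits(mode & 0o7)


# Ray's nine ibays, in the order of his post.
IBAYS = [
    Share("ibay1", "group4", "group", "everyone"),
    Share("ibay2", "group3", "group", "everyone"),
    Share("ibay3", "group2", "group", "group"),
    Share("ibay4", "group1", "group", "group"),
    Share("ibay5", "group1", "admin", "group"),
    Share("ibay6", "group5"),
    Share("ibay7", "group6"),
    Share("ibay8", "group7"),
    Share("ibay9", "group8"),
]


def ibays_with(user: str, level: str, shares=IBAYS) -> list:
    """Names of the shares where `user` has exactly `level` access."""
    return [s.name for s in shares if access(user, s) == level]


# Jim's original request: managers read/write, supervisors read-only,
# everyone else nothing. Assumption: POSIX ACLs are available; on Linux
# the extra entry would be set with: setfacl -m g:supervisors:r-x <dir>
ACL_GROUPS = {"managers": {"mgr"}, "supervisors": {"sup"}, "workers": {"wrk"}}
SHARED = Share("shared", "managers", "group", "group", acl={"supervisors": "r"})

if __name__ == "__main__":
    for u in ("u1", "u2", "u3", "u4", "admin"):
        print(u, {lvl: ibays_with(u, lvl) for lvl in ("write", "read", "none")})
    for u in ("mgr", "sup", "wrk"):
        print(u, access(u, SHARED, ACL_GROUPS))
```

Running it reproduces Ray's write lists for user2 and user3 and shows that user2 has no access to ibay 8 (group7 is u1 + u3), which is the one slip in his summary. The last three lines show why an ACL entry is the only way to get a third, read-only group on a directory whose mode already uses the group bits for the writers.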

Charlie Brady

Re: need ibay permissions flexibility
« Reply #9 on: May 14, 2003, 10:51:52 PM »
Kelvin wrote:

> W2K File / Folder / User / Group permissions flexibility wins
> hands down when compared against what's available out of the
> box from SME. As mentioned in previous postings, SME hides
> away too much of the power / flexibility of the underlying OS.

Both the limit to the number of the groups and the lack of separate read and write groups are limitations of the underlying OS. There's nothing being hidden.

If there's anything about SME server software that you don't like, you can always change it. Contributions of code, documentation and debugging are always welcome.

Charlie

jim

Re: need ibay permissions flexibility
« Reply #10 on: May 14, 2003, 11:12:18 PM »
First off, thanks to all for the great suggestions. I haven't seen the solution to my situation, but have some good leads.

I'll summarize my understanding of these:
 
1) MYDMS, a contrib by Darrell May avail at contribs.org.
http://mirror.contribs.org/smeserver/contribs/dmay/mitel/contrib/mydms/
and webshare
http://mirror.contribs.org/smeserver/contribs/dmay/mitel/contrib/webshare/

[will have a look. Thanks Craig.]
 
2) Ray, thanks for your input. I think I understand what you're trying to say with the groupings, but I don't see how you're able to assign write/read privileges to a group and read only to another group with the current ibay setup. (BTW, I'm running SME 5.5, but I've looked at the 5.6 documentation and didn't see any change).

In a couple of examples you gave:

"create ibay1 - owned by group2, Write=Admin, Read=group (which means group2 the owner)
Only the manager will be able to write and only users in group2 will be able to read. Regular workers are not in group2 so they have no access at all."

"note u4 (manager) also has access as admin user"

These require that managers have admin access. Is there a way to set a user up as admin (and use their own login) or do they have to log in as admin? I'm only trying to give the managers access to the ibay (or a shared folder), not the whole system.


3) ACL support on samba......Pourquoi pas ( why not ) ??
[Interesting idea, but I am not familiar with ACL. I'd prefer not to add an additional layer of complexity if some simpler way exists. I'll look further along this path if all else fails. Thanks Laurent.]

jim

Re: need ibay permissions flexibility
« Reply #11 on: May 15, 2003, 12:17:30 AM »
Charlie wrote:
>Kelvin wrote:
>> W2K File / Folder / User / Group permissions flexibility wins
>> hands down when compared against what's available out of the
>> box from SME. As mentioned in previous postings, SME hides
>> away too much of the power / flexibility of the underlying OS.
>
>Both the limit to the number of the groups and the lack of separate read and write groups
>are limitations of the underlying OS. There's nothing being hidden.
>
>If there's anything about SME server software that you don't like, you can always change
>it. Contributions of code, documentation and debugging are always welcome.
>
>Charlie

I'd say that SME hides a lot of the underlying power and flexibility of the OS, but that one can easily tap into if the user has the desire and know-how. I think that this is the beauty of this implementation, and I think it does a commendable job. SME is a great example of the KISS (keep it simple stupid) principle, and works a vast majority of the time.

In this particular situation, the ibays via web-admin have limited the ownership of an ibay to admin and group, and not individual user. I do not understand the reasoning behind this limitation, but the OS does support ownership by a user and read access by a group. The web-admin is not set up to do this.

Filippo Carletti said "No, if you set User access to Write = admin, the owner of ibay is admin and permissions are 2750. See /etc/e-smith/events/actions/ibay-modify line 139."

The file /etc/e-smith/events/actions/ibay-modify or the routines that modify/access this file may be the place to make the changes. Unfortunately, I have neither the time, the know-how, or the desperate need to tackle this. But if someone does, this may help.

As far as limits to the number of groups, this is an interesting and complex problem. Here are a couple of leads if you're interested:

http://groups.google.com/groups?q=maximum+number+groups+linux&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=linux.kernel.200008071338.IAA254073%40tomcat.admin.navo.hpc.mil&rnum=10

http://groups.google.com/groups?q=maximum+number+groups+linux&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=w3u2ob9l1c.fsf%40feynman.mb.uni-dortmund.de&rnum=2
 
(in case the links are no longer good, I just went to groups.google.com and searched for "maximum number groups linux" and got a bunch of hits)

The lack of separate read and write groups does seem to be a limitation of the underlying OS. I'm sure this issue has come up before and hope a simple (and free) solution is available.

Thanks to everyone for your thoughtful and helpful contributions. FYI, I think I can live with the broader access provided by owner=group(managers) read=everyone (until a better simple solution presents itself or more security is needed).

Ray Mitchell

Re: need ibay permissions flexibility
« Reply #12 on: May 15, 2003, 09:02:55 AM »
Jim & Filippo
I stared at the permutations a bit more, looks like the closest you can get is
a specific group of users can have write & read access and all other users no access
OR
a specific group can have write access with everyone having read access
OR
an admin user can have write access & a specific group of users can have read access & all other users no access

Filippo's answer may be the way to go
http://www.mail-archive.com/devinfo%40lists.e-smith.org/msg11807.html

Regards
Ray

Rob Wellesley

Re: need ibay permissions flexibility
« Reply #13 on: May 15, 2003, 10:22:47 AM »
AFAIK you can still set up a samba share (custom template of course) and set the permissions to what ever you want. Obviously one needs some basic Linux knowledge, but I would hope that anyone using SME in a production environment does.

EG

mkdir /foo
chown user:group /foo
chmod 750 /foo

choose a different user to admin

samba script addition

[foo]
comment = foo directory
path = /foo
writable = yes

pretty basic but should work

rob

Filippo Carletti

Re: need ibay permissions flexibility
« Reply #14 on: May 15, 2003, 02:01:14 PM »
> The lack of separate read and write groups does seem to be a
> limitations of the underlying OS. I'm sure this issue has
> come up before and hope a simple (and free) solution is
> available.

Yes, without ACL Linux has only user-group-other permissions.
But with careful exploit of samba and proftpd options you can obtain what you're asking for on SME.
Beware that you shouldn't enable direct shell access.

See:
http://www.mail-archive.com/devinfo@lists.e-smith.org/msg11807.html

Ciao,
Filippo