Can not set force group and create mask

[piwwo]

Hello

I need my shares be readable by an user, that runs the backup process but not by the whole staff.
Therefore I created an user backup with its group backup. Now I want backup group have read access to the shares so that it reads

-rw-r----- <username> backup filename.txt

backup is the only user in backup group, everyone else is in staff

I set the auxiliary parameters of a share to

Code: Select all

create mask 0640
force group = backup

but when creating a file in windows explorer on the share that has these parameters, it's still created as <username>:staff with the filepermissions of -rwxr-----
How do I tell smb to *always* write the file as <username>:backup?

[raulfg3]

please read this, perhaps helps you:

https://sites.google.com/site/aganimkar ... enas-share

https://sites.google.com/site/aganimkar ... /for-jay-g

[piwwo]

Hi

I looked at it and its as I did it too.

For share per user need uncheck permissions inherit and add auxiliary parameters as create mask = 0644 and directory mask = 0755

Did that unchecking inherit permissions and adding parameters, but its still ignoring the share

aux parameters of service

Code: Select all

create mask = 0664
directory mask = 0755
force group = backup

aux parameters of share

Code: Select all

create mask 0664
directory mask 0775
force group = backup

-rw-rw-r-- 1 user staff 1.6k Nov 5 17:43 user.crt

i need it as group backup

From /etc/group
backup:*:1001:backup

[piwwo]

It seems the problem is, that the smb process runs as the user who's logged in, so its possible to read the user's directory even when it's not readable by world or group.
Anyhow if the user is not in a group, he can not "gift" a file to that group ("chgroup groupiamnotmemberof filename" gives permission denied). Is that correct?
If so then it explains why force group is ignored. But how is it possible to have a backup of the user directions then? Do I have to run the backup as root or can I use a restricted user (no shell only rsync access) for that task?

[alexey123]

smb process runs as the user who's logged in

you right. This is user-level smb.

Anyhow if the user is not in a group, he can not "gift" a file to that group ("chgroup groupiamnotmemberof filename" gives permission denied). Is that correct?

If you use NAS share as share for network users tjis is correct way. I use for backup user's PCs another folder, not shared over smb or any another way. Only rsinc and root have access for it.

Can you create schematic diagram for a complete understanding your building?

[piwwo]

In my setup it goes this way

[user pc drive x:]--><smb share>--->[/mnt/stor/home/user]---><rsync over ssh cron weekly>---->{internet}--->[external storage]

the firewall opens smb to lan side and allows ssh from nas to external storage via internet. The user that runs rsync needs read access to user shares but no user shall be able to read the shares of other users. I saw no other way than to have a backup group read access to all shares while no smb user is in that backup group.

[piwwo]

ping?