Author Topic: Applying recursive file/folder permissions  (Read 6527 times)

Russel

Applying recursive file/folder permissions
« on: July 05, 2013, 08:20:08 pm »
Hello all. I am using Zentyal as a file server and have a number of directories set up. I already had the folder structure and files in place. I later went in and added one folder as a network share through the Zentyal interface. The permissions were applied great to that folder. I need to have those same permissions applied to all the files/folders recursively inside that parent folder. I looked at both /etc/passwd and /etc/group and I don't see the users and groups on my files. Anyone know how I can recursively apply users/groups as the parent folder?

Lonniebiz

Re: Applying recursive file/folder permissions
« Reply #1 on: July 06, 2013, 05:10:15 am »
That's a good question. I don't see anywhere in the web interface to propagate permissions recursively for the shares.

Maybe someone else knows the best practice, but I wonder if you were to create a new empty share folder (with those exact same permissions) and then move all the files into that folder, would the files then inherit the permissions of the newly created folder?

christian

Re: Applying recursive file/folder permissions
« Reply #2 on: July 06, 2013, 08:26:28 am »
Quote from: Russel
I need to have those same permissions applied to all the files/folders recursively inside that parent folder. I looked at both /etc/passwd and /etc/group and I don't see the users and groups on my files. Anyone know how I can recursively apply users/groups as the parent folder?

In case this is not already clear to you, Zentyal accounts and groups are stored within an LDAP repository, just like AD does.
Could you explain how you intend to apply ACLs and why the lack of such an entry in /etc/passwd or /etc/group is an issue?

Lonniebiz

Re: Applying recursive file/folder permissions
« Reply #3 on: July 06, 2013, 11:43:10 am »
I'm trying to get a better understanding of how to think about Users and Groups in Zentyal. I must admit that my partial understanding leaves me confused.

On one hand, you have the fact that Zentyal is based on Linux, where (without Zentyal) Linux has its own way of handling Users, Groups and Permissions.

With Zentyal, in order to be able to provide a joinable domain for Windows servers and workstations, it provides LDAP Users and Groups, which seem to be a different level of controlling permissions for files and folders. But at a lower level, there still exist the Linux users, groups and permissions (underneath), but when is it important to be aware of this fact?

When you first install Zentyal, it requires you to create a user during installation. After the install, you can use that user to log in to the web interface for administering Zentyal. This user seems to only be a Linux user account. As a matter of fact, if you go look for this user in Zentyal's Web Interface, under Users and Groups > Users, you will not see an LDAP User for the user you created during installation. Yet, if you try to create an LDAP user with the same name (as the user you created during installation) you will get a Zentyal error saying that /home/user already exists. So, the Linux user already exists and that username cannot be an LDAP username too. Therefore, the user you create during installation is a Linux user that cannot be an LDAP user.

It is pretty clear to me that while I'm logged into a Windows server or workstation (belonging to a Zentyal domain), I'm an LDAP user. But, by default every LDAP user gets a 500mb quota H-drive mounted to his Windows machine upon logging in. And, if you look on Zentyal's Linux file system, you will see that there is a /home/user folder for each LDAP user that has been created, and this is the source of that mounted H-drive.

So, on one hand, the user created during installation cannot be an LDAP user, but on the other hand it seems that each LDAP user is also a Linux user, judging from the fact that each LDAP user has had a folder created in the /home/user location (the same location where a Linux user would have a user folder). However, on the other hand, these users are probably NOT actual Linux users too, due to this:
Code:
sudo nano /etc/passwd
LDAP users are not listed in /etc/passwd, like Christian has explained. So I guess this means, at the Linux level, these are not Linux users, even though their user folders are kept (by LDAP I assume) in the same location where a Linux user's user folder would be placed. Is this placement a good thing, or something to cause confusion? I guess if LDAP users can be escalated to Linux users, it makes sense for all their files to already be in the correct place before that escalation. I'd be curious to know the developer's actual reasoning.

Additionally, consider shares in Zentyal under File Sharing > shares. Here you can control permissions by adding "Access Controls". Are these "Access Controls" LDAP-level file permissions, Linux-level file permissions, or both?

And lastly, let's return to Russel's issue. He wants to change permissions recursively on all the files and folders in his Zentyal share folder. The web interface does not explicitly provide the ability to recursively propagate permissions (under File Sharing > shares > Access Controls) to files and folders. Is this an oversight? Or is it absolutely unnecessary to provide a recursive propagation feature due to the fact that all files and folders in a Zentyal share inherit the permissions of their share folder?

I know how to recursively propagate permissions in Linux and in NTFS, but this probably doesn't apply here because I think we are talking about a higher-level LDAP permission level.

I hope that sharing my own confusion helps Russel, and I'll appreciate comments that will disabuse me of my own misconceptions. In the meantime, I'm going to go read this again (more thoroughly):
http://doc.zentyal.org/en/directory.html
« Last Edit: July 06, 2013, 12:06:41 pm by Lonniebiz »

Russel

Re: Applying recursive file/folder permissions
« Reply #4 on: July 06, 2013, 01:09:53 pm »
I created a share and noticed that the user (owner) and group were 'sync' and '__USERS__'. In my first post I mentioned I couldn't find them in the normal Linux system. I did later discover that the users & groups are in fact stored in LDAP and not the local Linux system, as pointed out by Christian. If you use the command 'getent group' or 'getent passwd', the user and group that were assigned to my share are mentioned. I ended up using the '-R' flag to recursively add 'sync' and '__USERS__' to the rest of the folders/files.

When you create a share in Zentyal, do all sub-folders/files inherit their permissions from the parent folder? If so, how do you control this?

Christian, I intended to apply ACLs through Zentyal's web interface. I must admit that at first I was going to do it the old-fashioned way by creating a group in the Linux system (outside LDAP) and applying permissions with chown or chgrp. I was confused at first and didn't understand that Zentyal users & groups are stored in LDAP; that is why it was a problem that I couldn't find them in /etc/passwd or /etc/group.

What is the correct way to recursively apply permissions to a Zentyal share if the sub-directories & files existed before the share was created?
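
Added example (not part of the original thread, and not Zentyal's own tooling): a shell sketch of the steps described in the post above, checking that a name resolves through NSS with getent, listing what deviates from the share folder's owner and group, and then copying the folder's owner and group onto its contents. The function names and the share path in the usage comment are hypothetical, and GNU find, stat and chown are assumed.

```shell
#!/bin/sh
# Added example: function names and the share path are hypothetical.

# Succeeds if NAME resolves through NSS (/etc/nsswitch.conf: files, LDAP, ...).
# This is why an LDAP account missing from /etc/passwd still owns files.
nss_has() {  # usage: nss_has passwd|group NAME
    getent "$1" "$2" >/dev/null 2>&1
}

# Print every path under ROOT whose numeric owner:group differs from ROOT's.
# Run this first so the recursive change is reviewed, not blind.
# Output is line based, so file names containing newlines are not handled.
audit_share() {
    root=$1
    want=$(stat -c '%u:%g' -- "$root") || return 2
    find "$root" -mindepth 1 -printf '%U:%G %p\n' |
        awk -v want="$want" '$1 != want { sub(/^[^ ]+ /, ""); print }'
}

# Copy ROOT's owner and group onto everything below it.
# -h changes a symlink itself instead of following it out of the share.
apply_parent_ownership() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    find "$root" -mindepth 1 -exec chown -h --reference="$root" -- {} +
}

# Usage (as root, hypothetical path):
#   nss_has group __USERS__ && audit_share /srv/share-example
#   apply_parent_ownership /srv/share-example
```

This only touches the basic owner and group; it does not read or change POSIX ACL entries on the share.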

Lonniebiz

Re: Applying recursive file/folder permissions
« Reply #5 on: October 04, 2013, 07:44:08 pm »
I wish someone would answer your question. I too would like to know the best practice.

christian

Re: Applying recursive file/folder permissions
« Reply #6 on: October 05, 2013, 10:14:21 am »
Quote from: Russel
Christian, I intended to apply ACLs through Zentyal's web interface. I must admit that at first I was going to do it the old-fashioned way by creating a group in the Linux system (outside LDAP) and applying permissions with chown or chgrp. I was confused at first and didn't understand that Zentyal users & groups are stored in LDAP; that is why it was a problem that I couldn't find them in /etc/passwd or /etc/group.

For those willing to go further than the Zentyal GUI and willing to play with the command line, understanding nsswitch is a must in terms of accounts and groups. Then the next step is also to understand LDAP, obviously.
Another dimension is the understanding of ACLs aside from Linux basic rights.

This said, just using Zentyal through the graphic interface will handle it for you transparently and in a more reliable manner.
I hardly understand why you guys are deploying Zentyal then try to create accounts and groups at system level and try to set access rights using CLI  ???
Not that this is wrong, but it doesn't come along smoothly alongside an application like Zentyal that is supposed to do this.

spiral

Re: Applying recursive file/folder permissions
« Reply #7 on: October 05, 2013, 08:34:37 pm »
I think it is for a better understanding of the system, for when things go wrong, which they eventually do...

christian

Re: Applying recursive file/folder permissions
« Reply #8 on: October 05, 2013, 09:54:46 pm »
Quote from: spiral
I think it is for a better understanding of the system, for when things go wrong, which they eventually do...

This makes sense once homework is done so that basic knowledge of the underlying technology is understood.
When I read this thread, I find question marks about missing entries in /etc/passwd or unexpected owner and group when looking at ownership for documents shared by Samba, therefore my answer.
Of course, and I do share your point here, once the technology is understood, which doesn't mean in-depth understanding but at least the basics, experimenting and trying to do it manually really makes sense to learn better and deeper  ;)

Russel

Re: Applying recursive file/folder permissions
« Reply #9 on: October 05, 2013, 10:13:01 pm »
Thanks for the insight Christian, I appreciate your help. I agree, if I understood the underlying technologies, I likely wouldn't be here asking questions. I was applying permissions from the CLI because the GUI wasn't doing anything. While using Zentyal 3.1 I had permission problems out the rear, and they were likely because I screwed up SAMBA somehow trying to learn it. When I upgraded to Zentyal 3.2 I ended up having to purge SAMBA and start from scratch. Now (that I haven't been messing with it) everything is working as it should via both the CLI and GUI.

christian

Re: Applying recursive file/folder permissions
« Reply #10 on: October 05, 2013, 10:41:48 pm »
 ;) glad it's fixed now
Unfortunately, my message was only related to concepts. As I'm running neither 3.0 nor 3.2, I can't really help on problems and bugs that can be found with these releases  :-[

Don't take me wrong and I also would like to apologize if my previous message was misleading or hurting you: I've nothing against technical debate or questions and would not say that I understand the whole technology (hopefully, I still have a lot of stuff to learn as I've only basic understanding in a few areas :) ). I was only reacting to Lonniebiz's post asking for "best practice".

What is fully valid in your post and for which I've no answer because I'm not using this and thus never tried is how Zentyal will apply ACLs "afterwards".
I believe part of the answer is somewhere in the Samba documentation but also on the Zentyal side, as I suppose that access rights described through the Zentyal GUI are stored in the Zentyal repository (MySQL  ???)  I've no such system to test it for the time being.