
User and group mount options for ext filesystems

Posted May 17, 2012 6:00 UTC (Thu) by ringerc (subscriber, #3071)
In reply to: User and group mount options for ext filesystems by imunsie
Parent article: User and group mount options for ext filesystems

I agree, FS attributes would be the right way to go - but I'd go further.

I want it to be a directory xattr, so I can set it for arbitrary sub-trees of a file system. Not just a uid= and gid=, but most importantly a dirmode= and filemode= .

I waste SO MUCH TIME fighting the stupidity of the UNIX permissions model, which presumes every user (a) knows and (b) cares about the permissions of each file and can be trusted to set them. It also assumes that a particular umask is appropriate globally across a session, where in reality different masks are appropriate when working in different data storage spaces. It also causes endless problems with idiotic apps like Thunderbird that like to override the admin-set umask when creating files or directories, leaving files/dirs in shared working areas that only the creator can access.

I want to be able to turn all this crap off. Seriously. Let me say "Everything under /srv/users/editorial is mode 770 (dir) or 660 (file) with group 'editorial'". POSIX ACLs would work if only I could turn off or override UNIX permissions.

As it is, I have the usual horrid cron job. I'm always patching apps when some idiotic application developer gets it into their head to "improve security" by adding an explicit umask() call they don't understand. Again.

This is particularly painful when there's a combination of clients using network file servers (Samba, Netatalk, etc.) and clients using local or NFS access.



User and group mount options for ext filesystems vs xattr for entire subtree

Posted May 17, 2012 14:21 UTC (Thu) by scripter (subscriber, #2654) [Link]

I agree. And the xattr for the entire subtree shouldn't just override uid, gid, dirmode and filemode -- it should override the SELinux attributes as well.

Why? I've got a directory tree full of 10+ years of images that I serve up through apache. It's a nightmare to make sure everything has the correct dirmode, filemode, and SELinux attributes.

User and group mount options for ext filesystems

Posted May 17, 2012 17:47 UTC (Thu) by RobSeace (subscriber, #4435) [Link] (4 responses)

> Let me say "Everything under /srv/users/editorial is mode 770 (dir) or 660 (file) with group 'editorial'".

Well, you can get the group inheritance already by just setting the setgid bit on the directory... Maybe we need to allow for similar user inheritance via the setuid bit? Not sure about how to do the modes, though...

User and group mount options for ext filesystems

Posted May 18, 2012 16:33 UTC (Fri) by jschrod (subscriber, #1646) [Link] (1 responses)

> > Let me say "Everything under /srv/users/editorial is mode 770 (dir) or
> > 660 (file) with group 'editorial'".

> Well, you can get the group inheritance already by just setting the
> setgid bit on the directory...

How do you enforce a gid change when a file is mv'ed into that directory? setgid only works for newly created files.

User and group mount options for ext filesystems

Posted May 18, 2012 16:59 UTC (Fri) by RobSeace (subscriber, #4435) [Link]

Hmmm, true enough... I guess I always figured it'd work for mv'd files too, but never tried... Bummer...

User and group mount options for ext filesystems

Posted May 21, 2012 1:13 UTC (Mon) by ringerc (subscriber, #3071) [Link] (1 responses)

`chmod g+s` is all well and good as far as it goes, but it doesn't go far.

As others have noted, it has no effect on moved files or directories, so you land up with subtrees with different permissions that're incorrect for that working group.

More importantly, it doesn't affect the permissions bits. What I really need is to be able to force the group permissions bits to a fixed mode whenever a file is created in or moved into a directory *or* *any* *sub* *directory*. That mode may be g=rwX if I want to use inherited POSIX ACLs instead.

The fact that these issues cause such hassle that I was considering mounting local directories via samba and CIFS (so I could use Samba to remap all permissions) should tell you something!

In truth, I hate to say what I've done in the end is replace our Samba server with a Win2k8 box, and have the Linux boxes mount its storage over CIFS. All these pain points just go away, to the point where I think Windows is currently a much better file server for Linux boxes than Linux itself is, at least for some workloads. For one thing, I have volume shadow copy snapshots now, which are so massively better than LVM snapshots that it's hard to believe.

I did this partly because Samba isn't usable as a primary domain controller for Windows 7 machines; our Samba PDC had to go anyway. I was reluctant to do it initially, but after my experience with win2k8 I'm going to be very reluctant to go back to Linux and Samba file servers again. Not unless LVM snapshot expiry stops sucking and preventing the machine from booting, LVM learns to co-operate with the file system(s) on top of it for snapshot management, permissions management for shared access modes stops being so horrible, and of course Samba 4 eventually hits release.

Note that I'm not demanding that any of these things magically happen or whining that they aren't happening. I'm not doing the work to make it so, so I have no right to. Doesn't mean I won't use whatever's best for the job right now.

(Of course, now I'm trying to resist being saddled with Microsoft Exchange. I don't want to give up Cyrus IMAPd and Postfix, but pressure for a working shared calendar and address book is growing within the organisation, and there isn't much out there...)
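
The limits of `chmod g+s` raised in this thread (a file moved in keeps its old mode, and the setgid bit never touches permission bits) and the periodic repair job that works around them, as an added shell example that is not from any commenter's post. The function names and the constructed tree under `mktemp -d` are assumptions for illustration; the 2770/660 policy is the one quoted in the thread, and GNU find is assumed.

```shell
#!/bin/sh
# Added example: audit and repair a shared working tree.
# Policy: directories 2770 (setgid + rwx for owner and group), files 660,
# everything owned by one group. GROUP may be a name or a numeric gid.

# Print every entry under ROOT that deviates from the policy.
audit_shared_tree() {
    root=$1; group=$2
    find "$root" \( \
        -type d \( ! -perm 2770 -o ! -group "$group" \) -o \
        -type f \( ! -perm 0660 -o ! -group "$group" \) \
    \) -print
}

# Repair only the deviating entries (the "cron job" approach).
# chgrp runs before chmod so the final mode is always the policy mode.
fix_shared_tree() {
    root=$1; group=$2
    find "$root" -type d \( ! -perm 2770 -o ! -group "$group" \) \
        -exec chgrp "$group" {} \; -exec chmod 2770 {} \;
    find "$root" -type f \( ! -perm 0660 -o ! -group "$group" \) \
        -exec chgrp "$group" {} \; -exec chmod 0660 {} \;
}

# Build a constructed tree showing what the setgid bit does not cover.
# Prints the temporary directory; the shared tree is "$dir/shared".
demo_tree() {
    t=$(mktemp -d) && g=$(id -g)
    mkdir "$t/shared" && chgrp "$g" "$t/shared" && chmod 2770 "$t/shared"
    # Created in place with a cooperative umask: 660, group inherited.
    ( umask 007; : > "$t/shared/ok.txt" )
    # Created elsewhere as 600, then moved in: rename() keeps mode and gid.
    ( umask 077; : > "$t/private.txt" )
    mv "$t/private.txt" "$t/shared/moved.txt"
    # An application forcing umask 077: the new directory inherits the
    # setgid bit but ends up 2700, so the group cannot enter it.
    ( umask 077; mkdir "$t/shared/sub" )
    echo "$t"
}

# Usage: t=$(demo_tree); audit_shared_tree "$t/shared" "$(id -g)"
```

The audit lists `moved.txt` and `sub` but not `ok.txt`; after `fix_shared_tree` it prints nothing until the next move or restrictive umask brings the drift back.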

User and group mount options for ext filesystems

Posted May 31, 2012 16:38 UTC (Thu) by nye (subscriber, #51576) [Link]

> In truth, I hate to say what I've done in the end is replace our Samba server with a Win2k8 box, and have the Linux boxes mount its storage over CIFS. All these pain points just go away, to the point where I think Windows is currently a much better file server for Linux boxes than Linux itself is, at least for some workloads. For one thing, I have volume shadow copy snapshots now, which are so massively better than LVM snapshots that it's hard to believe.

Unless you have a powerful technical or ideological objection, I would seriously recommend taking a good, hard look at Solaris.

I've only been trialling Openindiana for a couple of weeks, so it's certainly possible that there are major headaches to come, but so far it has been an incomparably better experience than using Linux + Samba - so much so that I deeply regret wasting my life on the latter for so long.

User and group mount options for ext filesystems

Posted May 23, 2012 22:35 UTC (Wed) by dashesy (guest, #74652) [Link]

Yes, the directory approach seems like a much better solution. Then depending on where I mount the removable media, permissions can be respected or not. I can mount a backup hard drive to /mnt/backup normally or my USB stick on /mnt/usb to access just everything.

