Given one Linux server, and many Linux clients, I need to export some shared directories from the server. The behavior I want to obtain is really simple: a group of users can use a shared space on the server, without having to worry about the existence of UNIX file permissions. If I were in a Windows world, I would just share the directory as r/w, add the users to the permission list, and boom, it's done.
But, in the Linux world, I don't know how to obtain this:
- Each shared directory can be mounted only by a subset of users, identified by a group (user/groups/logins are all handled through centralized LDAP). So eg. the share "/var/foobar" on the server must be accessible (read/write) only by members of LDAP group "foobar".
- Users must be able to create/modify/delete directories, files, etc. on the share with full access, provided they are in the right group.
- Users must be unable to screw permissions of files/directories in a share in a way that other users of the share cannot access them anymore. Big stress on an unable.
The problem with requirement #3 is that there are many Linux applications that like to screw permissions by ignoring the umask and/or forcing a chmod/chgrp after touching a file. Notable examples are Nautilus and OpenOffice.
Failed experiments:
- NFS: tried in different ways, but if I squash I cannot authenticate, and if I authenticate and user tries to copy a directory with Nautilus, permissions are screwed.
- NFS + ACL setgid. Still screwable through standard desktop programs doing standard operations that somehow end up forcing a chmod or chgrp.
- sshfs/sftp-server: there doesn't not seem to be a simple way to avoid calls to chmod/chgrp. There is a patch floating around that allows to block chmod/chgrp but it returns errors to the client that complains to the user. Looks like I could patch the patch to silently ignore chmod/chgrp, but I am already using SFTP on that server for other reasons and there does not seem to be a simply way to define different behaviors for different directories.
Would Samba help somehow? Other solutions?
It sounds like you are looking for NFS + user-id mapping, to be found in NFS v4 with per-user mounts. Don't share the mount between users, each get's their own mounted as their user with squash.
Samba with
force group
andforce create mode
could work.