Geek Pop Quiz.
Jul. 21st, 2009 11:09 am
I have a file server. It runs Ubuntu and Samba.
This file server has a Projects folder, shared. Inside the Projects folder are a number of subfolders - one per project. Inside each individual subfolder are a standard set of folders (the same for all projects). The file system is ext3, if that matters.
I need:
1) For each sub-subfolder to have *different* permissions - give group "all_project_people" access to see the projects and open the individual project folders, but make one subfolder readable only by users who are administrators and one only by people who are in production and one only by people who are in design, etc.
2) a way to automate the creation of new Project folders in such a way that a non-technical user can do it, from a Windows desktop, preferably with a single icon, but any *short*, *simple* process is okay.
3) If possible, making creation of project folder sets easy (using the process from #2) and make deletion require superuser intervention.
For #1: I'm thinking make Samba share the "projects" folder as top-level, and within Samba give all members of the Samba Users group read/write access. Individual project folders have this same access. In the underlying file system, project SUBFOLDERS have different accesses - so "sambauser" gets you into /ProjectA/, but only a member of Production can get into /ProjectA/production/ because it's owned by root and the Group is set to "Production", and it's not world-readable.
For #2: Ugh. Windows scripting, or VBScript, or even a batch job, to pop up, ask the user for the project number and name, then run off to the mapped network drive and run mkdir a bunch of times would work but wouldn't set any of the permissions correctly, unless you can show me a way to alter Linux file permissions from a Windows script. I could give them an icon to log in via SSH with a user whose "shell" is /bin/Create_Project_Folder, and have that script prompt for folder name and run all the mkdirs, chowns, and chmods I want - is there a simple way to make a one-click SSH icon in Windows? A useful way to make a .bat that just says "ssh user:pass@server" without installing cygwin?
For #3.... in NTFS, I'd just deny change/delete permission to non-Admin users. In Linux... give "write" access only to the "create project folders" user from step #2, denying it to the Samba users?
Does my thinking make sense?
Is there a product that does this for me automagically so I don't have to set it all up myself?
Am I looking at some kind of impossible pitfall here, so that I'm better off going with my ORIGINAL preference, which is having one Production folder and one Admin folder and one Design folder and having each project have a separate subfolder inside - so a single project's data is in three places, but access restrictions are much easier?
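The create-only script and permission layout discussed in #1 through #3, as an added example that is not part of the original post or its comments. The share path `/srv/projects`, the lowercase group names `admins`, `production` and `design`, and the subfolder list are assumptions.

```sh
#!/bin/sh
# Added example. Share path, group names and subfolder list are assumptions.
PROJECTS_ROOT="${PROJECTS_ROOT:-/srv/projects}"
PARENT_GROUP="all_project_people"
SUBFOLDERS="admin:admins production:production design:design"   # folder:group

# The name comes from an untrusted prompt: refuse empty names, leading "." or
# "-", path separators, and anything outside a small safe character set.
valid_name() {
    case "$1" in
        ""|.*|-*|*/*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# chown to root needs root. If it fails, the folder keeps the mode set by
# mkdir but not the intended group, and the warning makes that visible.
set_owner() {
    chown "root:$1" "$2" 2>/dev/null ||
        echo "warning: could not set root:$1 on $2" >&2
}

create_project() {
    name=$1
    valid_name "$name" || { echo "rejected project name" >&2; return 2; }
    dir="$PROJECTS_ROOT/$name"
    # No -p: an existing project makes mkdir fail, so nothing is re-permissioned.
    # 0750 root:all_project_people = members can list and enter, only root can
    # add or delete entries (requirement #3).
    mkdir -m 0750 "$dir" || return 3
    set_owner "$PARENT_GROUP" "$dir"
    for pair in $SUBFOLDERS; do
        sub=${pair%%:*}
        grp=${pair##*:}
        # 0770 root:<dept> = department members only, not world-readable.
        mkdir -m 0770 "$dir/$sub" || return 4
        set_owner "$grp" "$dir/$sub"
    done
}

# Interactive entry point for the single-purpose account.
if [ "${1:-}" = "--prompt" ]; then
    printf 'Project name: '
    read -r answer && create_project "$answer"
fi
```

Run it as root, for example through a sudo rule limited to this one script, and keep `PROJECTS_ROOT` itself root-owned and not group-writable so that only the script can add project folders.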
(no subject)
Date: 2009-07-21 03:45 pm (UTC)
I suspect that setting up a user whose login script prompts for the directory name then creates the files and sets the permissions appropriately would be easiest, quicker to debug, and easier for the users. Especially if you can script the connecting process so no one needs to remember another username password pair.
(no subject)
Date: 2009-07-21 09:00 pm (UTC)
Have directories like
the users in their proper groups, and the "admins" as members of all groups.
(You need to *try* this, I don't have any samba at home and I don't intend to, ever again.)
The creating part can be done with a little shell script, sudo and the putty command-line client, as
(no subject)
Date: 2009-07-21 09:15 pm (UTC)
Cons: Each project has files in three different locations.
Pros: Each location is REALLY EASY to create and restrict access to.
Stupid: They want all the files in one place, but different access lists to each file. Gah!
(no subject)
Date: 2009-07-22 01:13 pm (UTC)
This would be easier with a domain and Server 2003 on the file server, but that's outside the client's budget.