SMB Group R/O, User R/W share how to

gwaitsi

Patron
Joined
May 18, 2020
Messages
243
Home and Working directories sorted, but I am obviously misunderstanding how the ACLs work.

Current challenge. Shared photo album.
- I want user1, user2, etc to be able to write/delete their own files
- I want userx to have r/o access to all other users files
- I want me to have full access to all users files

Dataset Photos; owner: me, owner grp: users
owner@me: Full/Inherit
group users: r/o inherit
user me: Full inherit

Share Photos; owner: me, owner grp: users
owner@me: Full/Inherit
group users: r/o inherit
user me: Full inherit

So far;
- me has full access
- userx can see (read-only) all other users' files

Problem
- userx can not write their own files and directories

I found that if I create a subdirectory as user1 and set the owner as user1:users, the user can write into the subdirectory but not at the higher level.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
owner@ applies to the owner of the files. This will not always be you. If user1 writes a file, you will no longer own it and hence have no access to it.

You can for your shared photos set:
owner@ FULL_CONTROL - INHERIT
group@ FULL_CONTROL - INHERIT
group:users: READ - INHERIT
group:users: MODIFY - NO_INHERIT
group:<something containing your admin user>: FULL_CONTROL - INHERIT

The end result will be when users authenticate to the share and create their own directory for photos (by virtue of non-inheriting MODIFY permissions), they will own it and be able to write (by virtue of owner@ permissions), other members of <users> in the new directory will be RO (by virtue of inheriting READ permission), and your group will have full control (by virtue of inheriting GROUP permission).
 

gwaitsi

Patron
Joined
May 18, 2020
Messages
243
Thanks man, that really helped. Had to make a slight modification. Probably still not quite getting it, I guess, but it seems to work as desired.

owner:Me
Ownergroup: smbusers

owner@ FULL_CONTROL - INHERIT
group@ READ - INHERIT
group:smbusers: READ - INHERIT
group:smbusers: MODIFY - NO_INHERIT
user:me FULL_CONTROL - INHERIT

I have the Ownergroup as smbusers, and see new files/directories are then created with user: me (or user1, etc) and the group as smbusers.

Are you suggesting I should have owner and ownergroup as me:me?
But that means for user1 it becomes user1:user1 no?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
No. If what you have works then it's fine. I just try to encourage avoiding using USER entries in ACLs (it's generally best practice to always use groups so that you can control access by editing group membership without having to rewrite ACLs).
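As an added illustration of the three layouts discussed in this thread (the original read-only attempt, the working layout with a user:me entry, and the group-based variant anodos recommends), the following toy Python model is not code from the thread or from TrueNAS. It evaluates a deliberately simplified allow-only NFSv4-style ACL: only a handful of permission bits, no deny ordering, and the assumption the poster observed on this dataset, namely that a directory created over SMB is owned by its creator, keeps the parent's group, and receives only the INHERIT entries. The group name wheel and the users user2 and me's group membership are constructed for the example.

```python
"""Toy allow-only model of NFSv4-style ACL inheritance for the shared photo
album layouts. Simplified on purpose: allow ACEs only, a few permission bits,
and no deny-entry ordering. Not TrueNAS or Samba code."""
from dataclasses import dataclass

# Constructed permission sets standing in for the TrueNAS presets.
READ = frozenset({"read", "list"})
MODIFY = READ | frozenset({"write", "add_file", "add_subdir", "delete_child"})
FULL_CONTROL = MODIFY | frozenset({"delete", "write_acl", "write_owner"})


@dataclass(frozen=True)
class ACE:
    who: str            # "owner@", "group@", "user:<name>" or "group:<name>"
    perms: frozenset
    inherit: bool       # True = INHERIT, False = NO_INHERIT


@dataclass
class Node:
    owner: str
    group: str
    acl: list


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


def effective_perms(node, user):
    """Union of every allow ACE that matches the user on this node."""
    granted = set()
    for ace in node.acl:
        if ace.who == "owner@" and user.name == node.owner:
            granted |= ace.perms
        elif ace.who == "group@" and node.group in user.groups:
            granted |= ace.perms
        elif ace.who == f"user:{user.name}":
            granted |= ace.perms
        elif ace.who.startswith("group:") and ace.who[len("group:"):] in user.groups:
            granted |= ace.perms
    return granted


def create_subdir(parent, creator):
    """Model the observed behaviour: the new directory is owned by its creator,
    takes the parent's group, and copies down only the INHERIT entries.
    Returns None when the creator lacks add_subdir on the parent."""
    if "add_subdir" not in effective_perms(parent, creator):
        return None
    return Node(owner=creator.name, group=parent.group,
                acl=[ace for ace in parent.acl if ace.inherit])


# Constructed users; "wheel" stands in for an admin group containing me.
me = User("me", frozenset({"smbusers", "wheel"}))
user1 = User("user1", frozenset({"smbusers"}))
user2 = User("user2", frozenset({"smbusers"}))

# Layout 1: the original attempt, where the group only ever gets READ.
original = Node("me", "smbusers", [
    ACE("owner@", FULL_CONTROL, True),
    ACE("group:smbusers", READ, True),
    ACE("user:me", FULL_CONTROL, True),
])

# Layout 2: the working layout from the thread. MODIFY is NO_INHERIT, so
# members may create their own folder at the top level but inherit only READ.
final = Node("me", "smbusers", [
    ACE("owner@", FULL_CONTROL, True),
    ACE("group@", READ, True),
    ACE("group:smbusers", READ, True),
    ACE("group:smbusers", MODIFY, False),
    ACE("user:me", FULL_CONTROL, True),
])

# Layout 3: same as layout 2, but admin access comes from a group entry so
# it can be changed through group membership instead of rewriting the ACL.
group_based = Node("me", "smbusers", [
    ACE("owner@", FULL_CONTROL, True),
    ACE("group@", READ, True),
    ACE("group:smbusers", READ, True),
    ACE("group:smbusers", MODIFY, False),
    ACE("group:wheel", FULL_CONTROL, True),
])


def check_layout(top):
    """Summarise who can do what once user1 has created a folder under top."""
    d = create_subdir(top, user1)
    if d is None:
        return {"user1_creates": False}
    return {
        "user1_creates": True,
        "user1_writes_own": "write" in effective_perms(d, user1),
        "user2_reads_user1": "read" in effective_perms(d, user2),
        "user2_writes_user1": "write" in effective_perms(d, user2),
        "user2_creates_in_user1": create_subdir(d, user2) is not None,
        "me_writes_user1": "write" in effective_perms(d, me),
    }


if __name__ == "__main__":
    for name, layout in [("original", original), ("final", final),
                         ("group_based", group_based)]:
        print(name, check_layout(layout))
```

Running it shows the failure mode from the first post (user1 cannot create anything under the original layout) and that layouts 2 and 3 give the same result: user1 writes to their own folder, user2 can read it but neither write to it nor create inside it, and me keeps write access through either the user entry or the admin group.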
 