No problem: I shared the directory through Samba and granted access to the guest user (which, on Linux, Samba maps to the nobody user).
[root@centos ~]# cat /etc/samba/smb.conf
[global]
security = user
map to guest = bad user
guest account = nobody
[logs]
path = /logs
readonly = yes
guest ok = yes
Later I was warned that certain files could not be read. Taking a look at it, I saw that some files were being created with the wrong permissions.
[root@centos ~]# ls -l /logs/
total 6148
-rw-------. 1 root root 4730880 oct 4 11:37 001.log
-rw-------. 1 root root 1564672 oct 4 11:37 002.log
As you can see, the files could only be read by their owner, in this case root. This was the second problem: the application ran as root and, of course, I could not allow access through that user.
We opened a ticket with the support center to find out whether it was possible to make the program create the log files with other permissions. The response was fantastic: set up a cron task to change them periodically. As I usually say... a real botch job.
Fortunately, Linux is a great operating system: if you know it in depth, you can solve problems in several different ways.
I sized up the situation and decided that the best option was to set an ACL (Access Control List). With ACLs, you can give selected users read, write and execute permissions on a specific file or directory.
First up, the target filesystem has to be mounted with the acl option.
[root@centos ~]# mount -o remount,acl /
[root@centos ~]# cat /etc/fstab
/dev/mapper/vg_centos-lv_root / ext4 defaults,acl 1 1
...
Then you grant the nobody user read and execute permissions on every element of the directory and, in addition, set a default ACL so that new files or directories created within it also get this ACL.
[root@centos ~]# setfacl -R -m u:nobody:r-x /logs
[root@centos ~]# setfacl -d -R -m u:nobody:r-x /logs
In this manner, when a user logs on via Samba as the guest user, they will be able to read the files. Let's now get the full permissions of one of the files in the logs directory.
[root@centos ~]# getfacl /logs/001.log
# file: logs/001.log
# owner: root
# group: root
user::rw-
user:nobody:r-x
group::---
mask::r-x
other::---
As you can see above, apart from root, the nobody user can also read the file.
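The getfacl output is worth reading line by line, because a named-user entry such as user:nobody:r-x only grants what the mask::r-x entry allows. That matters for files the application creates later under the default ACL: the kernel derives a new file's mask from the group bits of the creation mode, so a file created with mode 0600 inherits the nobody entry but gets mask::---, and getfacl marks the entry with #effective:---. The following Python script is an added example, not code from the original post: it parses getfacl's text output, applies the mask rule, evaluates the POSIX ACL access algorithm for a given user, and lists entries the mask has silenced. The first sample is the 001.log output shown above; the second (003.log) is a constructed sample of what a 0600 file created under the default ACL would look like, assuming the default ACL's base entries came from a 0755 directory.

```python
"""Compute effective POSIX ACL permissions from getfacl(1) output.

Added example (not from the original post). Entries for named users and
for any group are limited by the mask entry, so "user:nobody:r-x" may be
worth nothing if "mask::---" follows it. Scripts that just grep for the
user line miss that; this one applies the mask before answering.
"""
import re

# Output the post shows for /logs/001.log after the explicit setfacl -m.
ACL_EXISTING = """\
# file: logs/001.log
# owner: root
# group: root
user::rw-
user:nobody:r-x
group::---
mask::r-x
other::---
"""

# Constructed sample: a file the application later creates with mode 0600
# under the default ACL. The mask is the default mask ANDed with the group
# bits of the creation mode (000), so the inherited entries are ineffective.
ACL_NEW_FILE = """\
# file: logs/003.log
# owner: root
# group: root
user::rw-
user:nobody:r-x\t\t#effective:---
group::r-x\t\t\t#effective:---
mask::---
other::---
"""

def perm_bits(s):
    """Convert an 'r-x' style string to a 3-bit integer (r=4, w=2, x=1)."""
    return sum(4 >> i for i, c in enumerate(s[:3]) if c != '-')

def perm_str(bits):
    """Inverse of perm_bits, for reporting."""
    return ''.join(c if bits & b else '-' for c, b in (('r', 4), ('w', 2), ('x', 1)))

def parse_getfacl(text):
    """Parse getfacl text output into {'owner', 'group', 'entries'}.

    Default entries are skipped: they describe inheritance for new objects,
    not access to this file. Trailing '#effective:' notes are dropped because
    we recompute the effective permissions ourselves.
    """
    acl = {'owner': None, 'group': None, 'entries': []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('#'):
            m = re.match(r'#\s*(owner|group):\s*(\S+)', line)
            if m:
                acl[m.group(1)] = m.group(2)
            continue
        line = line.split('#', 1)[0].strip()
        if not line or line.startswith('default:'):
            continue
        tag, qualifier, perms = line.split(':', 2)
        acl['entries'].append((tag, qualifier, perm_bits(perms)))
    return acl

def effective_entries(acl):
    """Apply the mask: named users, the owning group and named groups are
    ANDed with mask::; the owner (user::) and other:: entries are not."""
    mask = next((b for t, q, b in acl['entries'] if t == 'mask'), None)
    out = []
    for tag, qual, bits in acl['entries']:
        if mask is not None and (tag == 'group' or (tag == 'user' and qual)):
            bits &= mask
        out.append((tag, qual, bits))
    return out

def ineffective_entries(acl):
    """List (tag, qualifier, requested, effective) for entries cut down by the mask."""
    eff = {(t, q): b for t, q, b in effective_entries(acl)}
    return [(t, q, b, eff[(t, q)]) for t, q, b in acl['entries'] if eff[(t, q)] != b]

def acl_allows(acl, user, groups, perm):
    """POSIX ACL access check for one permission bit (4=r, 2=w, 1=x).

    Order of evaluation: owner entry, then a named-user entry, then every
    matching group entry (any one granting the bit is enough), then other.
    """
    eff = effective_entries(acl)
    lookup = lambda tag, qual: [b for t, q, b in eff if t == tag and q == qual]
    if user == acl['owner']:
        return bool(lookup('user', '')[0] & perm)
    named = lookup('user', user)
    if named:
        return bool(named[0] & perm)
    group_bits = lookup('group', '') if acl['group'] in groups else []
    for g in groups:
        group_bits += lookup('group', g)
    if group_bits:
        return any(b & perm for b in group_bits)
    return bool(lookup('other', '')[0] & perm)

if __name__ == '__main__':
    for label, text in (('001.log', ACL_EXISTING), ('003.log (constructed)', ACL_NEW_FILE)):
        acl = parse_getfacl(text)
        print(label, 'readable by nobody:', acl_allows(acl, 'nobody', ['nobody'], 4))
        for tag, qual, want, got in ineffective_entries(acl):
            print(f'  {tag}:{qual}: entry says {perm_str(want)}, effective {perm_str(got)}')
```

Run against real output with `getfacl /logs/*.log | python3 aclcheck.py`-style plumbing if you adapt the script to read stdin; the point of the check is that a Samba guest read failure on a new log file shows up as an ineffective nobody entry rather than a missing one, which is what `getfacl` reports with #effective: and what a plain `ls -l` hides entirely.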
It may seem incredible, but ACLs are not well known. Throughout my professional life I have seen real disasters caused by the way permissions were applied to files, mainly due to administrators' ignorance.
And as you have been able to see, ACLs are an elegant way to handle file permissions. Next week I will finish this article with other things you can do with ACLs.