PAM UMASK not respected on NFS - nfs

I have home directory creation enabled in /etc/pam.d/common-session with:
session optional pam_mkhomedir.so umask=000
I am using Samba Winbind to authenticate domain users. So, in smb.conf, I have
template homedir = /nfs/upload/%U
Note: it's intentional that the home dir is set to 777 permissions; it will be on an NFS mount and needs full access for everyone.
The problem is:
If /nfs is a local directory, the home directory permissions are 777 as expected.
If /nfs is an NFS mount, then the directory is created with 700 -- not sure how to fix this.
Thank you all.

Related

Always permission 777 on mount shared cifs

I have a little problem when I mount an SMB shared folder from a Synology NAS.
I want to mount a shared folder with permissions: git:root 700
But the mounted folder always has its permissions set to 777 (even after a chmod 700 without error).
In my /etc/fstab I used this line:
#uid=999 ---> git user
//server/folder /mnt/artifacts cifs username=windowsUser,password=xxxxx,gid=0,uid=999,file_mode=0700,dir_mode=0700,iocharset=utf8 0 0
Do you know why I cannot set my rights to 700?
Did I make a mistake? Something stupid?
Thanks in advance for your help ;)
If the remote machine user ID and the local machine user ID do not match, the permissions will default to 777. mount.cifs doesn't support umask, so instead the "noperm" option can be used. This way, even if the permissions of the users on the local and remote machines don't match, the user will still be allowed to read and write to the folder, the equivalent of umask=000.
//address/location /mount/location cifs username=username,password=password,noperm,vers=2.0 0 0
A good start is to check out the manpage for CIFS:
$ man mount.cifs
[...]
file_mode=arg
If the server does not support the CIFS Unix extensions this overrides the default file mode.
dir_mode=arg
If the server does not support the CIFS Unix extensions this overrides the default mode for directories.
[...]
nounix
Disable the CIFS Unix Extensions for this mount.
[...]
So since file_mode (and dir_mode) seem to only work if the server does not support the CIFS Unix extensions, I would start by disabling them (via the nounix option).
Adding nounix worked just fine. For information, the line I have in /etc/fstab is:
//server/share /mnt/folder cifs credentials=/home/yannick/.smbcredentials,iocharset=utf8,sec=ntlm,vers=1.0,uid=1000,gid=1000,file_mode=0644,dir_mode=0755,nounix 0 0
with 1000 being my user id and group id.
Inside .smbcredentials, I have this:
username=<distant login>
password=<distant password>
I try to mount a CIFS share with permissions only for root. Other users should not be able to even list any files.
Therefore I used the following fstab entry:
//192.168.0.100/DRV /mnt/DRV cifs user=user,pass=pass,uid=0,gid=0,nounix,file_mode=0007,dir_mode=0007 0 0
I also tried the noperm parameter.
In detail, I created the folder with these permissions:
drwxrwx--- 2 root root 4096 Mai 14 09:09 DRV
After mounting the network share, the folder has:
d------rwx 2 root root 4096 Mai 14 04:50 W
Your problem is a very common one. You are using incorrect tags to be able to change the file permissions of the mounted folder.
You need to add 'umask=' instead of 'file_mode=700' and 'dir_mode=700', as it is using system mount options, not CIFS's options.
To do this you can use:
//address/location /mount/location cifs credentials=/location,uid=id,gid=id,umask=700 0 0
This will mount the file share under the set file permissions.
For security I would recommend using a credentials file, which contains the username and password, and must be set as read-only.
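As an added example (not code from any of the answers above), here is a small POSIX shell audit that walks fstab-style CIFS entries and reports the two weak spots the answers touch on: a password written inline as a mount option (fstab is world-readable) and a credentials= file that is not mode 600. The sample fstab and credentials file are constructed in a temporary directory so the script runs offline; it assumes GNU coreutils (stat -c).

```shell
#!/bin/sh
# Added example, not from the thread: audit CIFS entries in an fstab-style file.
# Assumes GNU coreutils (stat -c '%a').

# Constructed sample input, written to a temp dir so the script runs offline.
WORK=$(mktemp -d)
printf 'username=example\npassword=example\n' > "$WORK/.smbcredentials"
chmod 644 "$WORK/.smbcredentials"   # deliberately too permissive for the demo
cat > "$WORK/fstab" <<EOF
# constructed sample fstab
//server/share /mnt/folder cifs credentials=$WORK/.smbcredentials,uid=1000,gid=1000,file_mode=0644,dir_mode=0755,nounix 0 0
//192.168.0.100/DRV /mnt/DRV cifs user=user,password=SECRET,uid=0,gid=0,noperm 0 0
/dev/sda1 / ext4 defaults 0 1
EOF

# audit_cifs_fstab FILE
# Prints one finding per line; exit status is the number of findings (0 = clean).
audit_cifs_fstab() {
    findings=0
    while read -r src mnt fstype opts rest; do
        case "$src" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        [ "$fstype" = cifs ] || continue
        oldifs=$IFS; IFS=,
        for opt in $opts; do                       # split the option string on commas
            case "$opt" in
                password=*|pass=*)
                    echo "$mnt: password stored inline in fstab; move it to a credentials= file"
                    findings=$((findings + 1)) ;;
                credentials=*)
                    cred=${opt#credentials=}
                    if [ ! -f "$cred" ]; then
                        echo "$mnt: credentials file $cred does not exist"
                        findings=$((findings + 1))
                    elif [ "$(stat -c '%a' "$cred")" != 600 ]; then
                        echo "$mnt: credentials file $cred is mode $(stat -c '%a' "$cred"), expected 600"
                        findings=$((findings + 1))
                    fi ;;
            esac
        done
        IFS=$oldifs
    done < "$1"
    return "$findings"
}

# Demo run: two findings expected (inline password, 0644 credentials file).
audit_cifs_fstab "$WORK/fstab" || echo "findings: $?"
```

Point it at the real /etc/fstab to check a host; a non-zero exit status makes it usable from a cron job or configuration check.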

Can't log in by ssh after chmod on home folder

I've done a chmod 777 on my home folder, where the .ssh folder is, and now I cannot log in.
I've restored the permissions on all files but still cannot log in. Should I change anything in order to be able to log in again?
I get this message: Server refused our key
On other servers I can log in properly.
Thank you.
ssh rejects key-based logins if permissions allow other people to tamper with your authorized_keys file. You need to check /, /home, /home/yourname, /home/yourname/.ssh and /home/yourname/.ssh/authorized_keys. None of those may be group- or world-writable.
Typically you want the .ssh directory permissions to be 700 (drwx------) and the public key (.pub file) to be 644 (-rw-r--r--). Your private key (id_rsa) should be 600 (-rw-------).
Stolen from: Permissions on private key in .ssh folder?
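The check the answer describes can be reproduced locally before touching sshd. The following is an added example, not code from the answer or from OpenSSH: it walks from the key file up to a top directory (pass the home directory, as sshd's own check stops there) and reports every element that is group- or world-writable or not owned by the user or root. It builds a throwaway tree in a temp directory so it runs offline, and assumes GNU coreutils (stat -c).

```shell
#!/bin/sh
# Added example, not from the answer above: reproduce the ownership and
# permission check sshd applies to the path leading to authorized_keys.
# Assumes GNU coreutils (stat -c). Each path element from the key file up to
# TOP must be owned by USER or root and must not be group- or world-writable.

# check_key_chain FILE TOP USER
# Prints one line per insecure element; exit status is the number found.
check_key_chain() {
    p=$1; top=$2; user=$3; bad=0
    while :; do
        mode=$(stat -c '%a' "$p")
        owner=$(stat -c '%U' "$p")
        # 0$mode forces octal; 022 selects the group and other write bits
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "INSECURE $p: mode $mode is group/world writable"
            bad=$((bad + 1))
        fi
        if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
            echo "INSECURE $p: owned by $owner, not $user or root"
            bad=$((bad + 1))
        fi
        [ "$p" = "$top" ] && break
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return "$bad"
}

# Constructed demo tree in a temp dir, so nothing in a real home directory is
# touched. The .ssh directory is deliberately left 777, like the question.
WORK=$(mktemp -d)
HOME_DIR=$WORK/home/alice
mkdir -p "$HOME_DIR/.ssh"
: > "$HOME_DIR/.ssh/authorized_keys"
chmod 755 "$WORK/home" "$HOME_DIR"
chmod 777 "$HOME_DIR/.ssh"
chmod 600 "$HOME_DIR/.ssh/authorized_keys"

check_key_chain "$HOME_DIR/.ssh/authorized_keys" "$HOME_DIR" "$(id -un)" \
    || echo "insecure elements: $?"
chmod 700 "$HOME_DIR/.ssh"    # the fix from the answer
check_key_chain "$HOME_DIR/.ssh/authorized_keys" "$HOME_DIR" "$(id -un)" \
    && echo "chain is clean"
```

On a real host run it as check_key_chain ~/.ssh/authorized_keys "$HOME" "$USER"; passing / as the top directory would also flag /tmp-style sticky world-writable directories, which sshd does not inspect.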

Samba Permissions Issue

I have samba services (v 4.3.9) set up on a development web server. For simplicity's sake, I have a folder "/samba/billfolder" that requires access from the web service AND my samba users. When a samba user creates a file or folder, the permissions are not set properly and the web service cannot access the file or folder. I need a folder in which I can create folders and files that will give full permissions to both groups.
My smb.conf looks like this:
[global]
workgroup = MYDOMAIN.LOCAL
server string = Samba Server %v
netbios name = TestServer
security = user
#============================ Share Definitions ==============================
[Billing]
path=/samba/billfolder
valid users = #alfdevelopers, #www-data
guest ok = no
writeable = yes
browsable = yes
create mask = 0664
force directory mode = 2775
Can someone please offer some suggestions on how to do this properly? The client machine is Linux Mint and the fstab entry looks like this:
//192.168.1.200/Billing /mnt/Billing cifs user=myuser,password=mypassword,rw,iocharset=utf8 0 0
Thanks for any help that can be provided.
Your samba configuration seems correct. File permissions and group permissions from the Linux filesystem are checked and applied after the initial samba configuration stage.
Create a common group having users from #alpha-developers & www-data say for example #developerswebservices. You can easily add the necessary users to the group using /etc/group file.
developerswebservices:x:xx: user1,user2,www-data
Put users from both groups in it as shown above. Go to the working directory of the share, i.e. Billing.
Force newly created files inside it to belong to the group of the parent, i.e. Billing:
$ sudo chgrp -R developerswebservices Billing
$ sudo chmod -R g+s Billing
You can change the permission create mask with the necessary mask bits using the umask command.
test#linuxserver:/$umask 0007
This will give newly created files the permissions rw-rw---- for the user test.
Umask allows you to set the default permission bits for file/directory creation for a user.
To customize the umask for all users specify the umask bits in the /etc/login.defs file.
Hope this helps ! Thanks.
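The answer relies on three mode calculations that are easy to get wrong: the process umask, Samba's create mask / force mode pair, and the setgid bit on the share directory. The following is an added example, not code from the answer or from Samba: it computes each rule in shell arithmetic and then checks the umask and setgid results against what the kernel actually does in a temporary directory. It assumes Linux (where subdirectories of a setgid directory inherit the bit) and GNU coreutils (stat -c).

```shell
#!/bin/sh
# Added example, not from the answer above: how umask and Samba's create mask /
# force mode determine the mode of new files, checked against what the kernel
# actually creates. Assumes Linux and GNU coreutils (stat -c).

# umask_result BASE UMASK -> octal mode of a new object, e.g. umask_result 0666 0007 -> 660
# The leading 0 forces octal, so "022" and "0022" mean the same thing.
umask_result() {
    printf '%o\n' $(( 0$1 & ~0$2 ))
}

# samba_mode REQUESTED MASK FORCE -> octal mode Samba assigns to a new file
# (create mask / force create mode) or directory (directory mask / force
# directory mode): the client's bits are ANDed with MASK, then ORed with FORCE.
samba_mode() {
    printf '%o\n' $(( (0$1 & 0$2) | 0$3 ))
}

# create_with_umask PATH UMASK -> mode the kernel gave the new file
create_with_umask() {
    (umask "$2"; : > "$1")
    stat -c '%a' "$1"
}

# subdir_mode PARENT NAME UMASK -> mode of a directory created under PARENT
subdir_mode() {
    (umask "$3"; mkdir "$1/$2")
    stat -c '%a' "$1/$2"
}

# Demo in a temp dir (constructed, runs offline).
WORK=$(mktemp -d)
mkdir "$WORK/Billing"
chmod 2770 "$WORK/Billing"          # rwxrws---: group-writable, setgid as in the answer
echo "umask 0007 on a 0666 file  -> $(umask_result 0666 0007)"
echo "umask 0007 on a 0777 dir   -> $(umask_result 0777 0007)"
echo "Samba create mask 0664     -> $(samba_mode 0666 0664 0)"
echo "Samba force dir mode 2775  -> $(samba_mode 0777 0755 2775)"
echo "kernel, umask 0007, file   -> $(create_with_umask "$WORK/Billing/report.txt" 0007)"
echo "kernel, umask 0007, subdir -> $(subdir_mode "$WORK/Billing" invoices 0007)"
```

The last line is the one that matters for the share: with the setgid bit on Billing, a subdirectory created there comes out as 2770, so it keeps the group and the inheritance, and files land at 660 for the shared group without any change to www-data's ownership.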

How to properly give apache access to a website user's /home/websiteuser/html directory?

Setup:
Websites are setup as users in /home/
Website users restricted to home directories as /home/websiteuser/ is owned by root
Website users are part of the websites group
www-data is part of the websites group
Virtual host points to: /home/websiteuser/html/
/home/websiteuser/html/ is set to -R 755
Files inside /html/ are owned by websiteuser:websites
Website user is used to access website via sftp
Everything works great except apache requires us to recursively chmod 777 the /home/websiteuser/html/files/ directory or images won't display and the CMS can't write its MySQL backups.
The website user owns the files so the sftp access works but do I have to make www-data own the files - or is there a way where sftp login works and apache can still have access as well?
We've seen many questions around this but don't understand the answers, sorry - any help would be much appreciated.
Cheers
We've solved this by making a "websites" group and adding the apache user (www-data) to this group like this (must be done as root - switch to root with $ su root or use sudo in front of the commands like this: $ sudo useradd username):
Add a new group - this will be the name of the group used for all websites:
$ addgroup websites
List groups to check it was created
$ getent group websites
Add the apache user to the websites-group so apache has access to run the websites
$ usermod -G websites www-data
Check www-data is part of the websites-group:
$ grep '^websites' /etc/group
Add a new website user (this will be the user used to run the website)
$ useradd username
Give the user a password
$ passwd username
Follow the prompts to add a password
Add website user to websites group
$ usermod -G websites username
Create a new directory for the user to serve websites from:
$ mkdir /home/username
The owner of the website directory must be root or sftp will fail
Make root the owner and group of website user’s home directory:
$ chown root:websites /home/username
Give website user limited access to their home directory:
$ chmod 750 /home/username
Move into the website user’s directory:
$ cd /home/username
Make a web root directory (this is the public directory where the website's files will live):
$ mkdir html
Give website user owner:group on web root:
$ chown username:websites html
Change permissions on the html directory:
$ chmod 750 html
Copy all the website's files into the html directory
Recursively set ownership on all files within the web-root
$ chown -R username:ssb-websites html
Recursively set permissions on all files within the web-root (owner and group have read, write, execute permissions):
$ chmod -R 770 html
Recursively set permissions on all files within web-root:
$ chmod 644 $(find . ! -type d)
If having issues, make sure directory permissions are set like this (the top-level website directory /home/username/ must be owned by root or sFTP access won't work):
/home/username | drwxr-x--- | root:websites
/home/username/html | drwxr-x--- | username:websites
/home/username/html/directories/ | drwxrwx--- | username:websites
/home/username/html/files.html | -rw-r--r-- | username:websites
We're designers so this is the way we worked it out, if anyone can see improvements, feel free to edit!
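The last two steps of the recipe (770 on everything, then 644 on the non-directories) are the part that goes wrong most often: chmod 644 $(find . ! -type d) splits on whitespace, so a file named "logo with space.png" is skipped and stays 770. The following added example, which is not the answer's own code, does the same split with find -exec, mirrors the final layout in the answer's table (750 on html, 770 on the directories below it, 644 on files), and counts how many entries are off target before and after. It builds a throwaway tree in a temp directory and assumes GNU findutils and coreutils (find -mindepth, -exec ... +, stat -c).

```shell
#!/bin/sh
# Added example, not from the answer above: set directory and file modes
# separately under a web root and verify the result. Uses find -exec instead
# of chmod $(find ...), which breaks on filenames containing whitespace.
# Assumes GNU findutils/coreutils.

# set_tree_modes ROOT DIRMODE FILEMODE: directories below ROOT get DIRMODE,
# everything that is not a directory gets FILEMODE. ROOT itself is left alone.
set_tree_modes() {
    find "$1" -mindepth 1 -type d -exec chmod "$2" '{}' +
    find "$1" ! -type d -exec chmod "$3" '{}' +
}

# count_mismatches ROOT DIRMODE FILEMODE -> number of entries not at the
# expected mode. "-perm MODE" without a prefix is an exact match.
count_mismatches() {
    dirs=$(find "$1" -mindepth 1 -type d ! -perm "$2" | wc -l)
    files=$(find "$1" ! -type d ! -perm "$3" | wc -l)
    echo $((dirs + files))
}

# Constructed demo tree (runs offline, touches nothing under /home).
WORK=$(mktemp -d)
HTML=$WORK/html
mkdir -p "$HTML/files/images" "$HTML/backups"
: > "$HTML/index.html"
: > "$HTML/files/images/logo with space.png"   # the name that defeats $(find ...)
: > "$HTML/backups/db.sql"
chmod 750 "$HTML"
chmod 777 "$HTML/files" "$HTML/files/images"    # the over-broad setting from the question
chmod 755 "$HTML/backups"
chmod 644 "$HTML/index.html"
chmod 664 "$HTML/files/images/logo with space.png"
chmod 600 "$HTML/backups/db.sql"

echo "before: $(count_mismatches "$HTML" 770 644) entries off target"
set_tree_modes "$HTML" 770 644
echo "after:  $(count_mismatches "$HTML" 770 644) entries off target"
```

With 770 on the directories and www-data in the websites group, apache can write backups into backups/ without the files themselves being group-writable, and the SFTP user keeps ownership; re-run count_mismatches from cron if a CMS upgrade tends to reset modes.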

Samba (Cannot Write) issue

I have setup Samba between two linux boxes (Ubuntu Desktop 12.10 and Ubuntu Server 12.04). For some reason I cannot write to my samba share. To me it looks like I have the correct permissions. Below is my smb.conf, the filesystem permissions, and the steps I followed. I definitely have it misconfigured but I cannot find out how. Any help would be appreciated. Craig
Created a user in ubuntu server (craig)
Created a user and password in samba "smbuseradd -a craig" set the password
Mounted the samba share from linux desktop. This seemed to mount just fine
Attempted to write a file and it says that I don't have write permissions
Permissions on the server when viewed from the server "drwxrwxrwx 4 Craig Craig"
Permissions when viewed from ubuntu desktop "drwxr-xr-x 0 root root"
[global]
follow symlinks = yes
wide links = yes
unix extensions = no
workgroup = Ubuntu Precise
security = user
unix password sync = yes
[homes]
comment = Home Directories
browseable = yes
writable=yes
create mask = 0777
directory mask = 0777
guest ok = yes
[share]
comment = Precise File Server
path = /home/craig
browsable = yes
guest ok = yes
read only = no
writable = yes
create mask = 0777
directory mask = 0777
EDIT:
If I open my samba share as root then I can write to the folders. I tried doing a chmod and chgrp but that didn't seem to have any impact. I would prefer not to have to browse/write as root :)
OK, figured it out. It wasn't in my samba settings. The error was actually in how I was "permanently" mounting my samba share.
I was doing:
//192.168.1.11/craig /home/craig/musicServer cifs username=craig,password=MYPASSWORD 0 0
but I needed
//192.168.1.11/craig /home/craig/musicServer cifs username=craig,password=MYPASSWORD,file_mode=0777,dir_mode=0777 0 0
Adding both file_mode and dir_mode solved it.
The difference in the owner printout is probably due to different UIDs/GIDs on your local and remote machines.
You can use the noperm option at mount time instead (no need for file_mode or dir_mode). This option turns off the local file permission check (so a UID/GID inconsistency will be okay) and assumes the remote identity you authenticated with at mount time. Remote access control is still enforced.