On Mon, 2011-08-08 at 21:32 -0500, Trey Dockendorf wrote:
> I'm setting up a shared web server running Apache. Each web root will
> belong to a department, which has a corresponding Active Directory
> group to give access. So far I've got Samba working and such, but am
> having some trouble wrapping my head around the necessary permissions
> to make all this work, especially securely. So far I've found that
> both the POSIX and the ACL permissions must allow a user to write
> to a directory, which is proving problematic. Is it better to give the
> web root directories very "loose" permissions and have Samba manage
> who can access the folders?
>
> A few options I've come across would have a user's logged-in account
> mapped to the "apache" user through Samba, using "force user", but
> that seems like a security risk, allowing users to be apache. Another
> option I currently have working is using a default ACL for apache to
> give the web server read of all the files. The problem I have with
> this is some directories require write and some files should be read
> only (like db config files), so again a global permission set doesn't
> seem to work.
>
> I'd be very interested in knowing how someone has solved a problem
> like this.

----

    # create the department web root, owned by root and the department's group
    mkdir /var/www/html/department_a
    chown root:department_a /var/www/html/department_a
    # group-writable, with setgid so new files and subdirectories inherit the group
    chmod g+ws /var/www/html/department_a

smb.conf:

    [Department A Web]
        comment = Department A Web Server
        # your call on this one
        browseable = Yes
        writeable = yes
        path = /var/www/html/department_a
        directory mask = 775
        create mask = 664
        valid users = @department_a

That should work. If you have spaces in group names (one of the things I love about Windows), use @"department a".

Craig
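As an added example (not part of Craig's reply or Trey's setup), the following POSIX shell helper builds a department web root the way Craig describes (root:group, group-writable, setgid), checks that the mode bits actually came out that way, and prints the matching share stanza. It goes a little beyond Craig's stanza by adding "force group" and "force directory mode = 2000", so the department group and the setgid bit are applied even when a client's requested create mode would drop them. The path /var/www/html, the department and group names, and the use of GNU stat are assumptions.

```sh
#!/bin/sh
# Added example, not from the original thread: a helper that builds a
# department web root as root:<group>, group-writable, setgid, and prints
# the matching smb.conf share. /var/www/html and "department_a" are
# placeholders. Assumes GNU (or busybox) stat for the -c flag.
set -eu

# make_webroot ROOT DEPT GROUP
# Creates ROOT/DEPT as root:GROUP with mode 2775 and prints the path.
# chown needs root and an existing group; when run unprivileged (e.g. in
# a scratch directory to exercise the mode checks) it is skipped.
make_webroot() {
    dir="$1/$2"
    mkdir -p "$dir"
    if [ "$(id -u)" -eq 0 ] && getent group "$3" >/dev/null 2>&1; then
        chown "root:$3" "$dir"
    fi
    # 2775 = rwxrwsr-x: group write plus setgid, so files and subdirectories
    # created through the share are owned by the department group.
    chmod 2775 "$dir"
    printf '%s\n' "$dir"
}

# has_setgid_group_write DIR
# Succeeds only if DIR carries the setgid bit and is group-writable, the
# invariant the share relies on; without setgid, new files silently get
# the creating user's primary group instead of the department's.
has_setgid_group_write() {
    [ -d "$1" ] && [ -g "$1" ] || return 1
    perms=$(stat -c '%A' "$1")          # e.g. drwxrwsr-x
    case "$perms" in
        ?????w*) return 0 ;;            # sixth character is the group 'w'
        *)       return 1 ;;
    esac
}

# smb_share NAME DEPT GROUP
# Prints a share stanza. "force group" and "force directory mode = 2000"
# are additions to Craig's version: they pin the group and keep the
# setgid bit on directories regardless of the mode the client asks for.
smb_share() {
    cat <<EOF
[$1]
    comment = $2 web root
    path = /var/www/html/$2
    browseable = yes
    writeable = yes
    valid users = @"$3"
    force group = $3
    create mask = 0664
    directory mask = 2775
    force directory mode = 2000
EOF
}

# Usage (as root on the web server):
#   make_webroot /var/www/html department_a department_a
#   has_setgid_group_write /var/www/html/department_a && echo ok
#   smb_share "Department A Web" department_a department_a >> /etc/samba/smb.conf
```

Two caveats worth keeping in mind with this layout. "valid users" only restricts who can reach the share over SMB; Apache reads the files through the "other" bits that 0664/2775 leave open, so nothing under the tree is hidden from the web server or from other local users. And a file that is meant to stay read-only for the department (Trey's db config case) cannot simply be chmod'd inside a group-writable directory: members of the group can still delete and recreate it, so such files need to live outside the shared tree, or the directory holding them must not be group-writable.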