[CentOS] Using Samba to share Apache web root, securely

Tue Aug 9 02:52:52 UTC 2011
Craig White <craigwhite at azapple.com>

On Mon, 2011-08-08 at 21:32 -0500, Trey Dockendorf wrote:
> I'm setting up a shared web server running Apache.  Each web root will
> belong to a department, which has a corresponding Active Directory
> group to give access.  So far I've got samba working and such, but am
> having some trouble wrapping my head around the necessary permissions
> to make all this work, especially securely.  So far I've found that
> both the POSIX and the ACL permissions must allow a user to write to
> a directory, which is proving problematic.  Is it better to give the
> web root directories very "loose" permissions and have Samba manage
> who can access the folders?
> 
> 
> A few options I've come across would have a user's logged in account
> mapped to the "apache" user through samba, using the "force user", but
> that seems like a security risk allowing users to be apache.  Another
> option I currently have working is using a default ACL for apache to
> give the web server read of all the files.  The problem I have with
> this is some directories require write and some files should have read
> only (like db config files), so again a global permission set doesn't
> seem to work.
> 
> 
> I'd be very interested in knowing how someone has solved a problem
> like this.
----
mkdir /var/www/html/department_a
chown root:department_a /var/www/html/department_a
# g+w lets the group write; the setgid bit (s) makes new files and
# subdirectories inherit the department_a group instead of the creator's.
chmod g+ws /var/www/html/department_a

smb.conf

[Department A Web]
        comment = Department A Web Server
        # your call on this one (smb.conf has no inline comments,
        # so the note has to sit on its own line)
        browseable = Yes
        writeable = yes
        path = /var/www/html/department_a
        directory mask = 775
        create mask = 664
        valid users = @department_a

That should work. If you have spaces in group names (one of the things I
love about Windows), use @"department a" 

Craig
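The same recipe, scripted for more than one department, as an added example that is not part of Craig's mail or of Samba itself. It creates each web root owned by root and the department group with the setgid bit set, prints the matching share stanza (quoting group names that contain spaces, as `valid users` requires), and runs `testparm -s` if it is available. The function names, the `name:group` argument format, the `WEB_BASE` and `OWNER` variables and the use of `getent group` (which only sees AD groups if winbind is plugged into nsswitch) are assumptions of this example.

```bash
#!/bin/bash
# Added example, not from the original thread: per-department web roots
# shared through Samba, following the mkdir/chown/chmod g+ws pattern above.
set -eu

WEB_BASE="${WEB_BASE:-/var/www/html}"   # assumed base directory
OWNER="${OWNER:-root}"                   # assumed owner of each web root

# Does the (AD or local) group resolve through NSS? Assumes winbind or
# sssd is configured so that getent can see the AD group.
group_exists() { getent group "$1" >/dev/null; }

# Create one web root: owner-owned, group-writable, setgid so files and
# subdirectories created through Samba inherit the department group.
# Args: directory name, group, [base dir], [owner]. Prints the path.
make_dept_root() {
    local name="$1" group="$2" base="${3:-$WEB_BASE}" owner="${4:-$OWNER}"
    local dir="$base/$name"
    mkdir -p "$dir"
    chown "$owner:$group" "$dir"
    chmod 2775 "$dir"        # equivalent to chmod g+ws on a 755 directory
    printf '%s\n' "$dir"
}

# Print the smb.conf share for one department.  Samba needs group names
# with spaces quoted inside the @ reference: valid users = @"department a"
# Args: share name prefix, group, path.
smb_share_stanza() {
    local name="$1" group="$2" path="$3"
    local vu="@$group"
    case "$group" in *' '*) vu="@\"$group\"" ;; esac
    cat <<EOF
[$name Web]
        comment = $name Web Server
        browseable = yes
        writeable = yes
        path = $path
        directory mask = 775
        create mask = 664
        valid users = $vu
EOF
}

# Usage (as root):
#   ./mkwebshare.sh department_a:department_a "department_b:department b"
# Each argument is name:group; the printed stanzas go into smb.conf, then
# testparm checks the resulting file before smbd reloads it.
if [ "$#" -gt 0 ]; then
    for pair in "$@"; do
        name="${pair%%:*}"; group="${pair#*:}"
        group_exists "$group" || { echo "no such group: $group" >&2; exit 1; }
        dir="$(make_dept_root "$name" "$group")"
        smb_share_stanza "$name" "$group" "$dir"
    done
    command -v testparm >/dev/null && testparm -s >/dev/null
fi
```

Note that `directory mask`/`create mask` only shape the POSIX bits Samba applies; the setgid bit on the parent is what keeps group ownership consistent, which is why `chmod 2775` (Craig's `g+ws`) is the important step.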