How use MyDocuments and Shared Documents on Linux like on XP
kalagani
Joined: Sun Jan 03, 2010 12:37 Posts: 7

How use MyDocuments and Shared Documents on Linux like on XP

Happy new year!

I am installing, for 4 users, a dual-boot PC with XP + mandriva2008.1 (with the latest ntfs-3g 2009.11.4).
I want to reach My Documents and Shared Documents independently from XP or Linux
I want each My Documents confidential
I want each user to write in the Shared Documents independently from the owner

To make it:

XP on ntfs-3g partitions:
for each user move the My Documents from C: to D:
Set each My Documents in "confidential"
move also the Shared Documents from C: to D: (the registry, BDR, is modified according to the move)

Linux on ext3 partition:
for each /home/user make links to the My Documents and the Shared Documents on D:

For files built on XP, for each user
My Documents are with right owner, same group, mode 0700
and Shared Documents right owner, same group, mode 666
But for files built on Linux, for each user
My Documents are with right owner, same group, mode 0644
and Shared Documents right owner, same group, mode 644

So, on Linux, the major problem is in the Shared Documents: a user X cannot write to a file built by another user!
The minor problem is that all users can read in My Documents

I expected the same behavior between the 2 OS! But how to do it?

Thanks

My UserMapping file, built with usermap launched for each user on XP:
Code:
    500::S-1-5-21-1409082233-606747145-839522115-1003
    501::S-1-5-21-1409082233-606747145-839522115-1004
    502::S-1-5-21-1409082233-606747145-839522115-1005
    503::S-1-5-21-1409082233-606747145-839522115-1006
    :500:S-1-5-21-1409082233-606747145-839522115-513
    :501:S-1-5-21-1409082233-606747145-839522115-513
    :502:S-1-5-21-1409082233-606747145-839522115-513
    :503:S-1-5-21-1409082233-606747145-839522115-513
    ::S-1-5-21-1409082233-606747145-839522115-10000

My fstab:
Code:
    # Entry for /dev/sda2 :
    UUID=334ab56a-e9b1-11de-8aa2-dd15276bb9ee / ext3 relatime 1 1
    # Entry for /dev/sda5 :
    UUID=a36e8920-e9b1-11de-9e93-95fd5bb13a1c /home ext3 relatime 1 2
    /dev/cdrom /media/cdrom auto umask=0,users,iocharset=utf8,noauto,ro,exec 0 0
    /dev/fd0 /media/floppy auto umask=0,users,iocharset=utf8,noauto,exec,flush 0 0
    # Entry for /dev/sda3 :
    UUID=40A9D9F14DCE15D9 /mnt/win_c ntfs-3g defaults 0 0
    # Entry for /dev/sda6 :
    UUID=08C7869C23285E01 /mnt/win_d ntfs-3g defaults 0 0
    none /proc proc defaults 0 0
    # Entry for /dev/sda1 :
    UUID=134ed28d-56f1-4af7-b4fb-be16e0e72b4a swap swap defaults 0 0

Sun Jan 03, 2010 14:49

jpa
NTFS-3G Lead Developer
Joined: Tue Sep 04, 2007 17:22 Posts: 1013

Re: How use MyDocuments and Shared Documents on Linux like on XP

Hi,

Quote:
> For files built on XP, for each user
> My Documents are with right owner, same group, mode 0700
> and Shared Documents right owner, same group, mode 666
> But for files built on Linux, for each user
> My Documents are with right owner, same group, mode 0644
> and Shared Documents right owner, same group, mode 644

I guess these are the protections for files created inside "My Documents" and "Shared Documents", not on the directories themselves.

Quote:
> So, on Linux, the major problem is in the Shared Documents: a user X cannot write to a file built by another user!

This is because the "umask" on Linux is probably set as 022 for each user. If you set it as zero, files will be created with protection 666 and any user will be able to overwrite files created by another user (the umask setting is generally located in a startup script such as .bashrc or .profilerc)

Code:
    # display the current umask setting
    umask
    # set umask of current user as zero
    umask 000

Quote:
> The minor problem is that all users can read in My Documents

Are you sure ? You mentioned 0700 for files created by Windows in "My Documents", this is probably due to permissions to "My Documents" being set as 0700, which means a user cannot open the "My Documents" of another user.

Please check the ownership and permissions of the directories "Shared Documents" and all "My Documents" (if in doubt, post the "ls -ld" displays).

Quote:
> I expected the same behavior between the 2 OS! But how to do it?

Windows and Linux use much different policies : initial protections for files created by Windows are defined by the parent directory, whereas initial protections for files created by Linux are only controlled by the umask. If you want a more similar policy you may use Posix ACLs, or the inherit option but they could lead to unpleasant side effects, and setting umask as zero could be enough.

Quote:
> :500:S-1-5-21-1409082233-606747145-839522115-513
> :501:S-1-5-21-1409082233-606747145-839522115-513
> :502:S-1-5-21-1409082233-606747145-839522115-513
> :503:S-1-5-21-1409082233-606747145-839522115-513

You have defined the same representation for different groups. As a consequence, groups cannot be used to differentiate the rights of users. You cannot have the same protection policy if the user-group relations are not the same on both systems.

Do you really want your users to be in different Linux groups though in same Windows group ? Unless this is important for you, you should probably force the same default group for each Linux user (option -g of usermod).

Quote:
> # Entry for /dev/sda3 :
> UUID=40A9D9F14DCE15D9 /mnt/win_c ntfs-3g defaults 0 0

Hint : as you have separated data from system, you can mount the Windows system partition as read-only, this will protect the system from unwanted changes.

Regards

Jean-Pierre

Sun Jan 03, 2010 20:25

kalagani
Joined: Sun Jan 03, 2010 12:37 Posts: 7

Re: How use MyDocuments and Shared Documents on Linux like on XP

Hi Jean-Pierre,

A)
Quote:
> Windows and Linux use much different policies : initial protections for files created by Windows are defined by the parent directory, whereas initial protections for files created by Linux are only controlled by the umask. If you want a more similar policy you may use Posix ACLs, or the inherit option but they could lead to unpleasant side effects, and setting umask as zero could be enough.

but umask will play on My Documents and on Shared Documents, no?
and in My Documents, there is a risk that any user writes a file built by another!

Nevertheless, after changing the umask from 0022 to 0 in /etc/bashrc, only files built by root have a change in permissions!!!

in Shared Documents (DocumentsFamille) ls -ld =777
then ls -l shows the permission is linked to the user and the OS where the file is built
so the major problem is always a file built by user alexandra under Linux is not writable by another user while not for same user building file under XP
note: XP = file built on XP, Linux = file built on Linux

Code:
    drwxrwxrwx 1 root root 4096 2010-01-04 16:20 ./
    -rw-r--r-- 1 alexandra alexandra 0 2010-01-04 15:40 alexandraLinux6.txt
    -rw-rw-rw- 2 alexandra root 0 2010-01-04 15:28 alexandraXP6.txt
    -rw-rw-rw- 2 melissa root 0 2010-01-04 15:31 melissaXP6.txt
    -rw-rw-rw- 1 root root 0 2010-01-04 16:20 rootLinux6.txt

or in My Documents (alexandra user) ls -ld =700
then ls -l
the minor problem is always a file built by user alexandra under Linux is readable by another user while it is not readable under XP

Code:
    drwx------ 1 alexandra root 4096 2010-01-04 16:25 ./
    -rw-r--r-- 1 alexandra alexandra 0 2010-01-04 15:44 alexandraLinux6.txt
    -rw-rw-rw- 1 root root 0 2010-01-04 16:25 rootLinux6.txt
    -rwx------ 2 alexandra root 0 2010-01-04 15:29 AlexandraXP6.txt*

B)
Quote:
> Quote:
> > :500:S-1-5-21-1409082233-606747145-839522115-513
> > :501:S-1-5-21-1409082233-606747145-839522115-513
> > :502:S-1-5-21-1409082233-606747145-839522115-513
> > :503:S-1-5-21-1409082233-606747145-839522115-513
>
> You have defined the same representation for different groups. As a consequence, groups cannot be used to differentiate the rights of users. You cannot have the same protection policy if the user-group relations are not the same on both systems.
> Do you really want your users to be in different Linux groups though in same Windows group ? Unless this is important for you, you should probably force the same default group for each Linux user (option -g of usermod).

in fact I am using the default group on XP and Linux
so, you are right, in this case I have to remove the group
so the UserMapping file used with the umask=0

Code:
    500::S-1-5-21-1409082233-606747145-839522115-1003
    501::S-1-5-21-1409082233-606747145-839522115-1004
    502::S-1-5-21-1409082233-606747145-839522115-1005
    503::S-1-5-21-1409082233-606747145-839522115-1006
    ::S-1-5-21-1409082233-606747145-839522115-10000

C)
Quote:
> Quote:
> > # Entry for /dev/sda3 :
> > UUID=40A9D9F14DCE15D9 /mnt/win_c ntfs-3g defaults 0 0
>
> Hint : as you have separated data from system, you can mount the Windows system partition as read-only, this will protect the system from unwanted changes.

you are right, but as at installation I used a bash script to move the Shared Documents from C: to D:, I was not able to, so now I can add the ro option, it is safer!
But if I mount this Windows system partition with noauto instead of ro, it is better, no?

Thanks

Mon Jan 04, 2010 18:56

jpa
NTFS-3G Lead Developer
Joined: Tue Sep 04, 2007 17:22 Posts: 1013

Re: How use MyDocuments and Shared Documents on Linux like on XP

Hi,

Quote:
> but umask will play on My Documents and on Shared Documents, no?

Yes.

Quote:
> and in My Documents, there is a risk that any user writes a file built by another!

No, because "My Documents" is protected as 700, so only the owner of "My Documents" can enter it (even if inner files are not protected).

Quote:
> Nevertheless, after changing the umask from 0022 to 0 in /etc/bashrc, only files built by root have a change in permissions!!!

This is strange. Logout and login again as a plain user so that /etc/bashrc is executed, and check again (type umask)

Quote:
> or in My Documents (alexandra user) ls -ld =700
> then ls -l
> the minor problem is always a file built by user alexandra under Linux is readable by another user while it is not readable under XP
> Code:
>     drwx------ 1 alexandra root 4096 2010-01-04 16:25 ./
>     -rw-r--r-- 1 alexandra alexandra 0 2010-01-04 15:44 alexandraLinux6.txt

Wrong : melissa cannot access alexandraLinux6.txt because she cannot open the parent directory (did she really try to read the file ?).

Quote:
> in fact I am using the default group on XP and Linux

The default group on XP is unique, whereas on Linux, each user has his own default group. With your UserMapping, all files created on ntfs will appear in the group 500. What I was suggesting is to put all the users in the same group to reduce confusion, but you may want not to do that.

Quote:
> so, you are right, in this case I have to remove the group

No, keep one group (say 500) and map it to the Windows group (...-513), and define 500 as the default group for users 501, 502 and 503. This was just a suggestion.

Note : your requirements should be satisfied in the current situation, but if you feel the solution is not satisfactory, try using Windows inheritance on Linux, by putting the option inherit in /etc/fstab (then umount and mount again), you may get a result more close to what you expect.

Quote:
> But if I mount this Windows system partition with noauto instead of ro, it is better, no?

Yes, you may prefer to do so.

Regards

Jean-Pierre

Mon Jan 04, 2010 20:29

kalagani
Joined: Sun Jan 03, 2010 12:37 Posts: 7

Re: How use MyDocuments and Shared Documents on Linux like on XP

Hi Jean-Pierre,

Quote:
> This is strange. Logout and login again as a plain user so that /etc/bashrc is executed, and check again (type umask)

yes, really strange, impossible to have umask=0 for a user
I tried
in /etc/bashrc => umask=0 only for root, 0022 for user
in /etc/bashrc and /etc/profile => same results

Nothing about umask in ~/.bashrc and ~/.bash_profile!

Added in /etc/fstab (after reverting /etc/bashrc and /etc/profile)

Code:
    # Entry for /dev/sda6 :
    UUID=08C7869C23285E01 /mnt/win_d ntfs-3g iocharset=utf8,codepage=850,umask=000 0 0

result: umask always=0022

To find where the umask is written, I launched
rgrep -iFlr umask . > toto 2>&1
on the / partition
...so, at this time the command is still running...

Do you have an idea about where the umask for users is written on mandriva 2008.1?

Thanks

Tue Jan 05, 2010 21:32

jpa
NTFS-3G Lead Developer
Joined: Tue Sep 04, 2007 17:22 Posts: 1013

Re: How use MyDocuments and Shared Documents on Linux like on XP

Hi,

Quote:
> yes, really strange, impossible to have umask=0 for a user
> I tried
> in /etc/bashrc => umask=0 only for root, 0022 for user

In my own /etc/bashrc there is a condition :

Code:
    if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
        umask 002
    else
        umask 022
    fi

This implies 002 for normal users. Apparently the condition is different on your system, as you get 022. Insert an "echo" to check which one is executed.

Quote:
> Nothing about umask in ~/.bashrc and ~/.bash_profile!

Try inserting the umask in ~/.bashrc (after the call to /etc/bashrc).

Quote:
> Added in /etc/fstab (after reverting /etc/bashrc and /etc/profile)

This is not relevant. The umask option in mount does not prevent the normal umask from being applied.

Quote:
> Do you have an idea about where the umask for users is written on mandriva 2008.1?

The one in /etc/bashrc is probably the only one. Are you using bash as your default shell ? (check in /etc/passwd).

Also, regarding the users being in different groups, having only one group explicitly defined in UserMapping may be more satisfactory for you :

Code:
    500::S-1-5-21-1409082233-606747145-839522115-1003
    501::S-1-5-21-1409082233-606747145-839522115-1004
    502::S-1-5-21-1409082233-606747145-839522115-1005
    503::S-1-5-21-1409082233-606747145-839522115-1006
    :500:S-1-5-21-1409082233-606747145-839522115-513
    ::S-1-5-21-1409082233-606747145-839522115-10000

This way each user will have his/her file appearing with the correct group name. The groups 501, 502 and 503 will not be recognized by Windows, but this does not matter because in your situation the rights for "other" are always the same as the rights for "group". However files created by Windows will appear in group 500.

Regards

Jean-Pierre

Tue Jan 05, 2010 22:24

kalagani
Joined: Sun Jan 03, 2010 12:37 Posts: 7

Re: How use MyDocuments and Shared Documents on Linux like on XP

Hi Jean-Pierre,

yes, all users and root are using bash

Code:
    cat /etc/passwd |grep bash
    root:x:0:0:root:/root:/bin/bash
    alexandra:x:500:500:alexandra:/home/alexandra:/bin/bash
    william:x:501:501:william:/home/william:/bin/bash
    melissa:x:502:502:melissa:/home/melissa:/bin/bash
    marie:x:503:503:marie:/home/marie:/bin/bash

So, I put an echo, like you said, in the condition I also have in /etc/bashrc

Code:
    if [ "`id -gn`" = "`id -un`" -a `id -u` -gt 99 ]; then
        #umask 02
        # PM 20090105: change umask because shared documents between Windows and Linux
        umask 000
        echo "umask 000 the nightmare"
    else
        umask 022
        echo "umask 022"
    fi

Sorry for the lost time, you are right: for each user the if is active and the else is only for root
but nevertheless, I am going mad...
in the Konsole launched at startup (login=alexandra), echo displays umask=0 but when verifying, umask=0022 !
then making a su on each user, alexandra also, then root, the echo and the verification are OK=0000

Code:
    umask 000 the nightmare
    [alexandra@localhost ~]$ umask
    0022
    [alexandra@localhost ~]$ su - william
    Mot de passe :
    umask 000 the nightmare
    [william@localhost ~]$ umask
    0000
    [william@localhost ~]$ su - marie
    Mot de passe :
    umask 000 the nightmare
    [marie@localhost ~]$ umask
    0000
    [marie@localhost ~]$ su - melissa
    Mot de passe :
    umask 000 the nightmare
    [melissa@localhost ~]$ umask
    0000
    [melissa@localhost ~]$ su - alexandra
    umask 000 the nightmare
    [alexandra@localhost ~]$ umask
    0000
    [alexandra@localhost ~]$ su - root
    Mot de passe :
    umask 022
    [root@localhost ~]# umask
    0022
    [root@localhost ~]#

So, when umask=0000 for each user
in each My Documents there are -rw-rw-rw- instead of -rw-r--r--

Code:
    -rw-rw-rw- 1 alexandra alexandra 0 2010-01-05 23:18 alexandraLinux8.txt
    -rw-rw-rw- 1 william william 0 2010-01-05 23:27 williamLinux8.txt
    -rw-rw-rw- 1 marie marie 0 2010-01-05 23:39 marieLinux8.txt
    -rw-rw-rw- 1 melissa melissa 0 2010-01-05 23:41 melissaLinux8.txt

but in Shared Documents the alexandra user used at login continues to be strange:
first touch (umask=000) but permissions are bad (-rw-r--r--)
and after su then exit on another user
second alexandra touch is OK (-rw-rw-rw-)
(it is OK also for the other users -rw-rw-rw-)

Code:
    -rw-r--r-- 1 alexandra alexandra 0 2010-01-05 23:25 alexandraLinux8.txt
    -rw-rw-rw- 1 william william 0 2010-01-05 23:28 williamLinux8.txt
    -rw-rw-rw- 1 alexandra alexandra 0 2010-01-05 23:32 alexandraLinux8-2.txt
    -rw-rw-rw- 1 marie marie 0 2010-01-05 23:40 marieLinux8.txt
    -rw-rw-rw- 1 melissa melissa 0 2010-01-05 23:41 melissaLinux8.txt

So, to sum up, now my requirements are almost OK, except for the strange behavior in the Konsole launched with the account alexandra at login!

Do you have another idea?

Thanks once again, Jean-Pierre

Note: I removed the umask in /etc/fstab

Code:
    UUID=08C7869C23285E01 /mnt/win_d ntfs-3g iocharset=utf8,codepage=850 0 0

and my UserMapping file is now

Code:
    500::S-1-5-21-1409082233-606747145-839522115-1003
    501::S-1-5-21-1409082233-606747145-839522115-1004
    502::S-1-5-21-1409082233-606747145-839522115-1005
    503::S-1-5-21-1409082233-606747145-839522115-1006
    :1001:S-1-5-21-1409082233-606747145-839522115-513
    ::S-1-5-21-1409082233-606747145-839522115-10000

with 1001 on Linux

Code:
    famille:x:1001:alexandra,william,melissa,marie

Wed Jan 06, 2010 01:16

jpa
NTFS-3G Lead Developer
Joined: Tue Sep 04, 2007 17:22 Posts: 1013

Re: How use MyDocuments and Shared Documents on Linux like on XP

Hi,

Quote:
> with 1001 on Linux
> Code:
>     famille:x:1001:alexandra,william,melissa,marie

So, everybody is in group "famille", but

Code:
    william:x:501:501:william:/home/william:/bin/bash

So 501 is still the default group for william, which means the files he creates are in group 501 not 1001 (similarly for other users) :

Code:
    -rw-rw-rw- 1 william william 0 2010-01-05 23:27 williamLinux8.txt

and the group william uses a reference derived from the implicit user mapping (last user mapping line), which will not be recognized by Windows. This is probably not a problem, but you may want his files to appear as "william famille", and to do that 1001 has to be his default group. The command to do that is roughly (not tested) :

Code:
    usermod -g 1001 -G 501 william

Now, this has a consequence on the umask setting, because the condition contains the subexpression "`id -gn`" = "`id -un`" which is a test whether the user and the group have the same name. With the proposed group setting "william" is different from "famille" so the other umask would be executed. I would remove this subexpression from the condition to avoid that :

Code:
    if [ `id -u` -gt 99 ]; then
        umask 000

Quote:
> So, to sum up, now my requirements are almost OK, except for the strange behavior in the Konsole launched with the account alexandra at login!

This is unclear to me. Add

Code:
    id

at the end of /etc/bashrc so that the user's parameters get displayed.

Regards

Jean-Pierre

Wed Jan 06, 2010 13:20

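Added example (not part of the thread, and not code from ntfs-3g or Mandriva): the /etc/bashrc condition discussed in the reply above, rewritten as functions that take the uid, user name and primary group name as arguments, followed by a probe that creates a file under the selected umask. The function names are hypothetical; the user names and ids mirror the /etc/passwd lines quoted in the thread.

```sh
#!/bin/sh
# Added illustration. Nothing here touches /etc/bashrc or any real account.

# Same test as the /etc/bashrc condition quoted in the thread, with uid, user
# name and primary group name passed in instead of being read from `id`.
# Prints the umask that the script would select.
bashrc_umask() {    # usage: bashrc_umask UID USER PRIMARY_GROUP
    if [ "$3" = "$2" ] && [ "$1" -gt 99 ]; then
        echo 000    # branch edited for the shared NTFS documents
    else
        echo 022    # branch left at the distribution default
    fi
}

# Same selection with the name comparison removed, as suggested in the reply.
bashrc_umask_uid_only() {    # usage: bashrc_umask_uid_only UID
    if [ "$1" -gt 99 ]; then echo 000; else echo 022; fi
}

# Create an empty file under the given umask and print its octal mode.
created_mode() {    # usage: created_mode UMASK
    (
        dir=$(mktemp -d) || exit 1
        umask "$1"
        : > "$dir/probe"
        # GNU stat first, BSD stat as fallback
        stat -c %a "$dir/probe" 2>/dev/null || stat -f %Lp "$dir/probe"
        rm -rf "$dir"
    )
}

report() {    # usage: report LABEL UMASK
    printf '%-32s umask %s -> new files get mode %s\n' \
        "$1" "$2" "$(created_mode "$2")"
}

report "william, primary group william" "$(bashrc_umask 501 william william)"
report "william, primary group famille" "$(bashrc_umask 501 william famille)"
report "william, uid-only condition"    "$(bashrc_umask_uid_only 501)"
report "root"                           "$(bashrc_umask 0 root root)"
```

With the name comparison left in place, moving william to the primary group famille silently puts him back on umask 022, so his new files in the shared folder are no longer writable by the rest of the family.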
kalagani
Joined: Sun Jan 03, 2010 12:37 Posts: 7

Re: How use MyDocuments and Shared Documents on Linux like on XP

Hi Jean-Pierre,

you wrote
Quote:
> Quote:
> > So, to sum up, now my requirements are almost OK, except for the strange behavior in the Konsole launched with the account alexandra at login!
>
> This is unclear to me. Add
> Code:
>     id
> at the end of /etc/bashrc so that the user's parameters get displayed.

but sorry, before reading your post I had already put my tags
in /etc/bashrc with no change to the conditions

Code:
    if [ "`id -gn`" = "`id -un`" -a `id -u` -gt 99 ]; then
        # PM 20090105: change umask because shared documents between Windows and Linux
        umask 002
        echo "`umask` in `id -un` in /etc/bashrc -> UMASK_ROOT=$UMASK_ROOT UMASK_USER=$UMASK_USER"
    else
        umask 022
        echo "`umask` in `id -un` in /etc/bashrc -> UMASK_ROOT=$UMASK_ROOT UMASK_USER=$UMASK_USER"
    fi

and in /$HOME/.bashrc, also setting the umask to 006= -rw-rw----

Code:
    echo "`umask` in `id -un`/.bashrc -> UMASK_ROOT=$UMASK_ROOT UMASK_USER=$UMASK_USER"
    # Source global definitions
    if [ -f /etc/bashrc ]; then
        . /etc/bashrc
    fi
    # PM 20090105: change umask because shared documents between Windows and Linux
    umask 006
    echo "`umask` in `id -un`/.bashrc -> UMASK_ROOT=$UMASK_ROOT UMASK_USER=$UMASK_USER"

(in my mandriva2008.1 /etc/bashrc is launched in /$HOME/.bashrc)

So the result when launching Konsole

Code:
    0006 in alexandra/.bashrc -> UMASK_ROOT= UMASK_USER=
    0022 in alexandra in /etc/bashrc -> UMASK_ROOT= UMASK_USER=
    0006 in alexandra/.bashrc -> UMASK_ROOT=022 UMASK_USER=022

then making su william, exit, su - william, exit

Code:
    [alexandra@localhost ~]$ su william
    Mot de passe :
    0006 in william/.bashrc -> UMASK_ROOT= UMASK_USER=
    0022 in william in /etc/bashrc -> UMASK_ROOT= UMASK_USER=
    0006 in william/.bashrc -> UMASK_ROOT=022 UMASK_USER=022umask
    [william@localhost alexandra]$ exit
    exit
    [alexandra@localhost ~]$ su - william
    Mot de passe :
    0022 in william/.bashrc -> UMASK_ROOT=022 UMASK_USER=022
    0022 in william in /etc/bashrc -> UMASK_ROOT=022 UMASK_USER=022
    0006 in william/.bashrc -> UMASK_ROOT=022 UMASK_USER=022umask
    [william@localhost ~]$

so typing the last exit, going back to alexandra, the umask is now 0006
while at launching Konsole it stayed at 022 without the modification in /$HOME/.bashrc

Code:
    [alexandra@localhost ~]$ umask
    0006
    [alexandra@localhost ~]$

Quote:
> Quote:
> > with 1001 on Linux
> > Code:
> >     famille:x:1001:alexandra,william,melissa,marie
>
> So, everybody is in group "famille", but
> Code:
>     william:x:501:501:william:/home/william:/bin/bash
>
> So 501 is still the default group for william, which means the files he creates are in group 501 not 1001 (similarly for other users) :

you are right, there was a mismatch on the groups, so I removed the 50x groups set by default, now I have

Code:
    alexandra:x:500:1001:alexandra:/home/alexandra:/bin/bash
    william:x:501:1001:william:/home/william:/bin/bash
    melissa:x:502:1001:melissa:/home/melissa:/bin/bash
    marie:x:503:1001:marie:/home/marie:/bin/bash

and adapted the UserMapping file

Code:
    500:1001:S-1-5-21-1409082233-606747145-839522115-1003
    501:1001:S-1-5-21-1409082233-606747145-839522115-1004
    502:1001:S-1-5-21-1409082233-606747145-839522115-1005
    503:1001:S-1-5-21-1409082233-606747145-839522115-1006
    :1001:S-1-5-21-1409082233-606747145-839522115-513
    ::S-1-5-21-1409082233-606747145-839522115-10000

So, now summing up:
with only adding umask=006 in each /$HOME/.bashrc and removing the mismatches in groups
results in My Documents

Code:
    -rw-rw---- 1 alexandra famille 0 2010-01-06 23:24 alexandraLinux10.txt
    -rwx------ 2 alexandra famille 0 2010-01-06 23:29 alexandraXP10.txt*

and in Shared Documents

Code:
    -rw-rw---- 1 alexandra famille 0 2010-01-06 23:24 alexandraLinux10.txt
    -rw-rw-rw- 2 alexandra famille 0 2010-01-06 23:30 alexandraXP10.txt

So, on the LINUX side:
in My Documents the minor problem does not exist, like you said: a user X cannot read a file built by user Y because X cannot open the Y parent directory
and in the Shared Documents the major problem
Quote:
> so the major problem is always a file built by user alexandra under Linux is not writable by another user while not for same user building file under XP
> note: XP = file built on XP, Linux = file built on Linux

disappears

What maybe remains is tuning on the XP side to also have -rw-rw---- instead of -rw-rw-rw-, to avoid the shared files being readable and writable by the world
I am thinking of making a new group instead of 513 with only the same members as in the LINUX famille group...but I have never done that on Windows...
Maybe another nightmare for me! Do you know how to do it?

Thanks Jean-Pierre

Thu Jan 07, 2010 01:49

jpa
NTFS-3G Lead Developer
Joined: Tue Sep 04, 2007 17:22 Posts: 1013

Re: How use MyDocuments and Shared Documents on Linux like on XP

Hi,

Congratulations ! your current settings match your requirements !

Code:
    if [ "`id -gn`" = "`id -un`" -a `id -u` -gt 99 ]; then
        # PM 20090105: change umask because shared documents between Windows and Linux
        umask 002
        echo "`umask` in `id -un` in /etc/bashrc -> UMASK_ROOT=$UMASK_ROOT UMASK_USER=$UMASK_USER"
    else
        umask 022
        echo "`umask` in `id -un` in /etc/bashrc -> UMASK_ROOT=$UMASK_ROOT UMASK_USER=$UMASK_USER"
    fi

This has become very complicated, and needlessly complex. Now everybody is in the same default group, so you need not set the write permission for "other". As a consequence, you may replace all the above by a single umask valid for all situations :

Quote:
> so typing the last exit, going back to alexandra, the umask is now 0006
> while at launching Konsole it stayed at 022 without the modification in /$HOME/.bashrc

So Konsole changes the umask...

Quote:
> and adapted the UserMapping file
> Code:
>     500:1001:S-1-5-21-1409082233-606747145-839522115-1003
>     501:1001:S-1-5-21-1409082233-606747145-839522115-1004
>     502:1001:S-1-5-21-1409082233-606747145-839522115-1005
>     503:1001:S-1-5-21-1409082233-606747145-839522115-1006
>     :1001:S-1-5-21-1409082233-606747145-839522115-513
>     ::S-1-5-21-1409082233-606747145-839522115-10000

This is wrong : you have multidefined the group 1001, but the line with a group and no user has priority, so it does not really matter.

However the correct user mapping is the one you had the day before :

Code:
    500::S-1-5-21-1409082233-606747145-839522115-1003
    501::S-1-5-21-1409082233-606747145-839522115-1004
    502::S-1-5-21-1409082233-606747145-839522115-1005
    503::S-1-5-21-1409082233-606747145-839522115-1006
    :1001:S-1-5-21-1409082233-606747145-839522115-513
    ::S-1-5-21-1409082233-606747145-839522115-10000

Quote:
> What maybe remains is tuning on the XP side to also have -rw-rw---- instead of -rw-rw-rw-, to avoid the shared files being readable and writable by the world
> I am thinking of making a new group instead of 513 with only the same members as in the LINUX famille group...but I have never done that on Windows...
> Maybe another nightmare for me! Do you know how to do it?

That is an option which I feel useless, and I will not be able to help you much...

Regards

Jean-Pierre

Thu Jan 07, 2010 09:39

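Added example (not part of the thread, and not ntfs-3g's own validation): a small shell/awk check for the two UserMapping mistakes pointed out in jpa's replies, namely one SID standing for several gids (first reply) and one gid defined on several lines (reply above). The function names are hypothetical, the SIDs in the samples are constructed, and skipping `#` comment lines is an assumption about the file format.

```sh
#!/bin/sh
# Added illustration: lint a UserMapping file (uid:gid:SID per line) read
# from stdin or from the files given as arguments. Prints one finding per
# line and returns 1 if there is at least one.
lint_usermapping() {
    awk -F: '
        { sub(/\r$/, "") }              # tolerate CRLF line endings
        /^[ \t]*(#|$)/ { next }         # assumed: comments and blank lines
        NF != 3 || $3 !~ /^S-1-[0-9-]+$/ {
            printf "line %d: not of the form uid:gid:SID\n", NR
            bad = 1; next
        }
        $2 != "" {
            if ($2 in gid_line) {
                printf "line %d: gid %s already defined on line %d\n", NR, $2, gid_line[$2]
                bad = 1
            } else {
                gid_line[$2] = NR
            }
            if (($3 in sid_gid) && sid_gid[$3] != $2) {
                printf "line %d: SID %s already stands for gid %s\n", NR, $3, sid_gid[$3]
                bad = 1
            } else if (!($3 in sid_gid)) {
                sid_gid[$3] = $2
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$@"
}

# Constructed sample: one Linux group per user, all mapped to one Windows group SID.
sample_per_user_groups() {
    cat <<'EOF'
500::S-1-5-21-1111111111-2222222222-3333333333-1003
501::S-1-5-21-1111111111-2222222222-3333333333-1004
:500:S-1-5-21-1111111111-2222222222-3333333333-513
:501:S-1-5-21-1111111111-2222222222-3333333333-513
::S-1-5-21-1111111111-2222222222-3333333333-10000
EOF
}

# Constructed sample: the gid repeated on every user line and on the group line.
sample_gid_repeated() {
    cat <<'EOF'
500:1001:S-1-5-21-1111111111-2222222222-3333333333-1003
501:1001:S-1-5-21-1111111111-2222222222-3333333333-1004
:1001:S-1-5-21-1111111111-2222222222-3333333333-513
::S-1-5-21-1111111111-2222222222-3333333333-10000
EOF
}

# Constructed sample: users without gid, one group line, one default line.
sample_one_group() {
    cat <<'EOF'
500::S-1-5-21-1111111111-2222222222-3333333333-1003
501::S-1-5-21-1111111111-2222222222-3333333333-1004
:1001:S-1-5-21-1111111111-2222222222-3333333333-513
::S-1-5-21-1111111111-2222222222-3333333333-10000
EOF
}

for sample in sample_per_user_groups sample_gid_repeated sample_one_group; do
    echo "== $sample"
    "$sample" | lint_usermapping || true
done
```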
kalagani
Joined: Sun Jan 03, 2010 12:37 Posts: 7

Re: How use MyDocuments and Shared Documents on Linux like on XP

Hi Jean-Pierre,

after some problems, I dropped the use of a group on XP.
I also added a fifth user with special permissions and not belonging to the family group.

So, as I must give the PC to the family, I post here for the community my last requirements and also how I did it on the XP and Linux sides

Nevertheless, if you have remarks, I will try to implement them...

Thanks for your help

Kalagani

Requirements:
PC dual boot XP pro + mandriva2008.1 (with the latest ntfs-3g 2009.11.4)
4 users in a same family group and a fifth guest user
Under each OS:
_the 5 accounts can read or write in their private "My Documents" on a same D: ntfs partition space
 the 4 family's accounts can read in the private guest's "My Documents"
_the 4 family's accounts can read or write in a "Shared Documents" on a same D: ntfs partition space
 the guest account can only read in "Music sub-folder" on the "Shared Documents" parent.

quickly HOWTO:

XP side:
_for each user move the "My Documents" from C: to D:
_set each "My Documents" in "confidential" for the 4 family's accounts, not for the guest
_move also the "Shared Documents" from C: to D: (the registry, BDR, is modified according to the move)
_set the permissions for the guest account on the "Shared Documents" parent
 a) disable the simple file sharing to display the Security and Sharing tabs (kb307874)
    so, using the Security (Sécurité) tab, add the guest account on the "Shared Documents" parent folder
    in column Autorize (Autoriser), leave the default values...
    in column Refuse (Refuser), set Write (Ecriture)
    now, tune to avoid deletion by using Advanced parameters (Paramètres avancés)
    select the Refuse|guest account|Write (Refuser|guest account|Ecriture) line
    then click the Modify (Modifier) button
    in column Refuse (Refuser), set Removing sub-folder and file (Suppression de sous-dossier et fichier) -> OK
    then propagate permissions to all sub-folders in "Shared Documents" by selecting the second line
    Replace permission entries on all child objects...
 b) on all sub-folders except the "Music sub-folder" remove the propagated default permissions
    always using the Security tab, in column Refuse, set
    Read and execution (Lecture et exécution)
    Display folder (Affichage du contenu du dossier)
    Read (Lecture)
_note the SID for the 5 accounts

Linux side:
_for each /home/user make links to the "My Documents" and the "Shared Documents" on D:
_in each ~/.bashrc change the umask to 002 for the 5 accounts
_on the "Shared Documents", set the right permissions to have only read on "Music sub-folder" for the guest
_make a group Family and put in the user's Uid except the guest Uid
_set a .NTFS-3G folder on the D: partition and make the UserMapping file according to Uid, Gid and previously noted SID
_at the end, set the Windows system C: partition to read only in fstab

Used UserMapping file:

Code:
    500::S-1-5-21-1409082233-606747145-839522115-1003
    501::S-1-5-21-1409082233-606747145-839522115-1004
    502::S-1-5-21-1409082233-606747145-839522115-1005
    503::S-1-5-21-1409082233-606747145-839522115-1006
    504::S-1-5-21-1409082233-606747145-839522115-1010
    :1001:S-1-5-21-1409082233-606747145-839522115-513
    ::S-1-5-21-1409082233-606747145-839522115-10000

500 to 503=Uid users in the family, 504=Guest Uid
Each Uid is followed by the respective Windows SID
1001=Gid Famille group followed by the Windows "None" group SID
Last line mandatory for unexpected user

Linux permissions on the "Shared Documents" space folders

Code:
    [alexandra@localhost win_d]$ ll
    drwxrwxr-x 1 root famille 4096 2010-01-23 17:41 CommunsFamille/
    [alexandra@localhost CommunsFamille]$
    drwxrwx--- 1 root famille 12288 2010-01-29 17:33 DocumentsFamille/
    drwxrwx--- 1 root famille 0 2010-01-22 00:17 ImagesFamille/
    drwxrwxr-x 1 root famille 4096 2010-01-26 08:16 MusiqueFamille/
    drwxrwx--- 1 root famille 0 2010-01-23 16:45 VidéosFamille/

Linux permissions on each "My Documents" space folders

Code:
    drwx------ 1 alexandra famille 4096 2010-01-12 17:53 alexandra/
    drwx------ 1 marie famille 4096 2010-01-23 12:25 marie/
    drwx------ 1 melissa famille 4096 2010-01-26 23:52 melissa/
    drwx------ 1 william famille 4096 2010-01-26 23:31 william/
    drwxrwxrwx 1 zinvite famille 4096 2010-01-27 00:14 zinvite/

Linux links to Windows partition D: (same for each user, ex for marie)

Code:
    drwxr-xr-x 2 marie famille 4096 2010-01-22 22:38 Bureau/
    lrwxrwxrwx 1 root famille 25 2010-01-01 12:28 CommunsFamille -> /mnt/win_d/CommunsFamille/
    lrwxrwxrwx 1 marie famille 26 2010-01-01 12:28 Documents -> /mnt/win_d/marie/Documents/
    lrwxrwxrwx 1 marie famille 23 2010-01-01 12:28 Images -> /mnt/win_d/marie/Images/
    lrwxrwxrwx 1 marie famille 24 2010-01-01 12:28 Musique -> /mnt/win_d/marie/Musique/
    lrwxrwxrwx 1 marie famille 34 2010-01-01 12:28 Téléchargements -> /mnt/win_d/marie/Téléchargements/
    lrwxrwxrwx 1 marie famille 4 2010-01-01 12:28 tmp -> /tmp/
    lrwxrwxrwx 1 marie famille 24 2010-01-01 12:28 Vidéos -> /mnt/win_d/marie/Vidéos/

Results on the Linux side after building files on the XP side and the Linux side:

on the "Shared Documents" space files

Code:
    -rw-rw-r-- 2 alexandra famille 0 2010-01-29 20:27 alexandraXP28.txt
    -rw-rw-r-- 2 marie famille 0 2010-01-29 22:28 marieXP28.txt
    -rw-rw-r-- 2 melissa famille 0 2010-01-29 22:30 melissaXP28.txt
    -rw-rw-r-- 2 william famille 0 2010-01-29 22:32 williamXP28.txt
    -rw-rw-r-- 1 alexandra famille 0 2010-01-29 22:46 alexandraLinux28.txt
    -rw-rw-r-- 1 marie famille 0 2010-01-29 22:53 marieLinux28.txt
    -rw-rw-r-- 1 melissa famille 0 2010-01-29 23:04 melissaLinux28.txt
    -rw-rw-r-- 1 william famille 0 2010-01-29 23:05 williamLinux28.txt

same permissions for files built on the XP or Linux side
readable, writable for all members of the family,
only readable for other according to permissions on "Shared Documents", in fact only readable in "sub-folder Music"
=> requirements OK

on each "My Documents" space folders

Code:
    -rwx------ 2 alexandra famille 0 2010-01-29 20:27 alexandraXP28.txt*
    -rw-rw-r-- 1 alexandra famille 0 2010-01-29 22:45 alexandraLinux28.txt
    -rw------- 2 marie famille 0 2010-01-29 23:49 marieXP28.txt
    -rw-rw-r-- 1 marie famille 0 2010-01-29 22:54 marieLinux28.txt
    -rwx------ 2 melissa famille 0 2010-01-29 22:31 melissaXP28.txt*
    -rw-rw-r-- 1 melissa famille 0 2010-01-29 23:04 melissaLinux28.txt
    -rwx------ 2 william famille 0 2010-01-29 22:32 williamXP28.txt*
    -rw-rw-r-- 1 william famille 0 2010-01-29 23:06 williamLinux28.txt
    -rwxr-xr-x 2 zinvite famille 0 2010-01-29 22:33 zinviteXP28.txt*
    -rw-rw-rw- 1 zinvite zinvite 0 2010-01-29 23:08 zinviteLinux28.txt

permission differences between files built on the XP side and the Linux side,
on the Linux side for the family's members, like already said, a user X cannot read a file built by user Y because X cannot open the Y parent directory
(true also on the Windows side, and also permissions=-rwx------ are better than -rw-rw-r--)
All users can only read the files built by the guest zinvite
=> requirements OK, even if I do not know why -rw------- instead of -rwx------ for marie

extracts from /etc/group, /etc/passwd and /etc/fstab

Code:
    famille:x:1001:alexandra,william,melissa,marie

    alexandra:x:500:1001:alexandra:/home/alexandra:/bin/bash
    william:x:501:1001:william:/home/william:/bin/bash
    melissa:x:502:1001:melissa:/home/melissa:/bin/bash
    marie:x:503:1001:marie:/home/marie:/bin/bash
    zinvite:x:504:504:zinvite:/home/zinvite:/bin/bash

    # Entry for /dev/sda3 :
    UUID=40A9D9F14DCE15D9 /mnt/win_c ntfs-3g ro 0 0
    # Entry for /dev/sda6 :
    UUID=08C7869C23285E01 /mnt/win_d ntfs-3g iocharset=utf8,codepage=850 0 0

Sat Jan 30, 2010 18:27

jpa
NTFS-3G Lead Developer
Joined: Tue Sep 04, 2007 17:22 Posts: 1013
|
 Re: How use MyDocuments and Shared Documents on Linux like on XP
Hi,

That is a great example! May I borrow it for the advanced ntfs-3g website?

Quote:
=> requirements OK, even if I do not know why -rw------- instead of -rwx------ for marie

Do you mean the following file, created on marie's "My Documents"?
Code:
-rw------- 2 marie famille 0 2010-01-29 23:49 marieXP28.txt

This is a file created on Windows, so its initial protections are inherited from its parent directories. You should check (on Windows) the permissions on marie's "My Documents" directory whether the "inheritance" flag is set.

Note: a possible reason for this is that the directory was created on Linux. By default the execution is not inherited from directories created on Linux (see viewtopic.php?f=2&t=1294)

Regards

Jean-Pierre
|
| Sat Jan 30, 2010 19:18 |
|
 |
|
kalagani
Joined: Sun Jan 03, 2010 12:37 Posts: 7
|
 Re: How use MyDocuments and Shared Documents on Linux like on XP
Hi,

yes, you can borrow! Do you refer to originator?

Else, yes, the execution x was missing only for files built on XP by the marie account.
Side XP, when I compared the inherited flag on the marie account and another right one: no difference, and in all cases the flag on the first line, "Inherit from parent the permission entries...", was not selected.

But I remembered a problem I had on XP due to the shift of "My Documents" from C: to D: http://www.informatruc.com/forum/topic30286.html
So, I moved marie's "My Documents" back to the C: partition, then shifted to D:, fell into the same annex "confidential" problem described in the link above, returned to C: then to D:

Finally, after a big fright because XP froze at startup during the trial, the x is now present on XP-built files seen on the Linux side
Code:
-rwx------ 2 marie famille 0 2010-01-30 19:15 marieXPC29.txt*
-rwx------ 2 marie famille 0 2010-01-30 19:27 marieXPD29.txt*
-rwx------ 2 marie famille 0 2010-01-30 19:34 marieXPD29-1.txt*
-rw-rw-r-- 1 marie famille 0 2010-01-30 20:37 marieLinux29.txt

D = file built on the D: partition
C = file built on the C: partition

During the manipulation I saw that the flag on "Inherit from parent the permission entries..." was set when "My Documents" was on C: and not set after the shift to D:

Also, the permission for the file previously built on Linux
Code:
-rw-rw-r-- 1 marie famille 0 2010-01-29 22:54 marieLinux28.txt
became
Code:
-rwx------ 2 marie famille 0 2010-01-29 22:54 marieLinux28.txt*

after the shifts... but no problem with that.

I think this PC is ready to be delivered tomorrow... I hope.

So, thanks once again, Jean-Pierre
|
| Sat Jan 30, 2010 22:31 |
|
 |
|
jpa
NTFS-3G Lead Developer
Joined: Tue Sep 04, 2007 17:22 Posts: 1013
|
 Re: How use MyDocuments and Shared Documents on Linux like on XP
Hi,

Quote:
yes, you can borrow!

Thank you.

Quote:
Do you refer to originator?

I will of course mention the source... according to what I know and am allowed to disclose (id on the forum, first name, full name...). You can use the PM on this forum for private information.

Regards

Jean-Pierre
|
| Sun Jan 31, 2010 13:05 |
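Added example, not part of the thread and not ntfs-3g code: a small Python audit of the two requirements discussed above (no group/other access inside a "My Documents" space, group write inside the shared space), which also reports whether a private space is protected only by the mode of its top directory. The tree built by `build_demo` is constructed from the names and modes in the listings above; the 0775 mode on the shared folder and the `old.txt` file are assumptions.

```python
import os
import stat
import tempfile

GROUP_OTHER = 0o077  # every group and other permission bit

def check_mode(mode, space):
    """Issues for one mode in a 'private' (My Documents) or 'shared' space."""
    perms, issues = stat.S_IMODE(mode), []
    if space == "private" and perms & GROUP_OTHER:
        issues.append("group/other access on a private entry")
    if space == "shared" and not perms & stat.S_IWGRP:
        issues.append("not writable by the group")
    if space == "shared" and perms & stat.S_IWOTH:
        issues.append("writable by others")
    return issues

def audit(root, space):
    """Return (findings, shielded). shielded is True when a private root itself has
    no group/other bits, so other users cannot traverse into it whatever is inside."""
    top = stat.S_IMODE(os.lstat(root).st_mode)
    shielded = space == "private" and not top & GROUP_OTHER
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlinks always show lrwxrwxrwx; their mode means nothing
            issues = check_mode(st.st_mode, space)
            if issues:
                findings[os.path.relpath(path, root)] = issues
    return findings, shielded

def build_demo(base):
    """Constructed tree: names and modes modelled on the listings in the thread;
    the 0775 shared-folder mode and old.txt (0644) are assumptions."""
    layout = {"marie": (0o700, {"marieXP28.txt": 0o600, "marieLinux28.txt": 0o664}),
              "CommunsFamille": (0o775, {"marieXP28.txt": 0o664, "old.txt": 0o644})}
    for folder, (dmode, files) in layout.items():
        os.mkdir(os.path.join(base, folder))
        for name, fmode in files.items():
            path = os.path.join(base, folder, name)
            open(path, "w").close()
            os.chmod(path, fmode)
        os.chmod(os.path.join(base, folder), dmode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_demo(base)
        for folder, space in (("marie", "private"), ("CommunsFamille", "shared")):
            print(folder, *audit(os.path.join(base, folder), space))
```

A finding in a private space with `shielded` True means the file is confidential only as long as the top directory keeps its drwx------ mode, which is the situation of the Linux-built -rw-rw-r-- files in the thread.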
|