Luke Jaeger (Dabbler, joined Mar 16, 2016, 43 messages)
I have a FreeNAS 9.3 box bound to AD serving Samba shares. Users (students) can log in using their AD credentials and mount their home directories. That works fine.
Inside each student user's home is a dir called "publish". Whatever the student puts in there will be world-readable on the web. This happens by way of an Apache server running inside a jail on the same FreeNAS box. The jail mounts the Samba home share as read-only storage; "www" group has r-x permissions to ~somestudent and ~somestudent/publish; and that all works too (via a script that runs several times a day).
All of the above can be accomplished with straight POSIX permissions. But faculty need read access to student homes as well. If I add o+rx to the permissions, then students will be able to see one another's work, and that won't fly!
I tried adding an ACL for "www" but it didn't work:
setfacl -m g:www:rx::allow ~somestudent/publish
Did I do that wrong? I'm a little fuzzy on setfacl.
A possible added complication is that 'faculty' and 'students' are AD groups, but 'www' is local.
How can I set up ACLs such that:
- somestudent has rwx permissions to their entire home directory
- www has r-x permissions _only_ to the root level of ~somestudent, plus the entire contents of ~somestudent/publish
- faculty AD group has r-x permissions to the entire contents of ~somestudent
- students can NOT see into one another's home directories
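One way to express the four requirements above as NFSv4 ACL entries, as an added example that is not part of the original post and not FreeNAS's own tooling. It assumes the homes live on a ZFS dataset with NFSv4 ACLs and aclmode=passthrough (with "restricted" a later chmod fails, with "discard" it throws the entries away; check with `zfs get aclmode`), that the local "www" group resolves to the same gid on the host and inside the jail (ACL entries store numeric ids), and that the faculty AD group is reachable under the name in FACULTY_GROUP (how winbind spells it, domain prefix or not, depends on the Samba configuration, so that name is a placeholder). The `student_acl_plan` function only prints the entries so the layout can be reviewed without root; `apply_student_acls` runs setfacl(1) with find(1) rather than `setfacl -R`, because inherited entries only reach files created after the ACL was set and existing content has to be walked explicitly.

```shell
#!/bin/sh
# Added example, not code from the original post. NFSv4 ACL layout for one
# student home on FreeNAS 9.3 (FreeBSD, ZFS), expressed as setfacl(1) calls.
#
# Assumptions the post does not state:
#  - the homes dataset uses NFSv4 ACLs with aclmode=passthrough
#  - "www" is gid 80 both on the host and in the jail (verify with pw/getent)
#  - FACULTY_GROUP is a placeholder for however winbind names the AD group
#
# NFSv4 permission letters (setfacl(1)): r list/read, x traverse/execute,
# a read_attributes, R read_named_attrs, c read_acl. Inheritance flags:
# f = file_inherit, d = dir_inherit; empty flags = this object only.

WWW_GROUP="${WWW_GROUP:-www}"
FACULTY_GROUP="${FACULTY_GROUP:-faculty}"   # placeholder; use the real AD group name
READ="rxaRc"                                 # read-only set plus traverse

# Print the plan for home dir $1, one "scope<TAB>path<TAB>entry" per line.
# scope "self" = set on that object only; "tree" = set on every existing
# directory and file under path, and inherited by new ones.
student_acl_plan() {
    h="$1"
    # owner keeps full control everywhere (explicit, so new files inherit it)
    printf 'tree\t%s\t%s\n' "$h" "owner@:full_set:fd:allow"
    # www may list and traverse the home root only; nothing below it is
    # reachable by Apache except what publish/ grants on its own
    printf 'self\t%s\t%s\n' "$h" "g:${WWW_GROUP}:${READ}::allow"
    # faculty: read-only on the entire home, inherited by new files and dirs
    printf 'tree\t%s\t%s\n' "$h" "g:${FACULTY_GROUP}:${READ}:fd:allow"
    # publish/: www gets inherited read-only access to the whole subtree
    printf 'tree\t%s\t%s\n' "$h/publish" "g:${WWW_GROUP}:${READ}:fd:allow"
    # Deliberately nothing for group@ or everyone@: a student in the same AD
    # group as the owner gets no access, and neither does anyone else. ZFS
    # maps the mode bits onto those two entries, so the mode must not grant
    # g+rx or o+rx either.
}

# Regular files cannot carry inheritance flags; drop ":fd" for them.
strip_inherit() {
    case "$1" in
        *:fd:allow) printf '%s::allow\n' "${1%:fd:allow}" ;;
        *)          printf '%s\n' "$1" ;;
    esac
}

# Apply the plan with setfacl(1). "tree" entries are pushed onto existing
# content with find(1); inheritance alone only covers files created later.
apply_student_acls() {
    h="$1"
    tab="$(printf '\t')"
    student_acl_plan "$h" | while IFS="$tab" read -r scope path entry; do
        case "$scope" in
            self) setfacl -m "$entry" "$path" ;;
            tree) find "$path" -type d -exec setfacl -m "$entry" {} +
                  find "$path" -type f -exec setfacl -m "$(strip_inherit "$entry")" {} + ;;
        esac
    done
}

# Usage (as root, once per student and again from the periodic script):
#   apply_student_acls /mnt/tank/homes/somestudent
#   getfacl -v /mnt/tank/homes/somestudent   # verify: no group@/everyone@ read bits
```

Run `getfacl -v` on a home and a file under publish/ afterwards: the faculty entry should appear on both, the www entry only on the home root and under publish/, and the group@ and everyone@ lines should carry no r or x bits. If a Windows client later edits permissions through Samba, re-run the script; Windows-side edits replace the whole ACL.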