Comment 37 for bug 212098

Phoenix (phoenix-dominion) wrote :

Nautilus runs as "me" and needs to write the share data into the following place:

drwxrwx--T 2 root sambashare 4096 2008-07-28 21:05 /var/lib/samba/usershares

But this place is only writable by "sambashare" members, to which I do not belong until I re-login.

It does not matter if you have some application running as 'me' that knows I am authorized to write there; it would require something that has the privilege to write into this place, which is either a suid command or a daemon.

Suid commands are evil and should be avoided, so a little process would be required that has the permissions to write there and handles the authorization.

The question about the process is whether it is an advisable way, as you don't want to have a running process lying around for every little thing, wasting your precious resources.

The very best way would be if Linux could handle group memberships dynamically, but as Chris stated this is a very hard way to take, as it would require changing things that have worked the same way for decades - but it would be a very nice feature, which would be quite handy not only for samba but possibly for other things too!

Another way would be extended attributes, which would allow the adm AND the sambashare members to write to the directory, but you might want to get some further input before you decide that you want to go for extended attributes, as they are for example not handled by some applications like tar and probably nautilus, and may quickly become as messy as the file permissions fiasco of this other OS mentioned in bug #1.

From my viewpoint you have 3 basic choices:

1: Inform the user, like you do when Firefox needs restarting or a reboot is needed due to kernel updates, that he has to log out as he got a new group membership. This way the user knows what to do and does not have to handle cryptic error messages until he finds out by accident to do a re-login.
2: Do some framework, daemon, suid, extended attributes, which may give you some work, maybe more than expected, and lead into unwanted troubles.
3: Implement dynamic group memberships - as mentioned, this is the hardest possible way, as it probably requires fundamental changes (I dunno).

* Imagine: You would have a client desktop and a Linux fileserver, and you need access to something, but you don't have the access rights - so you call your sysadmin for the permissions to access that file, that mail folder or whatever. Of course the sysadmin would check if you are entitled to get access, but for the example's sake would give you the permissions by adding you to the group 'X' to access the precious files/mail/whatever. Now, what is well known today is that the user has to close all running applications and re-login to make the group membership happen. If Linux could overcome this, it would be quite something!
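A small diagnostic for the situation the comment describes (added here as an example; it is not part of the bug report, Nautilus or Samba). It assumes the Debian/Ubuntu `sambashare` group and the `/var/lib/samba/usershares` directory from the comment, and uses the standard `id -nG` and `getent group` tools to tell "added to the group, but this session predates it" apart from "not a member at all".

```sh
#!/bin/sh
# Added example: explain why a user added to "sambashare" still cannot write
# /var/lib/samba/usershares until re-login (session groups are fixed at login).

# Succeed when group $1 appears in the space-separated list $2 (output of `id -nG`).
in_session_groups() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Succeed when user $1 is in the member field of the group(5) line $2
# ("name:x:gid:user1,user2"), i.e. what `getent group sambashare` prints.
in_group_db() {
    members=${2##*:}            # text after the last colon
    old_ifs=$IFS; IFS=,
    for m in $members; do
        if [ "$m" = "$1" ]; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# Classify membership of user $2 in group $1, given session groups $3 and the
# group database line $4. Prints exactly one of:
#   active          - group is in the session; writes to the usershares dir work
#   pending-relogin - group added in the database, but this session started earlier
#   not-member      - neither; membership has not been granted at all
classify_membership() {
    if in_session_groups "$1" "$3"; then
        echo active
    elif in_group_db "$2" "$4"; then
        echo pending-relogin
    else
        echo not-member
    fi
}

# Live check on the current host; the fallback group line is a placeholder
# for systems without getent (assumption: hypothetical empty group).
diagnose() {
    dir=${1:-/var/lib/samba/usershares}
    gline=$(getent group sambashare 2>/dev/null || echo "sambashare:x:0:")
    state=$(classify_membership sambashare "$(id -un)" "$(id -nG)" "$gline")
    echo "membership: $state"
    [ -d "$dir" ] && ls -ld "$dir"
    case $state in
        pending-relogin) echo "added to sambashare; log out and back in for it to apply" ;;
        not-member)      echo "ask an administrator to add you to sambashare" ;;
    esac
}
```

Run it as `sh diagnose.sh` after calling `diagnose "$@"` at the end of the file; `active` with a still-failing share means the directory mode, not the membership, is the problem.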