diff --git a/README.md b/README.md index 0047951..b11fad1 100644 --- a/README.md +++ b/README.md @@ -101,7 +101,11 @@ sudo ./spravuj_sdileni.sh user-list ```bash sudo ./spravuj_sdileni.sh user-access [username] ``` -Interactively select which shares the user can access. +Interactively select which shares the user can access. This command: +- Adds the user to the `sambashare` group +- Sets proper filesystem permissions (group ownership + read/write) +- Removes single-user restrictions (`force user`) from shares +- Enables multi-user access with proper file ownership **Revoke user access from a share**: ```bash @@ -114,6 +118,21 @@ sudo ./spravuj_sdileni.sh user-delete [username] ``` Optionally removes the system user as well. +### How Permissions Work + +FSA uses a group-based permission system for secure multi-user access: + +1. **sambashare Group**: All Samba users are added to this group +2. **Filesystem Permissions**: Share directories are owned by group `sambashare` with read/write access +3. **SetGID Bit**: Ensures new files inherit the correct group ownership +4. **No Force User**: Multi-user shares don't force a specific user, preserving actual file ownership + +This means: +- ✅ Multiple users can read/write files +- ✅ Files show the actual creator's ownership +- ✅ Proper Unix permissions are maintained +- ✅ No permission denied errors + ## Share Types The script creates different types of shares: diff --git a/spravuj_sdileni.sh b/spravuj_sdileni.sh index b354393..39ac4bb 100755 --- a/spravuj_sdileni.sh +++ b/spravuj_sdileni.sh @@ -229,6 +229,13 @@ EOT echo "Základní konfigurace vytvořena." } +# Funkce pro zajištění existence skupiny sambashare +ensure_sambashare_group() { + if ! getent group sambashare > /dev/null 2>&1; then + groupadd sambashare 2>/dev/null || true + fi +} + # OPRAVENÁ FUNKCE: Vytvoří sdílení se správným formátováním a `force user` create_share() { local share_name="$1" 
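Review bot: `groupadd sambashare 2>/dev/null || true` in ensure_sambashare_group hides the failure, so when the group cannot be created (for example when the script is not run as root) both callers still go on to write `force group = sambashare` into the config and to run `usermod`/`chown` against a group that does not exist, each of which is also silenced with `|| true`. Let the helper report the problem instead: `groupadd sambashare || { echo "Nelze vytvořit skupinu sambashare" >&2; return 1; }`, and have the two call sites check its status before touching the config. The `getent` test already suppresses its own output, so the `2>/dev/null` on groupadd is the only thing keeping the error invisible. create_share starts in this hunk and its body continues outside it.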
@@ -277,16 +284,30 @@ EOT ;; "disk") local dfree_script=$(create_dfree_script "$share_path") - local PRIMARY_GROUP=$(id -gn "$DETECTED_USER") + + # Zajisti existenci skupiny sambashare + ensure_sambashare_group + + # Přidej detekovaného uživatele do sambashare + if ! groups "$DETECTED_USER" 2>/dev/null | grep -q "sambashare"; then + usermod -a -G sambashare "$DETECTED_USER" 2>/dev/null || true + fi + + # Nastav filesystem permissions + if [ -d "$share_path" ]; then + chown -R :sambashare "$share_path" 2>/dev/null || true + chmod -R g+rw "$share_path" 2>/dev/null || true + chmod g+s "$share_path" 2>/dev/null || true + fi + cat <> "$CONFIG_FILE" [$share_name] path = $share_path - force user = $DETECTED_USER writable = yes guest ok = no valid users = $DETECTED_USER - force group = $PRIMARY_GROUP + force group = sambashare create mask = 0664 directory mask = 0775 dfree command = $dfree_script @@ -754,6 +775,15 @@ configure_user_shares() { check_config_exists + # Zajisti existenci skupiny sambashare + ensure_sambashare_group + + # Přidej uživatele do skupiny sambashare + if ! groups "$username" 2>/dev/null | grep -q "sambashare"; then + echo "Přidávám uživatele '$username' do skupiny 'sambashare'..." + usermod -a -G sambashare "$username" + fi + # Získej seznam sdílení local shares=($(grep -E "^\[.*\]" "$CONFIG_FILE" | grep -v "\[global\]" | sed 's/\[\(.*\)\]/\1/')) 
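Review bot: `chmod -R g+rw "$share_path"` grants the group read/write but not directory traversal, so any subdirectory of the share that currently lacks group execute stays inaccessible to other sambashare members; `chmod -R g+rwX "$share_path"` adds execute only where the entry is a directory or already executable. The recursive `chown`/`chmod` over a whole disk share is irreversible and both commands discard their errors with `2>/dev/null || true`, so a partial failure (read-only mount, files owned elsewhere) leaves the share half-converted with no message — at least print a warning on non-zero status. The membership test `groups "$DETECTED_USER" | grep -q "sambashare"` is a substring match and would be satisfied by an unrelated group such as `sambashare_ro`; `id -nG "$DETECTED_USER" | grep -qw sambashare` matches the whole name. The same substring test appears in the configure_user_shares hunk below (`@@ -754,6 +775,15 @@`). create_share starts and ends outside this hunk.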
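Review bot: `usermod -a -G sambashare "$username"` is the one call in this change whose status is neither checked nor silenced, yet nothing in the hunk verifies that `$username` exists; if that validation lives outside the hunk it should be confirmed, otherwise a failing usermod prints its own error and the function goes on to grant the user access to the selected shares anyway. Guard it: `usermod -a -G sambashare "$username" || { echo "Nelze přidat uživatele '$username' do skupiny sambashare" >&2; return 1; }`. Group membership gained this way applies to new SMB sessions only, so a client already connected as that user has to reconnect before the shares become readable — worth one line in the echo that precedes usermod. configure_user_shares starts and ends outside this hunk.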
@@ -797,7 +827,18 @@ configure_user_shares() { # Přidej uživatele do valid users pro vybraná sdílení for share in "${selected_shares[@]}"; do - echo "Přidávám přístup k sdílení: [$share]" + echo "Nastavuji přístup k sdílení: [$share]" + + # Získej cestu ke sdílení + local share_path=$(grep -A 10 "^\[$share\]" "$CONFIG_FILE" | grep "^ path = " | head -1 | sed 's/^ path = //') + + if [ -n "$share_path" ] && [ -d "$share_path" ]; then + # Nastav filesystem permissions + echo " - Nastavuji filesystem oprávnění pro $share_path" + chown -R :sambashare "$share_path" 2>/dev/null || true + chmod -R g+rw "$share_path" 2>/dev/null || true + chmod g+s "$share_path" 2>/dev/null || true # SetGID bit + fi # Zkontroluj jestli sdílení má valid users if grep -A 10 "^\[$share\]" "$CONFIG_FILE" | grep -q "^ valid users ="; then @@ -808,11 +849,28 @@ configure_user_shares() { sed -i "/^\[$share\]/a\ valid users = $username" "$CONFIG_FILE" fi + # Odstraň force user pokud existuje (pro multi-user přístup) + if grep -A 10 "^\[$share\]" "$CONFIG_FILE" | grep -q "^ force user ="; then + echo " - Odstraňuji 'force user' pro podporu více uživatelů" + sed -i "/^\[$share\]/,/^\[/ s/^ force user = .*$/ \# force user removed for multi-user access/" "$CONFIG_FILE" + fi + + # Nastav force group na sambashare + if grep -A 10 "^\[$share\]" "$CONFIG_FILE" | grep -q "^ force group ="; then + sed -i "/^\[$share\]/,/^\[/ s/^ force group = .*/ force group = sambashare/" "$CONFIG_FILE" + else + sed -i "/^\[$share\]/a\ force group = sambashare" "$CONFIG_FILE" + fi + # Vypni guest ok pokud je zapnutý sed -i "/^\[$share\]/,/^\[/ s/^ guest ok = yes/ guest ok = no/" "$CONFIG_FILE" + + echo " ✅ Přístup nastaven" done - echo "✅ Přístup nastaven pro sdílení: ${selected_shares[*]}" + echo "" + echo "✅ Konfigurace dokončena pro sdílení: ${selected_shares[*]}" + echo "ℹ️ Uživatel '$username' byl přidán do skupiny 'sambashare'" } # Funkce pro odebrání přístupu uživatele ke sdílení
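Review bot: the share path is extracted with `grep -A 10 "^\[$share\]" ... | grep "^ path = " | head -1`, a fixed 10-line window that is not bounded by the section, so for a short section followed by another share the `path` of the next section can be picked up and the recursive `chown -R :sambashare`/`chmod -R g+rw` then run on the wrong directory; conversely a section with more than ten lines before `path` yields nothing. Bound the lookup by section the way the later sed edits do, and split the declaration from the assignment so the status is not masked: `local share_path; share_path=$(sed -n "/^\[$share\]/,/^\[/p" "$CONFIG_FILE" | grep "^ path = " | head -1 | sed 's/^ path = //')`. `$share` is also interpolated unescaped into these regexes (here and in the `force user`/`force group` edits of the next hunk), so a share name containing `.`, `*` or `/` mis-targets or breaks the command. As in create_share, `g+rw` should be `g+rwX` so group members can traverse existing subdirectories. configure_user_shares starts and ends outside this hunk.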
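Review bot: the `force user` and `force group` checks use `grep -A 10 "^\[$share\]"`, a 10-line window, while the `sed -i` edits that follow use the section range `/^\[$share\]/,/^\[/`; the two disagree whenever a section is longer than ten lines (an existing `force user` beyond the window is left in place, so the single-user restriction the README says is removed survives, and a `force group` beyond it gets a second `force group = sambashare` line inserted after the header, which Samba then ignores in favour of the later one) or shorter than ten (a match in the following section satisfies the check). Use the same section range for the tests: `if sed -n "/^\[$share\]/,/^\[/p" "$CONFIG_FILE" | grep -q "^ force user ="; then`, and likewise for `force group`. The closing `ℹ️ Uživatel '$username' byl přidán do skupiny 'sambashare'` is printed even when the usermod branch earlier in the function was skipped because the user was already a member; tie the message to that branch or reword it. configure_user_shares starts and ends outside this hunk.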