Community Forum

Eric Mols
Eric Mols
Offline
Resolved
0 votes
Hello,

This is my trick to implement the samba Read List and Write List to the web interface of clear os flexshare

read list
This is a list of users that are given read-only access to a service. If the connecting user is in this list then they will not be given write access, no matter what the read only option is set to. The list can include group names using the syntax described in the invalid users parameter.
This parameter will not work with the security = share in Samba 3.0. This is by design.
Default: read list =
Example: read list = mary, @students

write list
This is a list of users that are given read-write access to a service. If the connecting user is in this list then they will be given write access, no matter what the read only option is set to. The list can include group names using the @group syntax.
Note that if a user is in both the read list and the write list then they will be given write access.
By design, this parameter will not work with the security = share in Samba 3.0.
Default: write list =
Example: write list = admin, root, @staff

it is based on app-flexshare-5.2-10.i386.rpm and app-flexshare-api-5.2-10.i386.rpm

I made changes in the code of

/var/webconfig/htdocs/admin/flexshare.php
and
/var/webconfig/api/Flexshare.class.php

It works on my server ! :)

You need to create a group for the Read List and a group for the users ine the Write List

the language files must be modified to add translations for
WEB_LANG_READ_LIST "Read List"
WEB_LANG_WRITE_LIST "Write List"
FLEXSHARE_LANG_ERRMSG_INVALID_READ_LIST "Invalid Read List"
FLEXSHARE_LANG_ERRMSG_INVALID_WRITE_LIST "Invalid Write List"

this the diff for flexshare.php

100c100
< $flexshare->AddShare($_POST['add_name'], $_POST['add_description'], $_POST['add_group']);
---
> $flexshare->AddShare($_POST['add_name'], $_POST['add_description'], $_POST['add_group'], $_POST['add_rgroup'], $_POST['add_wgroup']);
127a128,129
> $flexshare->SetRGroup($name, $_POST['rgroup']);
> $flexshare->SetWGroup($name, $_POST['wgroup']);
369a372,373
> <td>" . $shares[$index]['RGroup'] . "</td>
> <td>" . $shares[$index]['WGroup'] . "</td>
403a408,409
> WEB_LANG_READ_LIST . "|" .
> WEB_LANG_WRITE_LIST . "|" .
467a474
>
472a480,490
> $add_rgroup = isset($_POST['add_rgroup']) ? $_POST['add_rgroup'] : "";
>
> if (empty($add_rgroup) && in_array(Group::CONSTANT_ALL_USERS_GROUP, $groups))
> $add_rgroup = Group::CONSTANT_ALL_USERS_GROUP;
>
> $add_wgroup = isset($_POST['add_wgroup']) ? $_POST['add_wgroup'] : "";
>
> if (empty($add_wgroup) && in_array(Group::CONSTANT_ALL_USERS_GROUP, $groups))
> $add_wgroup = Group::CONSTANT_ALL_USERS_GROUP;
>
>
488a507,514
> <td class='mytablesubheader' nowrap>" . WEB_LANG_READ_LIST . "</td>
> <td nowrap>" . WebDropDownHash("add_rgroup", $add_rgroup, $owners) . "</td>
> </tr>
> <tr>
> <td class='mytablesubheader' nowrap>" . WEB_LANG_WRITE_LIST . "</td>
> <td nowrap>" . WebDropDownHash("add_wgroup", $add_wgroup, $owners) . "</td>
> </tr>
> <tr>
569a596,631
> $rgroup_select = '';
>
> // Read List
> foreach ($groups as $group) {
> $selected = ($group === $share['ShareRGroup']) ? "selected" : '';
> $rgroup_select .= "<option value='" . $group . "' $selected>" . GROUP_LANG_GROUP . ' - ' . $group . "</option>\n";
> }
>
> foreach ($users as $group) {
> $selected = ($group === $share['ShareRGroup']) ? "selected" : '';
> $rgroup_select .= "<option value='" . $group . "' $selected>" . GROUP_LANG_USER . ' - ' . $group . "</option>\n";
> }
>
> if (empty($groups))
> $rgroup_select = WEB_LANG_GROUP_REQUIRED . " - " . WebUrlJump("groups.php", LOCALE_LANG_CONFIGURE);
> else
> $rgroup_select = "<select name='rgroup'>$rgroup_select</select>";
>
> //Write List
> $wgroup_select = '';
>
> foreach ($groups as $group) {
> $selected = ($group === $share['ShareWGroup']) ? "selected" : '';
> $wgroup_select .= "<option value='" . $group . "' $selected>" . GROUP_LANG_GROUP . ' - ' . $group . "</option>\n";
> }
>
> foreach ($users as $group) {
> $selected = ($group === $share['ShareWGroup']) ? "selected" : '';
> $wgroup_select .= "<option value='" . $group . "' $selected>" . GROUP_LANG_USER . ' - ' . $group . "</option>\n";
> }
>
> if (empty($groups))
> $wgroup_select = WEB_LANG_GROUP_REQUIRED . " - " . WebUrlJump("groups.php", LOCALE_LANG_CONFIGURE);
> else
> $wgroup_select = "<select name='wgroup'>$wgroup_select</select>";
>
585a648,655
> <td class='mytablesubheader' nowrap>" . WEB_LANG_READ_LIST . "</td>
> <td>$rgroup_select</td>
> </tr>
> <tr>
> <td class='mytablesubheader' nowrap>" . WEB_LANG_WRITE_LIST . "</td>
> <td>$wgroup_select</td>
> </tr>
> <tr>


and the diff for Flexshare.class.php


165a166,167
> const REGEX_SHARE_RGROUP = '^[[:space:]]*ShareRGroup[[:space:]]*=[[:space:]]*(.*$)';
> const REGEX_SHARE_WGROUP = '^[[:space:]]*ShareWGroup[[:space:]]*=[[:space:]]*(.*$)';
268a271,274
> } elseif (eregi(self::REGEX_SHARE_RGROUP, $line, $match)) {
> $share['RGroup'] = $match[1];
> } elseif (eregi(self::REGEX_SHARE_WGROUP, $line, $match)) {
> $share['WGroup'] = $match[1];
307a314,315
> * @param string $rgroup read list of the flexshare
> * @param string $wgroup write list of the flexshare
314c322
< function AddShare($name, $description, $group, $internal = false)
---
> function AddShare($name, $description, $group, $rgroup, $wgroup, $internal = false)
329a338,343
> if (! $this->IsValidGroup($rgroup))
> throw new ValidationException(FLEXSHARE_LANG_ERRMSG_INVALID_READ_LIST);
>
> if (! $this->IsValidGroup($wgroup))
> throw new ValidationException(FLEXSHARE_LANG_ERRMSG_INVALID_WRITE_LIST);
>
378a393,394
> " ShareRGroup=$rgroup\n" .
> " ShareWGroup=$wgroup\n" .
1717a1734,1755
>
> // Add Read list
> $group = new Group($share['ShareRGroup']);
>
> if ($group->Exists()) {
> $linestoadd .= "\tread list = @\"%D" . '\\' . trim($share["ShareRGroup"]) . "\"\n";
> } else {
> $user = new User($share['ShareRGroup']);
> if ($user->Exists())
> $linestoadd .= "\tread list = \"%D" . '\\' . trim($share["ShareRGroup"]) . "\"\n";
> }
>
> // Add Write list
> $group = new Group($share['ShareWGroup']);
>
> if ($group->Exists()) {
> $linestoadd .= "\twrite list = @\"%D" . '\\' . trim($share["ShareWGroup"]) . "\"\n";
> } else {
> $user = new User($share['ShareWGroup']);
> if ($user->Exists())
> $linestoadd .= "\twrite list = \"%D" . '\\' . trim($share["ShareWGroup"]) . "\"\n";
> }
2100a2139,2192
> * Sets a flexshare's read list.
> *
> * @param string $name flexshare name
> * @param string $group flexshare group owner
> * @returns void
> * @throws ValidationException, EngineException
> */
>
> function SetRGroup($name, $group)
> {
> if (COMMON_DEBUG_MODE)
> self::Log(COMMON_DEBUG, 'called', __METHOD__, __LINE__);
>
> if (! $this->IsValidGroup($group))
> throw new ValidationException(FLEXSHARE_LANG_ERRMSG_INVALID_GROUP);
>
> if ($this->GetParameter($name, 'ShareRGroup') == $group)
> return;
>
> $this->SetParameter($name, 'ShareRGroup', $group);
> $enabled = 0;
> if ($this->GetParameter($name, 'ShareEnabled'))
> $enabled = (int)$this->GetParameter($name, 'ShareEnabled');
> $this->ToggleShare($name, $enabled, true);
> }
>
> /**
> * Sets a flexshare's write list.
> *
> * @param string $name flexshare name
> * @param string $group flexshare group owner
> * @returns void
> * @throws ValidationException, EngineException
> */
>
> function SetWGroup($name, $group)
> {
> if (COMMON_DEBUG_MODE)
> self::Log(COMMON_DEBUG, 'called', __METHOD__, __LINE__);
>
> if (! $this->IsValidGroup($group))
> throw new ValidationException(FLEXSHARE_LANG_ERRMSG_INVALID_GROUP);
>
> if ($this->GetParameter($name, 'ShareWGroup') == $group)
> return;
>
> $this->SetParameter($name, 'ShareWGroup', $group);
> $enabled = 0;
> if ($this->GetParameter($name, 'ShareEnabled'))
> $enabled = (int)$this->GetParameter($name, 'ShareEnabled');
> $this->ToggleShare($name, $enabled, true);
> }
>
> /**
Wednesday, August 17 2011, 09:46 AM
Share this post:
Responses (24)
  • Accepted Answer

    Sunday, November 18 2012, 05:03 PM - #Permalink
    Resolved
    0 votes
    Will something of this sort make it to 6.3? it looks like this is something that users of flexshares would greatly benefit from.
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, May 10 2012, 05:42 PM - #Permalink
    Resolved
    0 votes
    Hello!

    Just wondered if the flexshares improvements suggested here using ACL etc - e.g. Read or Read/Write or No access have been incorporated into Version 6 or if there is a patch/update for 5.2??

    We have a situation where a client using Windows Server had a General share for public documents for all staff however a couple of directories within the share were locked down to only a couple of users - rather than create a new share just for a few people and a few files. The had used ACL to lock down folders within folders.

    So....we would be looking for the ability to do this on the ClearOS system - a directory within a flexshare that is only Read/Write for a few named users however all the other folders would have the allusers group access.

    If its sorted in version 6.x then great however it is a pity that 5.2 can not achieve this sort of ACL ability.

    Can any of the ClearOS dev team confirm the current situation for achieving the above.

    Many thanks,

    Andy
    The reply is currently minimized Show
  • Accepted Answer

    Monday, February 27 2012, 02:43 PM - #Permalink
    Resolved
    0 votes
    + 1
    This functionnality would be appreciated. I've COS running into schools and I've separate shares for students and teachers and some were teachers have write access and studends read access. So this functionnality will be great for these cases.

    Thanks
    The reply is currently minimized Show
  • Accepted Answer

    Kevin
    Kevin
    Offline
    Thursday, February 23 2012, 07:18 PM - #Permalink
    Resolved
    0 votes
    I second the request. None of our customers have requested or use the functionality in Flexshares but all have requested separate read/write/no access permisions.
    The reply is currently minimized Show
  • Accepted Answer

    Jay M
    Jay M
    Offline
    Thursday, February 23 2012, 08:23 AM - #Permalink
    Resolved
    0 votes
    Can we add something like this in COS:

    http://www.clearfoundation.com/media/kunena/attachments/legacy/images/omv.jpg

    It's screen shot of OMV (Open Media Vault), a new contender for FreeNAS & OpenFiler :)
    Attachments:
    The reply is currently minimized Show
  • Accepted Answer

    Jay M
    Jay M
    Offline
    Friday, January 20 2012, 04:02 AM - #Permalink
    Resolved
    0 votes
    Thanks J, it works.

    But can we do that the other way around? Like setting up the folder to read/write to a group in Flexshares and then later add other group as read only using the custom flexshare conf file?

    I try (using your example):

    Set the library_managers group as owner and has read/write access using Flexshares and on the flexshare.custom.conf:


    [library]
    read list = @"%D\library_users"


    But it won't work.
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, January 19 2012, 08:04 PM - #Permalink
    Resolved
    0 votes
    That is interesting. I did not know a share name could be used more than once. Does that only work if the parameter is only specified once between the share definitions or can a parameter be specified in both with one taking precedence over the other?
    The reply is currently minimized Show
  • Accepted Answer

    J
    J
    Offline
    Thursday, January 19 2012, 12:06 PM - #Permalink
    Resolved
    0 votes
    I didn't use the patch and decided to go for a conf (non Webconfig solution) for adding additional ACLs for my flexshares.

    I included another conf file in smb.conf just after where it includes the flexshare.conf (In my case, I called my new one flexshare.custom.conf)

    I then specified the already existing samba shares I wanted to add additional options to in that file. For example, I made a share called "Library" which was read only for everyone but then I added the following to my flexshare.custom.conf to allow a group called "library_managers" to write to it
    [library]
    write list = @"%D\library_managers"


    Not as elegant as a webconfig solution but it works and the workload of maintaining an extra conf file is less then maintaining a patch to the webconfig. I was very surprised that the Flexshare stuff lacked such very basic ACL features.
    The reply is currently minimized Show
  • Accepted Answer

    Jay M
    Jay M
    Offline
    Thursday, January 19 2012, 08:56 AM - #Permalink
    Resolved
    0 votes
    Got the same problem. No solution yet?
    The reply is currently minimized Show
  • Accepted Answer

    Ryan
    Ryan
    Offline
    Thursday, December 29 2011, 02:32 PM - #Permalink
    Resolved
    0 votes
    Yip, still no resolution to this on my side.
    The reply is currently minimized Show
  • Accepted Answer

    Friday, December 02 2011, 07:44 PM - #Permalink
    Resolved
    0 votes
    Hello all,
    I tried again to install the patches from Eric Mols but as soon as the patches are set, I cannot edit or remove any flexhshare anymore. I always get the error : flexshare name missing. Does anyone already had this problem ?

    Finally, I just noticed that I'v exactly the same problem has Ryan. Is there a workaround for that ?

    Thanks
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, November 22 2011, 02:55 PM - #Permalink
    Resolved
    0 votes
    If I'm trying to edit a flexshare already created, I'm loosing the configuration a cannot access it anymore :(
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, November 22 2011, 02:54 PM - #Permalink
    Resolved
    0 votes
    Hello all,

    I installed that several times withou any problem but today, after installation, I can't configure any flexshare anymore ...

    I always get the following errors :

    Nov 22 15:48:48 system engine: exception: debug backtrace: Flexshare.class.php (3019): GenerateFileFlexshares
    Nov 22 15:48:48 system engine: exception: debug backtrace: flexshare.php (197): SetFileEnabled
    Nov 22 15:48:48 system engine: exception: error: Group.class.php (409): groupname not specified.
    Nov 22 15:48:48 system engine: exception: debug backtrace: Flexshare.class.php (1738): Exists
    Nov 22 15:48:48 system engine: exception: debug backtrace: Flexshare.class.php (3019): GenerateFileFlexshares
    Nov 22 15:48:48 system engine: exception: debug backtrace: flexshare.php (197): SetFileEnabled
    Nov 22 15:48:48 system engine: exception: error: Flexshare.class.php (3027): groupname not specified.
    Nov 22 15:48:48 system engine: exception: debug backtrace: flexshare.php (197): SetFileEnabled

    I tried to remove the groupanmes in flexshare.conf, tried to create a new one but always same error message .....
    No idea where does this problem comes from ....

    Per advance, I thank you for your help
    The reply is currently minimized Show
  • Accepted Answer

    Ryan
    Ryan
    Offline
    Thursday, August 18 2011, 02:18 PM - #Permalink
    Resolved
    0 votes
    Users can now only see their own Folder but cannot see any Flexshares.
    The reply is currently minimized Show
  • Accepted Answer

    Ryan
    Ryan
    Offline
    Thursday, August 18 2011, 01:30 PM - #Permalink
    Resolved
    0 votes
    there is also a file called /etc/samba/flexshare.conf but it is empty.
    the timestamp on this file gets updated but it remains empty.
    The reply is currently minimized Show
  • Accepted Answer

    Ryan
    Ryan
    Offline
    Thursday, August 18 2011, 01:08 PM - #Permalink
    Resolved
    0 votes
    This is what I have for the new share just created.

    <Share test>
    FileEnabled=0
    FilePermission=4
    FilePublicAccess=
    FileRecycleBin=1
    FileAuditLog=0
    FileBrowseable=1
    FileModified=1313670785
    FileComment=Flexshare - Test
    ShareDescription=Test
    ShareGroup=allusers
    ShareRGroup=charles.xxxx
    ShareWGroup=lizelle.xxxxx
    ShareCreated=1313668822
    ShareModified=1313668822
    ShareEnabled=1
    ShareDir=/var/flexshare/shares/test
    ShareInternal=
    </Share>
    The reply is currently minimized Show
  • Accepted Answer

    Eric Mols
    Eric Mols
    Offline
    Thursday, August 18 2011, 01:01 PM - #Permalink
    Resolved
    0 votes
    ok

    check your /etc/flexshare.conf

    I copy one share of mine as a sample

    <Share compta>
    FileEnabled=1
    FilePermission=4
    FilePublicAccess=
    FileRecycleBin=1
    FileAuditLog=0
    FileBrowseable=1
    FileModified=1312979680
    FileComment=Flexshare - Comptabilite
    ShareDescription=Comptabilite
    ShareGroup=comptables
    ShareRGroup=comptables
    ShareWGroup=comptables
    ShareCreated=1312903354
    ShareModified=1312903354
    ShareEnabled=1
    ShareDir=/var/flexshare/shares/compta
    ShareInternal=
    </Share>


    Please, check if you have

    ShareRGroup=xxxxxx
    ShareWGroup=xxxxxx

    in you share definition.
    The reply is currently minimized Show
  • Accepted Answer

    Ryan
    Ryan
    Offline
    Thursday, August 18 2011, 12:54 PM - #Permalink
    Resolved
    0 votes
    SERVER-smbd shows:

    [2011/08/18 12:10:49.300591, 1] smbd/server.c:240(cleanup_timeout_fn)
    Cleaning up brl and lock database after unclean shutdown
    [2011/08/18 12:11:13.553633, 1] smbd/server.c:267(remove_child_pid)
    Scheduled cleanup of brl and lock database after unclean shutdown
    [2011/08/18 12:11:33.553982, 1] smbd/server.c:240(cleanup_timeout_fn)
    Cleaning up brl and lock database after unclean shutdown
    [2011/08/18 12:49:39.403537, 1] smbd/server.c:267(remove_child_pid)
    Scheduled cleanup of brl and lock database after unclean shutdown
    [2011/08/18 12:49:59.403822, 1] smbd/server.c:240(cleanup_timeout_fn)
    Cleaning up brl and lock database after unclean shutdown
    [2011/08/18 13:17:25.887980, 1] smbd/server.c:267(remove_child_pid)
    Scheduled cleanup of brl and lock database after unclean shutdown
    [2011/08/18 13:17:45.887978, 1] smbd/server.c:240(cleanup_timeout_fn)
    Cleaning up brl and lock database after unclean shutdown
    [2011/08/18 14:23:19.897366, 1] param/loadparm.c:6890(service_ok)
    NOTE: Service profiles is flagged unavailable.
    [2011/08/18 14:24:39.103747, 1] param/loadparm.c:6890(service_ok)
    NOTE: Service profiles is flagged unavailable.
    The reply is currently minimized Show
  • Accepted Answer

    Ryan
    Ryan
    Offline
    Thursday, August 18 2011, 12:47 PM - #Permalink
    Resolved
    0 votes
    Hi Eric,

    /var/log/messages shows nothing for flexshare or group at all.
    The reply is currently minimized Show
  • Accepted Answer

    Eric Mols
    Eric Mols
    Offline
    Thursday, August 18 2011, 12:32 PM - #Permalink
    Resolved
    0 votes
    could you provide a copy of th lines in /var/log/messages ?

    Only the ones for flexshare* and group*

    Tx
    The reply is currently minimized Show
  • Accepted Answer

    Ryan
    Ryan
    Offline
    Thursday, August 18 2011, 12:19 PM - #Permalink
    Resolved
    0 votes
    On ClearOS 5.2 (Updated) we get some errors when trying to Enable or Delete a new Flexsshare after this modification:

    Group name not set.
    Flexshare invalid

    Anyone with this problem?

    Some advice?
    The reply is currently minimized Show
  • Accepted Answer

    Ryan
    Ryan
    Offline
    Wednesday, August 17 2011, 05:15 PM - #Permalink
    Resolved
    0 votes
    Hi Eric,

    This is great- Thanks!

    Is there a way to make this modification allow multiple selections in the drop down menus so that one can select multiple individual users or groups per Read and Write list?

    Possibly even a No-Access List to block a specific user / group.

    Something like that will make the Flexshare system much better.
    The reply is currently minimized Show
  • Accepted Answer

    Eric Mols
    Eric Mols
    Offline
    Wednesday, August 17 2011, 11:32 AM - #Permalink
    Resolved
    0 votes
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, August 17 2011, 11:23 AM - #Permalink
    Resolved
    0 votes
    Eric, thanks for that it looks great!

    As a suggestion could you provide the changes as a unified diff so that users can just apply the patch? :)

    For example:-
    diff -uNrp /var/webconfig/htdocs/admin/flexshare.php /var/webconfig/htdocs/admin/flexshare.php.NEW  > flexshare.php.diff
    diff -uNrp /var/webconfig/api/Flexshare.class.php /var/webconfig/api/Flexshare.class.php.NEW > Flexshare.class.php.diff


    People can then apply the patches by running
    cd /var/webconfig/htdocs/admin/
    patch < /var/tmp/flexshare.php.diff
    cd /var/webconfig/api/
    patch < /var/tmp/Flexshare.class.php.diff
    The reply is currently minimized Show
Your Reply