Map nfs clients to user

From: CHYRON (DSMITHHFX) 30 Jun 2016 19:41
To: ALL 1 of 20
/etc/idmapd.conf

WTF does it do?
 
Quote: 
Nobody-User = nobody
Nobody-Group = nogroup
I've exported the webroot of a server, and lan clients (folks who need access) can open without login. Fine.

*But* I want to assign specific user+group to files they write. (pray)

Tried changing ^^^ nobody/nogroup to myuser/mygroup, but files are still nobody/nogroup

Is it possible?
EDITED: 30 Jun 2016 19:48 by DSMITHHFX
From: CHYRON (DSMITHHFX) 4 Jul 2016 14:49
To: ALL 2 of 20
I managed to get latest netatalk to compile and install on my amd64 Ubuntu 14.04 vm, so I don't need the nfs user stuff resolved (remains to be seen if it will install to ppc metal version).

Now I gotta new question, which (I hope) may be a generic unix -y question rather than specific to afp:

Is there a way to force files written to a particular share to have a different group (which the user is a member of), e.g. 'joe/www-data', rather than the user's default group (e.g. 'joe/joe') ?

edit: chmod 2775  (taboo)
EDITED: 4 Jul 2016 15:16 by DSMITHHFX
From: Lucy (X3N0PH0N) 4 Jul 2016 15:24
To: CHYRON (DSMITHHFX) 3 of 20
If you `chmod g+s` a directory then all newly created files in that directory will inherit the directory's group rather than the primary group of the user who creates the file.

Couple of caveats: This won't change the *owner* ID of the new file, just the group ID.

Also this won't apply to files that are moved or copied, only newly created ones. Which I suspect will make it useless?

I don't believe there's a way to change ownership/group of files that are copied into a directory on the fly - for that you'd have to use something on a cron job/systemd timer or something like that.

It *sounds* like you're trying to make a website's files available for editing or something like that, right? But want to keep the web server reasonably secure, not giving it access to a load of shit outside of web root?

I *believe* you could do something suitable with ACLs but you'd need a recent version of NFS (v4) for that to work and you're on an old-ass Ubuntu. (Also, it sounds fucking complicated).

Personally I'd use a third, unprivileged user with the primary group www-data to edit the files but that might not be practicable in your situation.

Failing that, chmod g+s (look up setgid if you want more info) combined with a job on a timer to take care of any copied/moved files might be the simplest.

*Really* though, it sounds like you're trying to use NFS for what Git is good at. What I'd *really* want to do is set up a git repo on the same machine as the web server to which changes to the website are pushed. Then set up some git hooks on that repo to, when stuff is changed, copy or clone/pull everything into web root and set the correct permissions. This would be neater and less prone to fucking up.

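The setgid behaviour described in the post above, as an added example that is not part of the thread. It builds a `chmod 2775` directory, creates one file inside it and renames another one into it, then runs the kind of sweep job the post suggests for files that arrive the wrong way. `mv` is used for the "moved/copied" case because a rename keeps the inode and therefore the old group; a plain `cp` writes a new inode and does inherit. Assumptions: the share group is taken from the caller's second group in `id -G` (root falls back to gid 1; a user with only one group falls back to their primary group, which makes the inheritance step trivially true), and everything happens under a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: what a setgid (chmod 2775) directory
# does and does not do for group ownership, plus the sweep job for files
# that arrive by mv. Assumption: the share group comes from the caller's
# supplementary groups (root: gid 1; single-group user: primary group).
set -eu

# Group for the shared directory: second group from `id -G` when there is one.
pick_share_group() {
    set -- $(id -G)
    if [ "$#" -ge 2 ]; then
        echo "$2"
    elif [ "$(id -u)" -eq 0 ]; then
        echo 1
    else
        echo "$1"
    fi
}

# Numeric group id of a path (ls -ldn is portable across GNU and BSD ls).
gid_of() {
    ls -ldn "$1" | awk '{ print $4 }'
}

# Shared directory: group $2, mode rwxrwsr-x. 2775 is g+s on top of 775.
make_shared_dir() {
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 2775 "$1"
}

# The timer/cron job: re-group anything that came in with the wrong group and
# make sure every subdirectory carries the setgid bit (mkdir inherits it,
# a directory moved in from elsewhere does not).
fix_group_sweep() {
    find "$1" ! -group "$2" -exec chgrp "$2" {} +
    find "$1" -type d ! -perm -2000 -exec chmod g+s {} +
}

# Prints: "<share gid> <gid of created file> <gid of moved file> <gid of moved file after sweep>"
demo_setgid() {
    work=$(mktemp -d)
    share="$work/webroot"
    grp=$(pick_share_group)
    make_shared_dir "$share" "$grp"

    : > "$share/new.html"                         # created inside: takes the directory's group
    : > "$work/outside.html"                      # created outside: caller's primary group
    mv "$work/outside.html" "$share/moved.html"   # rename on the same fs keeps that old group

    new_gid=$(gid_of "$share/new.html")
    moved_before=$(gid_of "$share/moved.html")
    fix_group_sweep "$share" "$grp"
    moved_after=$(gid_of "$share/moved.html")

    rm -rf "$work"
    echo "$grp $new_gid $moved_before $moved_after"
}

demo_setgid
```

The four numbers printed are the share's gid, the gid of the file created in place (always the share's gid), the gid of the renamed file before the sweep (the caller's primary group, unless that is the share group) and after it (the share's gid again). Note that setgid never touches the owner uid, so the web server still needs its access to come through the group bits.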
From: Lucy (X3N0PH0N) 4 Jul 2016 15:28
To: CHYRON (DSMITHHFX) 4 of 20
>edit: chmod 2775  

Yeah, that's the same as chmod g+s. Same caveat - won't work with copied/moved files.
From: CHYRON (DSMITHHFX) 4 Jul 2016 15:49
To: Lucy (X3N0PH0N) 5 of 20
Just tried it on the afp share, it works for copied files too. Apparently it's an apple [/BSD] default. Kind of gave up on the nfs thing, I never had it (force uid/gid) working on the current dev server anyway. Not gonna install and config kerberos shit just for that  :-(
EDITED: 4 Jul 2016 15:50 by DSMITHHFX
From: Lucy (X3N0PH0N) 4 Jul 2016 15:52
To: CHYRON (DSMITHHFX) 6 of 20
Yeah, NFS can be more of a pain in the arse than it really should be for something so simple. I had NFS shares set up for a while but it would just randomly flake out. I went back to SSHFS which has always just worked flawlessly for me.

Glad you got it sorted though!
From: ANT_THOMAS 4 Jul 2016 16:03
To: Lucy (X3N0PH0N) 7 of 20
No idea whether speed is a concern, but is SSHFS much slower than SMB or NFS? Due to encryption/decryption, though that might only be an issue with a crap CPU.
From: CHYRON (DSMITHHFX) 4 Jul 2016 16:10
To: ANT_THOMAS 8 of 20
Never tried SSHFS (actually, never heard of it), but afp is a lot slower than nfs. Fast enough for generic daily r-w usage, but for e.g. backups I use nfs.
EDITED: 4 Jul 2016 16:10 by DSMITHHFX
From: ANT_THOMAS 4 Jul 2016 16:14
To: CHYRON (DSMITHHFX) 9 of 20
Literally SSH Filesystem. I guess pretty much the same as scp but fully mounted rather than individual copy commands.

I found that the encryption slowed things down with scp and big files, but that was on a system with a weak CPU. Changing the encryption type/strength improved speeds significantly. This was also over the internet - dedicated server to home, but I could max the connection over HTTP.
EDITED: 4 Jul 2016 16:18 by ANT_THOMAS
From: CHYRON (DSMITHHFX) 4 Jul 2016 16:28
To: ANT_THOMAS 10 of 20
Quote: 
Literally SSH Filesystem

Ah. Didn't recognize it, I was thinking SS + HFS (for macs). Pretty sure I do use it, to mount the webroot from home (since it doesn't have ftp). Set it up a couple of years ago and forgot/don't think about the network protocol used. Yeah, it is really slow. Good to know you can change that though I doubt I'll ever need to.

EDITED: 4 Jul 2016 16:28 by DSMITHHFX
From: Lucy (X3N0PH0N) 4 Jul 2016 17:12
To: ANT_THOMAS 11 of 20
It's definitely slower (in *theory* at least, I've not actually noticed it being slower and you can choose to specify very weak encryption), yeah. And uses a userspace driver, which is annoying.

I really wish there were a *simple*, *insecure* (I don't care, this is for home use and behind a NAT, I just want it to be fast) file sharing protocol that used a decent driver. Samba's fucking awful, NFS is (ime) flaky and SSHFS is the closest I've found to something that just works and stays working.
From: Lucy (X3N0PH0N) 4 Jul 2016 17:14
To: ANT_THOMAS 12 of 20
Although, yeah, thinking about it, once the keys are open and verified, which should be a one-time thing on a mounted FS, then it's just a case of hashing which modern CPUs can do essentially for free. So maybe it's not actually any slower (I've never actually tested and I kinda don't know what I'm talking about).
EDITED: 4 Jul 2016 17:14 by X3N0PH0N
From: ANT_THOMAS 4 Jul 2016 17:22
To: Lucy (X3N0PH0N) 13 of 20
Just checked, the dedicated server is running an Intel Celeron 220 (nearly 9 years old), no wonder it struggles with regular SSH transfers without tweaking the level of encryption.
From: Lucy (X3N0PH0N) 4 Jul 2016 21:22
To: ANT_THOMAS 14 of 20
:D
From: CHYRON (DSMITHHFX) 6 Jul 2016 14:43
To: Lucy (X3N0PH0N) 15 of 20
I got this working in nfs. It actually is pretty simple, you just have to add anonuid=,anongid= to the export line
Quote: 
anonuid and anongid These options explicitly set the uid and gid of the anonymous account. This option is primarily useful for PC/NFS clients, where you might want all requests appear to be from one user. As an example, consider the export entry for /home/joe in the example section below, which maps all requests to uid 150 (which is supposedly that of user joe).
Quote: 
/home/joe pc001(rw,all_squash,anonuid=150,anongid=100)
http://manpages.ubuntu.com/manpages/wily/man5/exports.5.html
EDITED: 6 Jul 2016 14:45 by DSMITHHFX
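The `all_squash,anonuid=,anongid=` export from the manpage quote above, as an added example that is not part of the thread. The script builds the exports(5) line for a directory, client spec, user and group, and runs the one check that usually bites with this setup: once every request is squashed to `anonuid:anongid`, that identity must hold a write bit on the exported directory, or every client write fails with "Permission denied" regardless of export options. Assumptions: DIR, CLIENT, USER and GROUP are the reader's own values; `exportfs` is only run when `--apply` is passed (root and a running NFS server required), the rest works offline.

```shell
#!/bin/sh
# Added example, not from the thread: build an /etc/exports entry in the
# all_squash + anonuid/anongid form from the manpage quote and check that the
# squashed identity can write to the directory. Assumptions: arguments are the
# reader's values; exportfs only runs with --apply.
set -eu

# anonuid/anongid take numbers, so resolve the names first.
uid_of_user() {
    id -u "$1"
}

gid_of_group() {
    if command -v getent >/dev/null 2>&1; then
        getent group "$1" | cut -d: -f3
    else
        awk -F: -v g="$1" '$1 == g { print $3 }' /etc/group
    fi
}

# One line in exports(5) format, with exactly the options the post uses.
nfs_export_line() {
    printf '%s %s(rw,all_squash,anonuid=%s,anongid=%s)\n' "$1" "$2" "$3" "$4"
}

# With all_squash every request, root included, runs as anonuid:anongid on
# the server. Prints "ok" if that identity has a write bit on DIR through
# owner, group or other, otherwise a reason.
check_anon_can_write() {
    dir=$1 uid=$2 gid=$3
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 0; }
    set -- $(ls -ldn "$dir")
    perms=$1 owner=$3 group=$4
    if [ "$owner" = "$uid" ] && [ "$(printf %s "$perms" | cut -c3)" = w ]; then
        echo ok
    elif [ "$group" = "$gid" ] && [ "$(printf %s "$perms" | cut -c6)" = w ]; then
        echo ok
    elif [ "$(printf %s "$perms" | cut -c9)" = w ]; then
        echo ok
    else
        echo "uid $uid / gid $gid cannot write to $dir (mode $perms, owner $owner:$group)"
    fi
}

# Append the entry and re-export; exportfs -v shows the effective options.
apply_export() {
    printf '%s\n' "$1" >> /etc/exports
    exportfs -ra
    exportfs -v
}

main() {
    if [ "$#" -lt 4 ]; then
        echo "usage: $0 DIR CLIENT USER GROUP [--apply]" >&2
        return 0
    fi
    uid=$(uid_of_user "$3")
    gid=$(gid_of_group "$4")
    line=$(nfs_export_line "$1" "$2" "$uid" "$gid")
    status=$(check_anon_can_write "$1" "$uid" "$gid")
    echo "$line"
    echo "# $status"
    if [ "${5:-}" = "--apply" ] && [ "$status" = ok ]; then
        apply_export "$line"
    fi
}

main "$@"
```

Run as `sh export-as.sh /var/www 192.168.1.0/24 joe www-data` to print the line and the check, add `--apply` to install it. Two things worth keeping in mind: with the default `sec=sys` the server simply believes whatever uid the client sends, so `all_squash` is what actually makes "everything lands as joe:www-data" hold rather than the idmapd setting from the first post (`Nobody-User`/`Nobody-Group` only name the account used for NFSv4 names that cannot be mapped, they never change who a write is performed as); and once squashed, per-user accountability on the server is gone, so the export should stay limited to the client list that needs it.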
From: Lucy (X3N0PH0N) 6 Jul 2016 15:09
To: CHYRON (DSMITHHFX) 16 of 20
Oh that's very handy, thanks!
From: ANT_THOMAS 6 Jul 2016 15:13
To: CHYRON (DSMITHHFX) 17 of 20
That is handy. Love Linux, hate permissions.
From: CHYRON (DSMITHHFX) 6 Jul 2016 15:23
To: ANT_THOMAS 18 of 20
permissions I can deal with, selinux drives me insane.
From: Manthorp 7 Jul 2016 13:19
To: ANT_THOMAS 19 of 20
Amen to that.  I expect Apple to treat their users as if they are Luddites with an instinct for self-harm, but Linux is open source and tinkerable, and the assumption should be that people will tinker with it.  Obliging them to type 'Simon says' before any change can be effected is irritating beardy paranoia.
From: CHYRON (DSMITHHFX) 7 Jul 2016 14:48
To: Manthorp 20 of 20
The general idea is Simon, and only Simon, says...