This answer works on Debian (tested on lenny and squeeze). After investigation, it seems to work only thanks to a Debian patch; users of other distributions such as Ubuntu may be out of luck.
You can use mount --bind. Mount the “real” filesystem under a directory that's not publicly accessible. Make a read-only bind mount that's more widely accessible. Make a read-write bind mount for the part you want to expose with read-write access.
mkdir /media/hidden /media/hidden/sdz99 /media/world-readable /media/world-writable
chmod 700 /media/hidden
mount /dev/sdz99 /media/hidden/sdz99
mount -o bind,ro /media/hidden/sdz99/world-readable /media/world-readable
mount -o bind /media/hidden/sdz99/world-writable /media/world-writable
In your use case, I think you can do:
mkdir /var/smb/hidden
mv /var/smb/snapshot /var/smb/hidden
mkdir /var/smb/snapshot
chmod 700 /var/smb/hidden
chmod 755 /var/smb/hidden/snapshot
mount -o bind,ro /var/smb/hidden/snapshot /var/smb/snapshot
I.e. put the real snapshot directory under a restricted directory, but give snapshot read permissions for everyone. It won't be directly accessible because its parent has restricted access. Bind-mount it read-only in an accessible location, so that everyone can read it through that path.
(Read-only bind mounts only became possible several years after bind mounts were introduced, so you might remember a time when they didn't work. I don't know offhand since when they work, but they already worked in Debian lenny (i.e. now oldstable).)
You should set the necessary directory permissions.
For directories they are:
- read: permitted to view files and sub-directories in that directory
- write: permitted to create files and sub-directories in that directory
- execute: permitted to enter the directory.
For files the situation is similar; it's quite obvious, so you can handle it on your own.
Numerically, these permissions are:
- read - 4
- write - 2
- execute - 1
To edit permissions use chmod. Usage: chmod xyz <file or directory>
- x - the sum of owner permissions
- y - the sum of owner group permissions
- z - the sum of rest users/groups permissions
Example:
$ chmod -R u=rwX,g=rwX,o=rX /home/jack/
jack and jack's group will have read+write access to /home/jack and all its sub-directories. The rest will have only read access. The -R option here is used to recursively set permissions.
Other example:
$ chmod 700 /home/jack/video/
will give jack full access to the /home/jack/video directory. See also: chown, chgrp for changing the owner and owning group.
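As an added example (not code from either of the two answers above), the following Python script models the permission check that both of them depend on: a user needs the search (x) bit on every ancestor directory to reach a path, plus the read or write bit on the target itself, and a read-only bind mount refuses writes that the mode bits would otherwise allow. It goes slightly beyond the answers by also showing that root's mode-bit override does not get past the read-only mount, and that a recursive chmod to 664 locks a directory for everyone. The directory tree, the mount table, the uids/gids and the user names are constructed for the illustration and mirror the snapshot layout of the first answer.

```python
"""Added example (not code from either answer above): a model of the POSIX
permission check both answers rely on, run over a constructed tree. A user needs
the search (x) bit on every ancestor to reach a path plus the read or write bit on
the target; a read-only bind mount refuses writes the mode bits would allow."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

R, W, X = 4, 2, 1
Mount = Tuple[str, bool]   # (real directory shown at the mount point, read-only?)


@dataclass
class Node:
    mode: int            # permission bits only, e.g. 0o755
    uid: int
    gid: int
    is_dir: bool = True


@dataclass
class User:
    uid: int
    gids: List[int]


def class_bits(node: Node, user: User) -> int:
    """Owner, group or other bits: the first matching class applies, no fallback."""
    if user.uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in user.gids:
        return (node.mode >> 3) & 7
    return node.mode & 7


def allowed(node: Node, user: User, want: int) -> bool:
    """Mode-bit check; uid 0 (CAP_DAC_OVERRIDE) bypasses it, except that running
    a regular file still needs at least one x bit set."""
    if user.uid == 0:
        return node.is_dir or not (want & X) or bool(node.mode & 0o111)
    return (class_bits(node, user) & want) == want


def resolve(mounts: Dict[str, Mount], path: str) -> Tuple[str, bool]:
    """Map a path through the mount table: (real path, lies on a read-only mount)."""
    for mp, (source, ro) in sorted(mounts.items(), key=lambda kv: -len(kv[0])):
        if path == mp or path.startswith(mp + "/"):
            return source + path[len(mp):], ro
    return path, False


def can_access(tree: Dict[str, Node], mounts: Dict[str, Mount],
               user: User, path: str, want: int) -> Optional[str]:
    """None if access is granted, else the errno name the kernel would report."""
    parts = [p for p in path.split("/") if p]
    prefixes = ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]
    for pre in prefixes[:-1]:              # every ancestor needs the search bit
        if (node := tree.get(resolve(mounts, pre)[0])) is None or not node.is_dir:
            return "ENOENT"
        if not allowed(node, user, X):
            return "EACCES"                # raised before the child is looked up
    real, read_only = resolve(mounts, prefixes[-1])
    if (node := tree.get(real)) is None:
        return "ENOENT"
    if not allowed(node, user, want):
        return "EACCES"
    if want & W and read_only:
        return "EROFS"                     # mode bits allow it, the mount does not
    return None


def chmod_recursive(tree: Dict[str, Node], root: str, dir_mode: int, file_mode: int):
    for p, n in tree.items():
        if p == root or p.startswith(root + "/"):
            n.mode = dir_mode if n.is_dir else file_mode


def build_example():
    """Constructed tree mirroring the first answer: directories owned by root,
    the file group-writable by gid 2000, /var/smb/snapshot a read-only bind mount."""
    tree = {
        "/": Node(0o755, 0, 0), "/var": Node(0o755, 0, 0), "/var/smb": Node(0o755, 0, 0),
        "/var/smb/hidden": Node(0o700, 0, 0),
        "/var/smb/hidden/snapshot": Node(0o755, 0, 0),
        "/var/smb/hidden/snapshot/notes.txt": Node(0o664, 0, 2000, is_dir=False),
        "/var/smb/snapshot": Node(0o755, 0, 0),    # mount point, empty underneath
    }
    mounts = {"/var/smb/snapshot": ("/var/smb/hidden/snapshot", True)}
    return tree, mounts


def demo() -> Dict[str, Optional[str]]:
    tree, mounts = build_example()
    alice, bob, root = User(1000, [1000]), User(1001, [1001, 2000]), User(0, [0])
    real, view = "/var/smb/hidden/snapshot/notes.txt", "/var/smb/snapshot/notes.txt"
    out = {
        "alice_real_read": can_access(tree, mounts, alice, real, R),   # 700 parent
        "alice_view_read": can_access(tree, mounts, alice, view, R),
        "alice_view_write": can_access(tree, mounts, alice, view, W),  # no w bit
        "bob_view_write": can_access(tree, mounts, bob, view, W),      # w bit, ro mount
        "root_view_write": can_access(tree, mounts, root, view, W),    # ro binds root too
        "root_real_write": can_access(tree, mounts, root, real, W),
    }
    # Second answer's pitfall: "chmod -R 664" on a directory drops its search bit ...
    chmod_recursive(tree, "/var/smb/hidden/snapshot", 0o664, 0o664)
    out["alice_view_read_after_664"] = can_access(tree, mounts, alice, view, R)
    # ... whereas u=rwX,g=rwX,o=rX gives directories 775 and files 664.
    chmod_recursive(tree, "/var/smb/hidden/snapshot", 0o775, 0o664)
    out["alice_view_read_after_775"] = can_access(tree, mounts, alice, view, R)
    return out
```

Call demo() to get a dict of errno names (None meaning access granted) for each case; the two points to look at are that the real path fails with EACCES at the 700 parent while the bind-mounted view is readable, and that a writer who does have the w bit (bob, via the group) gets EROFS through the view, as does root.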
Best Answer
Create a read-only view of that directory in a different location. You can do that with bindfs.
Let's say that the directory in question is /home/confidential/reboot and that you want to give read-only access to the users in the group mygroup.
- Create a directory /views/mygroup/reboot which is accessible to that group.
- Create the read-only view with bindfs. The bindfs process must have the permission to read the files and to access the mount point; here you would presumably run it as root. If the files under /home/confidential/reboot are not readable by the users in mygroup and you want to make them so, change the permissions specification to -p a=rX.
- To create the read-only view at boot time, add it to /etc/fstab: