I will answer my own question. If somebody can improve on this answer, or has some questions, then by all means do. This particular problem has bugged me for quite some time now.
What I asked seems not to be possible with POSIX ACLs according to:
Group+rx permission only in directories using ACL, as ACLs cannot distinguish between files and folders when applying inherited rights.
Looking further two possible workarounds were mentioned:
- inotify (which I used here)
- bindfs (if someone tries this, please post)
A workaround with inotifywait on Linux:
Folder permissions
As root, do the following:
Create the folder to share:
mkdir fld
Make the top folder's group the teachers group. The group should exist and be the teachers' primary group.
chown :teach fld
Let the group be inherited by all files/subfolders. This means that the teacher should be able to read/write/delete.
chmod g+s fld
Do not allow overwriting/deleting of files by others (like /tmp permissions).
chmod +t fld
Now ACLs will be set to inherit minimal rights in all files/subfolders created in this folder:
setfacl -m u::rwx,g::rwx,o::rwx,d:u::rwx,d:o::--- fld
The top-folder, which should contain all subfolders/files created by students should look like this now:
getfacl fld
# file: fld
# owner: root
# group: teach
# flags: -st
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::rwx
default:other::---
These permissions alone have some merit. Should the script which follows below not run, then the above folder permissions allow students to create/read/edit/delete their own files and do none of that to files of others. The folder should behave normally, i.e. it is allowed to see/list all files. The only limitation is that it works only directly in this folder, not in subfolders. This should be enough for simple submissions of multiple files by students.
For all subfolders created by students, the following applies: students will be lumped in with "others", so the important bit is:
default:other::---
This means that no rights will be bestowed upon "others" for files/folders in this share. The idea is that folders alone should get rwx for "others"; files do not need to change permissions.
inotify script: submission_folder.sh
This script should be run by root; the only argument is the folder that was just created above. As an example of how to run it:
submission_folder.sh /path/to/fld
The file is executable and has this content:
#!/bin/bash
dir=$1
if [[ -z $dir ]]; then
    echo "Enter path as argument"
    exit 1
fi
echo "WATCHING: $dir"
# run forever: restart inotifywait should it ever exit
while true; do
    # -m keeps inotifywait running and reporting every create event instead of
    # exiting after the first one, which would otherwise leave a gap while the
    # recursive watches are set up again
    inotifywait -m -r -q --format %w%f -e create "$dir" | while read -r f; do
        echo "- CREATED: $f"
        if [[ -d "$f" ]]; then
            echo "FOLDER: $f, adding read,write,execute permission for others"
            chmod o+rwx "$f"
            stat "$f"
        else
            echo "FILE: $f, doing nothing"
        fi
    done
done
As long as the script is running it will update all subfolders so that they get rwx and can therefore be traversed and listed.
Caveats:
This was tested locally, not in a Samba share yet. I will do this later, but it should work, as I intend to not impose any restrictions in the share and let everything be handled by the filesystem.
Should folders be created with mkdir -p folder/subfolder and both do not exist yet, then they will be created so fast that inotify will not get notified individually and hence will not change the folders to rwx. For those folders it is as if the script were not running. This is not per se a problem, as students will have fewer rights, not more, and no cheating should be possible.
Personal notes
I created an IPython notebook (a bash notebook, not a Python one) with some tests and utility functions, if someone is interested. It is however partly German, as I was too lazy to do it all in English again.
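As an added example from me, not part of the answer above or its submission_folder.sh: a handler that also covers the mkdir -p caveat (when a directory event arrives it fixes that directory and anything already nested inside it), plus a check that lists directories the watcher missed. Function names are my own, it assumes GNU find/stat, and it needs no root when run on a scratch tree.

```shell
#!/bin/bash
# Added example (not the answer's submission_folder.sh). Function names are
# this example's own. Assumes GNU find/chmod; needs no root on a scratch tree.

# Give "others" rwx on a freshly created directory AND on every directory that
# already exists below it. This closes the mkdir -p gap from the caveats: when
# a student runs `mkdir -p a/b/c`, inotify may only report `a`, so we descend
# and fix b and c too. Files are never touched, matching the answer's intent.
fix_new_dir() {
    local d=$1
    [ -d "$d" ] || return 0
    find "$d" -type d -exec chmod o+rwx {} +
}

# Handle one line of `inotifywait --format %w%f` output (path of created entry).
handle_created() {
    local f=$1
    if [ -d "$f" ]; then
        echo "FOLDER: $f, adding rwx for others (including nested folders)"
        fix_new_dir "$f"
    else
        echo "FILE: $f, doing nothing"
    fi
}

# Health check: list every directory under the share that still lacks o+rwx,
# i.e. one the watcher missed. Prints the paths; returns 1 if any were found,
# 0 if the tree is clean.
find_unfixed_dirs() {
    local root=$1 out
    out=$(find "$root" -mindepth 1 -type d ! -perm -007)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Wiring it to the watcher (needs inotifywait; -m keeps it running):
#   inotifywait -m -r -q --format %w%f -e create "$dir" | while read -r f; do
#       handle_created "$f"
#   done
```

Running find_unfixed_dirs from cron against the share is a cheap way to catch anything the watcher missed while it was down.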