Discussion:
[Samba] file permissions with inherit permission + ACL's
Ralf Gross
2007-04-18 20:45:54 UTC
Hi,

I have a share (testshare) where different unix groups (testgroup1,
testgroup2) should have access to. But I want that new files are only
created with 660 permissions.

Here are the ACL's of testshare:

# file: testshare
# owner: ralfgro
# group: ve
user::rwx
group::rwx
group:testgroup1:rwx
group:testgroup2:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:testgroup1:rwx
default:group:testgroup2:rwx
default:mask::rwx
default:other::---

I created a new directory and a new file in this share.

drwxrws---+ 2 ralfgro ve 6 2007-04-18 17:28 testdir
-rwxrwx---+ 1 ralfgro ve 0 2007-04-18 17:28 testfile.txt


# file: testdir
# owner: ralfgro
# group: ve
user::rwx
group::---
group:testgroup1:rwx
group:testgroup2:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:testgroup1:rwx
default:group:testgroup2:rwx
default:mask::rwx
default:other::---

The permissions of this new directory are fine. But new files should be
created with 660 permissions, not 770.

# file: testfile.txt
# owner: ralfgro
# group: ve
user::rwx
group::---
group:testgroup1:rwx
group:testgroup2:rwx
mask::rwx
other::---



This is the relevant part of smb.conf:

[testshare]
force create mode = 0660
create mask = 0660
force directory mode = 2770
directory security mask = 2770
force directory security mode = 0000
directory mask = 2770
force security mode = 0000
security mask = 0770
inherit acls = yes
inherit permissions = yes
map archive = no
map system = no
...

Some of the options might be needless now, but I needed them as I
used 'force group = ...' instead of 'inherit permissions'.


I already played with the default mask ACL, but then I always ended with no
executable bit on files _and_ directories which denies access to the new
created directories...

Any ideas?

Ralf
Ralf Gross
2007-04-18 21:03:31 UTC
"drwxrws---+ 2 ralfgro ve 6 2007-04-18 17:28 testdir"
2770 [drwxrws--] permissions will force inherit at the file level
system, ignoring Samba. Set the directory to 0770 permissions, and new
items would be created with 660 as per smb.conf
I removed the gid bit, but this doesn't change the permissions of new
files. They are still 770.

ls -la testshare
insgesamt 8
drwxrwx---+ 2 ralfgro ve 25 2007-04-18 17:57 .
drwxr-xr-x 5 root root 63 2007-04-18 17:55 ..
-rwxrwx---+ 1 ralfgro ralfgro 0 2007-04-18 17:56 testfile.txt
Other thing is to insure that the main group for the user is the same
for all users.
Hm, the users that access this share are member of many groups and the
main group will not always be the one of this share. But I think this
will be handled by the default ACL's.

Ralf
Carlos Rivera-Jones
2007-04-18 21:04:18 UTC
"drwxrws---+ 2 ralfgro ve 6 2007-04-18 17:28 testdir"

2770 [drwxrws--] permissions will force inherit at the file level
system, ignoring Samba. Set the directory to 0770 permissions, and new
items would be created with 660 as per smb.conf

Other thing is to insure that the main group for the user is the same
for all users.

Carlos

-----Original Message-----
From: Ralf Gross
Sent: Wednesday, April 18, 2007 11:45 AM

default:other::---

I created a new directory and a new file in this share.

drwxrws---+ 2 ralfgro ve 6 2007-04-18 17:28 testdir
-rwxrwx---+ 1 ralfgro ve 0 2007-04-18 17:28 testfile.txt


# file: testdir
# owner: ralfgro
# group: ve
user::rwx
group::---
group:testgroup1:rwx
group:testgroup2:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:testgroup1:rwx
default:group:testgroup2:rwx
default:mask::rwx
default:other::---

The permissions of this new directory are fine. But new files should be
created with 660 permissions, not 770.

# file: testfile.txt
# owner: ralfgro
# group: ve
user::rwx
group::---
group:testgroup1:rwx
group:testgroup2:rwx
mask::rwx
other::---



This is the relevant part of smb.conf:

[testshare]
force create mode = 0660
create mask = 0660
force directory mode = 2770
directory security mask = 2770
force directory security mode = 0000
directory mask = 2770
force security mode = 0000
security mask = 0770
inherit acls = yes
inherit permissions = yes
map archive = no
map system = no
...

Some of the options might be needless now, but I needed them as I used
'force group = ...' instead of 'inherit permissions'.


I already played with the default mask ACL, but then I always ended with
no executable bit on files _and_ directories which denies access to the
new created directories...

Any ideas?

Ralf
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
Jay Flory
2007-04-19 00:34:07 UTC
Post by Ralf Gross
Hi,
I have a share (testshare) where different unix groups (testgroup1,
testgroup2) should have access to. But I want that new files are only
created with 660 permissions.
# file: testshare
# owner: ralfgro
# group: ve
user::rwx
group::rwx
group:testgroup1:rwx
group:testgroup2:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:testgroup1:rwx
default:group:testgroup2:rwx
default:mask::rwx
default:other::---
I created a new directory and a new file in this share.
drwxrws---+ 2 ralfgro ve 6 2007-04-18 17:28 testdir
-rwxrwx---+ 1 ralfgro ve 0 2007-04-18 17:28 testfile.txt
# file: testdir
# owner: ralfgro
# group: ve
user::rwx
group::---
group:testgroup1:rwx
group:testgroup2:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:testgroup1:rwx
default:group:testgroup2:rwx
default:mask::rwx
default:other::---
The permissions of this new directory are fine. But new files should be
created with 660 permissions, not 770.
# file: testfile.txt
# owner: ralfgro
# group: ve
user::rwx
group::---
group:testgroup1:rwx
group:testgroup2:rwx
mask::rwx
other::---
[testshare]
force create mode = 0660
create mask = 0660
force directory mode = 2770
directory security mask = 2770
force directory security mode = 0000
directory mask = 2770
force security mode = 0000
security mask = 0770
inherit acls = yes
inherit permissions = yes
map archive = no
map system = no
...
Some of the options might be needless now, but I needed them as I
used 'force group = ...' instead of 'inherit permissions'.
I already played with the default mask ACL, but then I always ended with no
executable bit on files _and_ directories which denies access to the new
created directories...
Any ideas?
Ralf
Ralf,

What would happen if you removed the default entries from your directory
ACLs? It looks to me like the default ACLs are being applied from the
directory to the newly created file. I believe that POSIX ACLs do this by
design.

Thanks
Jay
Ralf Gross
2007-04-19 12:53:21 UTC
Post by Jay Flory
Post by Ralf Gross
I have a share (testshare) where different unix groups (testgroup1,
testgroup2) should have access to. But I want that new files are only
created with 660 permissions.
# file: testshare
# owner: ralfgro
# group: ve
user::rwx
group::rwx
group:testgroup1:rwx
group:testgroup2:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:testgroup1:rwx
default:group:testgroup2:rwx
default:mask::rwx
default:other::---
[snip]
I already played with the default mask ACL, but then I always ended with no
executable bit on files _and_ directories which denies access to the new
created directories...
What would happen if you removed the default entries from your directory
ACLs? It looks to me like the default ACLs are being applied from the
directory to the newly created file. I believe that POSIX ACLs do this by
design.
But I need the default directory ACLs to give the 2 groups rights on
all new created files and directories in this share, or am I wrong
about this? The only thing I don't want is the executable bit on
files.

Ralf
Jay Flory
2007-04-20 18:58:43 UTC
Post by Ralf Gross
Post by Jay Flory
Post by Ralf Gross
I have a share (testshare) where different unix groups (testgroup1,
testgroup2) should have access to. But I want that new files are only
created with 660 permissions.
# file: testshare
# owner: ralfgro
# group: ve
user::rwx
group::rwx
group:testgroup1:rwx
group:testgroup2:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:testgroup1:rwx
default:group:testgroup2:rwx
default:mask::rwx
default:other::---
[snip]
I already played with the default mask ACL, but then I always ended with no
executable bit on files _and_ directories which denies access to the new
created directories...
What would happen if you removed the default entries from your directory
ACLs? It looks to me like the default ACLs are being applied from the
directory to the newly created file. I believe that POSIX ACLs do this by
design.
But I need the default directory ACLs to give the 2 groups rights on
all new created files and directories in this share, or am I wrong
about this? The only thing I don't want is the executable bit on
files.
Ralf
Ralf,

I believe that Samba, with the "inherit acls = yes" setting, is designed to
set the permissions on the new subdirectories. The Definitive Guide to
Samba 3 puts it this way "When set to Yes, Samba copies a directory's ACLs
when creating subdirectories within it. The default value of No sets
directory permissions according to the directory mask, force directory mode,
and inherit permissions options instead".

If I am correct then the default ACL entries on your directory is redundant
for new sub directories and interfering when Samba tries to set permissions
on the new files (inherit permissions).

Thanks
Jay
Ralf Gross
2007-04-20 19:37:04 UTC
Post by Jay Flory
Post by Ralf Gross
Post by Jay Flory
Post by Ralf Gross
I have a share (testshare) where different unix groups (testgroup1,
testgroup2) should have access to. But I want that new files are only
created with 660 permissions.
# file: testshare
# owner: ralfgro
# group: ve
user::rwx
group::rwx
group:testgroup1:rwx
group:testgroup2:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:testgroup1:rwx
default:group:testgroup2:rwx
default:mask::rwx
default:other::---
[snip]
I already played with the default mask ACL, but then I always ended with no
executable bit on files _and_ directories which denies access to the new
created directories...
What would happen if you removed the default entries from your directory
ACLs? It looks to me like the default ACLs are being applied from the
directory to the newly created file. I believe that POSIX ACLs do this by
design.
But I need the default directory ACLs to give the 2 groups rights on
all new created files and directories in this share, or am I wrong
about this? The only thing I don't want is the executable bit on
files.
I believe that Samba, with the "inherit acls = yes" setting, is designed to
set the permissions on the new subdirectories. The Definitive Guide to
Samba 3 puts it this way "When set to Yes, Samba copies a directory's ACLs
when creating subdirectories within it. The default value of No sets
directory permissions according to the directory mask, force directory mode,
and inherit permissions options instead".
If I am correct then the default ACL entries on your directory is redundant
for new sub directories and interfering when Samba tries to set permissions
on the new files (inherit permissions).
I tried different settings, and it's basically working with either
'inherit permissions' or 'inherit acls' + correct ACLs. But new files
are still created with the x-bit. I'm beginning to think, that there
is no way to prevent smb from setting this bit if the groups should
get access to new created directories.

My goal was:

- different groups with (maybe different) rights on all
new files/directories
- file should have only 660 permissions (no x-bit)

Ralf
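
Added example, not part of any post in this thread: a small Python model of the POSIX default-ACL inheritance rule on Linux that Jay refers to, run on the default entries of testshare as posted. It shows that the mode and effective group rights of a new file depend on the create mode the creating process passes: 0770 reproduces the testfile.txt listing above, while 0660 lowers the mask so testgroup1 and testgroup2 are effectively rw- without touching the directory's default ACL. The function names are hypothetical, chosen for illustration.

```python
# Added illustration (not from the thread): POSIX default-ACL inheritance on Linux.
# Permissions are 3-bit ints (r=4, w=2, x=1); entries are keyed by (tag, qualifier).

TESTSHARE_DEFAULTS = """\
default:user::rwx
default:group::---
default:group:testgroup1:rwx
default:group:testgroup2:rwx
default:mask::rwx
default:other::---
"""  # default entries of testshare, as posted in the thread

def parse_default(text):
    """Return the default: entries of getfacl-style text as {(tag, qualifier): bits}."""
    acl = {}
    for line in text.split():
        if line.startswith("default:"):
            tag, qual, perms = line[len("default:"):].split(":")
            acl[(tag, qual)] = sum(b for c, b in zip(perms, (4, 2, 1)) if c != "-")
    return acl

def inherit(default_acl, create_mode):
    """New object's access ACL: copy the parent's default ACL, then AND owner,
    mask (group:: if there is no mask) and other with the mode passed to
    open()/mkdir(). The umask plays no part when a default ACL exists."""
    acl = dict(default_acl)
    group_key = ("mask", "") if ("mask", "") in acl else ("group", "")
    for key, shift in ((("user", ""), 6), (group_key, 3), (("other", ""), 0)):
        acl[key] &= (create_mode >> shift) & 7
    return acl

def effective(acl, tag, qual=""):
    """Named entries and group:: are capped by the mask; user:: and other:: are not."""
    perms = acl[(tag, qual)]
    if (tag, qual) not in (("user", ""), ("other", "")) and ("mask", "") in acl:
        perms &= acl[("mask", "")]
    return perms

def mode_bits(acl):
    """Mode as shown by ls: owner, group class (the mask), other."""
    group = acl.get(("mask", ""), acl[("group", "")])
    return acl[("user", "")] << 6 | group << 3 | acl[("other", "")]

DEFAULT = parse_default(TESTSHARE_DEFAULTS)
```

For example, `oct(mode_bits(inherit(DEFAULT, 0o660)))` gives `0o660` and `effective(inherit(DEFAULT, 0o660), "group", "testgroup1")` gives 6 (rw-), whereas a create mode of 0770 or 0777 yields the 770 file seen in the thread.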
