Permissions

David Lee T.D.Lee at durham.ac.uk
Thu Mar 18 12:43:43 GMT 1999


Jess Mahan <jessm at cinebase.com> wrote:

> Date: Wed, 17 Mar 1999 11:53:33 -0800
> From: Jess Mahan <jessm at cinebase.com>
> To: samba at samba.org
> Subject: Permissions
> Message-ID: <36F0083D.F213356B at cinebase.com>
> 
>     Here is my question: I have a samba share, and am also exporting that share
>     via netatalk. When someone from the Mac side creates a file or folder the
>     permissions of the file are defaulted to that of the directory, yet when a
>     user does the same through samba, the permissions are always read only, and
>     do not default to the permissions of the directory. Am I crazy? Did I miss
>     something?

Disclaimer:  I am not a samba expert by any stretch of the imagination.
But this is an area I have begun to look at: see below.

The UNIX group and permissions applied to new files are applied to each
"share", governed by parameters in the "smb.conf" file such as: 
   create mask
   directory mask
   force group

and other similar things.  The permissions on various directories within
that share, assuming they are wide enough to allow file creation, seem to
be irrelevant, with the exception of setgid on the directory (aka "chmod
g+s") which makes the file's group match that of the directory rather than
the user's primary group.  This is UNIX convention:  default file modes
are governed by the umask, not the containing directory.

Although I am a samba beginner, this has come sharply to our attention
as we consider deploying samba in a much larger environment (14,000 users
and 1,000 groups) with many differing (and justifiable!) user requirements
for individual directories.

As far as I can see (please correct me!) it seems impossible to say "in
directory-A I want new files to have group-1 and permission ABC, but in
directory-B I want group-2 and permissions XYZ".

Such control is applied at the "share" level, but individual management of
14,000 shares seems not feasible.  We would use the "[homes]" share, which
is defined singly and easily;  this is automatically cloned as user
requests come in.  Thus all users get the same default umask etc, which
applies to all their directories and files.  (Again, someone please
correct me if this is wrong.)

I am drafting a proposal to extend samba to allow user control of default
values for permissions, group-owner etc., which I hope to send soon to the
Samba team and a few other folk for comment. 

Hope that (a) is reasonably accurate (b) helps.

-- 

:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  Phone:    +44 191 374 2882 (ddi)         South Road            :
:  Fax:      +44 191 374 7759               Durham                :
:  Internet: T.D.Lee at durham.ac.uk           U.K.                  :
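
Added example, not part of the original message: a shell demonstration of the UNIX convention the reply describes, where a new file's mode comes from the umask rather than the parent directory's mode, and only setgid on the directory carries over. The function names are hypothetical, and it assumes Linux with GNU stat and mktemp.

```shell
#!/bin/sh
# Constructed demo: new-file modes follow the umask, not the parent
# directory's mode; only the setgid bit on the directory carries over.
# Assumes Linux with GNU stat and mktemp. Function names are hypothetical.

# new_file_mode DIRMODE UMASK -> octal mode of a file created in such a directory
new_file_mode() {
    d=$(mktemp -d) || return 1
    chmod "$1" "$d"
    ( umask "$2"; : > "$d/f" )      # subshell keeps the caller's umask intact
    stat -c '%a' "$d/f"
    rm -rf "$d"
}

# setgid_subdir_mode UMASK -> octal mode of a directory created under a g+s parent
setgid_subdir_mode() {
    d=$(mktemp -d) || return 1
    chmod 2775 "$d"
    ( umask "$1"; mkdir "$d/sub" )
    stat -c '%a' "$d/sub"
    rm -rf "$d"
}

# same_group_under_setgid -> "yes" if a new file's group equals the g+s parent's
same_group_under_setgid() {
    d=$(mktemp -d) || return 1
    chmod g+s "$d"
    : > "$d/f"
    if [ "$(stat -c '%g' "$d/f")" = "$(stat -c '%g' "$d")" ]; then
        echo yes
    else
        echo no
    fi
    rm -rf "$d"
}

# Same umask, different directory modes: the file mode does not change.
echo "dir 0777, umask 022 -> file $(new_file_mode 0777 022)"
echo "dir 0700, umask 022 -> file $(new_file_mode 0700 022)"
# Same directory mode, different umask: the file mode does change.
echo "dir 0777, umask 077 -> file $(new_file_mode 0777 077)"
# setgid is the exception: it propagates to subdirectories and sets the group.
echo "g+s parent, umask 022 -> subdir $(setgid_subdir_mode 022)"
echo "file group matches g+s parent: $(same_group_under_setgid)"
```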


