[Samba] Samba permissions
Scott Mayo
sgmayo at mail.bloomfield.k12.mo.us
Fri Jul 29 16:49:15 GMT 2005
Scott Mayo wrote:
> Keith Warno wrote:
>
>> * <sgmayo at mail.bloomfield.k12.mo.us> [29/07/2005 1119EDT]:
>>
>>> I am working on my permissions and something does not quite make
>>> sense to me. Here is what I have set.
>>>
>>> /DIR (Unix permissions are 3777)
>>>
>>> Then in samba I have the following
>>>
>>> [dir]
>>> path = /DIR
>>> read only = no
>>> valid users = @teach @student
>>> create mask = 3660
>>> directory mask = 3770
>>>
>>> Then from a windows workstation, I create a new directory inside
>>> 'dir', and call it 'teach'.
>>>
>>> The permissions of 'teach' are 2770. It looks like it should be 3770
>>> to me since the 'directory mask' command does a bitwise 'AND'.
>>> Anyone know why this is? Maybe it is because of the DOS attributes
>>> or something.
>>
>> You're right about the bitwise AND.
>>
>> But default mode for a new directory is 0777. Observe:
>>
>> kw at pigpen[2]:~$ cd tmp
>> kw at pigpen[2]:~/tmp$ umask 0
>> kw at pigpen[2]:~/tmp$ umask
>> 0000
>> kw at pigpen[2]:~/tmp$ file foodir
>> foodir: cannot open (foodir)
>> kw at pigpen[2]:~/tmp$ mkdir foodir
>> kw at pigpen[2]:~/tmp$ ls -ld foodir
>> drwxrwxrwx 2 kw users 4096 Jul 29 11:59 foodir
>>
>> However, your new directory *inherited* the setgid bit (effectively a
>> bitwise OR); this is simply the behavior of setgid bits on directories.
>> From the man page for the stat() system call (section 2):
>>
>> The set GID bit (S_ISGID) has several special uses: For a
>> directory it indicates that BSD semantics is to be used for
>> that directory: files created there inherit their group ID from
>> the directory, not from the effective gid of the creating
>> process, and directories created there will also get the S_ISGID
>> bit set. For a file that does not have the group execution
>> bit (S_IXGRP) set, it indicates mandatory file/record locking.
>>
>> So, for your case:
>>
>> (3770 & 0777) | 2000 = 2770
>>
>> It is doing exactly what it should be doing. :)
>>
>> Keith
>
> Ok, I guess that makes sense after you explained it. I got it to work
> by using both the 'directory mask' and the 'force directory mode'. That
> works but I have no idea why. I also just tried to use the 'force
> directory mode' which is a bitwise 'OR' to see what I would get and here
> are the permissions that I end up with in both cases. I cannot figure
> out where they are coming from.
>
> With both 'directory mask = 3770' and 'force directory mode = 3770' I get:
>
> drwxrws--T DIR (which would be 3770)
>
> If I just use 'force directory mode = 3770', then I get the following
> permissions:
>
> drwxrwsr-t DIR (which would be 3775)
>
> Thanks for any help. I am glad that it works with using both
> directives, but I just want to understand why. I have been doing a lot
> of reading, and just when I think that I understand how it should
> work...it throws me a curve. :)
>
Actually the first one does make sense I guess, but not the 2nd. Here
is how I understand it.
[(3777 & 0770) | 3770] | 2000 = 3770
I have no idea where the rx permissions come from in the last example
though.
--
Scott Mayo
Technology Coordinator
Bloomfield Schools
PH: 573-568-5669
FA: 573-568-4565
Pager: 800-264-2535 X2549
Duct tape is like the force, it has a light side and a dark side and it
holds the universe together.
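
Added example, not part of the original messages and not Samba's own code: a simplified Python model of the arithmetic discussed in this thread, run against the three configurations reported above. It assumes the client requests mode 0777 (as Keith describes) and that an unset 'directory mask' falls back to the smb.conf documented default of 0755; the function names are hypothetical.

```python
import stat

# smb.conf documented defaults, used when a parameter is not set in the share.
DEFAULT_DIRECTORY_MASK = 0o755
DEFAULT_FORCE_DIRECTORY_MODE = 0o000


def new_dir_mode(parent_mode,
                 directory_mask=DEFAULT_DIRECTORY_MASK,
                 force_directory_mode=DEFAULT_FORCE_DIRECTORY_MODE,
                 requested=0o777):
    """Simplified model of the mode a directory created through the share gets."""
    mode = requested & directory_mask      # 'directory mask' is a bitwise AND
    mode |= force_directory_mode           # 'force directory mode' is a bitwise OR
    if parent_mode & stat.S_ISGID:         # setgid parent: new directories inherit the bit
        mode |= stat.S_ISGID
    return mode


def ls_string(mode):
    """Render a directory mode the way 'ls -ld' prints it."""
    return stat.filemode(stat.S_IFDIR | mode)


PARENT = 0o3777  # /DIR as described in the thread

# The three configurations reported in the thread (label, share parameters).
CASES = [
    ("directory mask = 3770 only", {"directory_mask": 0o3770}),
    ("directory mask = 3770 and force directory mode = 3770",
     {"directory_mask": 0o3770, "force_directory_mode": 0o3770}),
    ("force directory mode = 3770 only", {"force_directory_mode": 0o3770}),
]

if __name__ == "__main__":
    for label, params in CASES:
        mode = new_dir_mode(PARENT, **params)
        print(f"{label}: {mode:04o} {ls_string(mode)}")
```

In the third case the group and other r-x bits survive because the default mask of 0755 is applied before the OR with 3770, which yields 3775.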