[Samba] Samba + ACLs: Can’t add group write permissions
Quintus
quintus at quintilianus.eu
Thu Mar 28 02:40:06 MDT 2013
On Tue, 26 Mar 2013 19:38:48 +0100,
steve <steve at steve-ss.com> wrote:
> > WTF? Where did the write access for the group go?
> Hi Marvin
Hi Steve,
> Just a thought but I found out the hard way that when there are acl's
> set, e.g. in your file called test2, the -rw-r----- bit of the
> listing bit bears little resemblance to what the actual permissions
> are. Have you actually checked to see that the file test2 really
> isn't group writeable? Maybe worth a quick test.
I just tested it with another user and no, the file is really not
group-writable. But I found another really mysterious behaviour... This
time I’ve connected as user "steffi" who is in the "share" group as
well:
% sudo mount //avalon/share -t cifs -o user=steffi,gid=quintus /mnt
I tried to create a file now as this user:
----------------------------------------------------
(1067) [9:28:47 quintus at hades] /mnt
% ls -ahl
total 4.0K
drwxrws---+ 2 root quintus 0 Mar 28 09:28 .
drwxr-xr-x 20 root root 4.0K Mar 19 17:32 ..
-rw-rw----+ 1 quintus quintus 0 Mar 26 14:54 test
-rw-r-----+ 1 quintus quintus 0 Mar 26 15:04 test2
(1068) [9:29:29 quintus at hades] /mnt
% touch test3
touch: cannot touch ‘test3’: Permission denied
(1069) [9:29:34 quintus at hades] /mnt
% ls -ahl
total 4.0K
drwxrws---+ 2 root quintus 0 Mar 28 09:29 .
drwxr-xr-x 20 root root 4.0K Mar 19 17:32 ..
-rw-rw----+ 1 quintus quintus 0 Mar 26 14:54 test
-rw-r-----+ 1 quintus quintus 0 Mar 26 15:04 test2
-rw-r-----+ 1 1002 quintus 0 Mar 28 09:29 test3
----------------------------------------------------
That is, I get a "permission denied" on the "touch" command, but the
file is there nevertheless...? How is this possible at all? Even worse,
I cannot write to the file I just created:
(1070) [9:29:35 quintus at hades] /mnt
% echo foo > test3
zsh: permission denied: test3
And no, the file is really empty (I’ve checked it on the server via
SSH). Writing to the files owned by someone else, but still in the
"share" group doesn’t work either:
(1071) [9:31:19 quintus at hades] /mnt
% echo foo > test2
zsh: permission denied: test2
And again, this file really is empty.
On the server, the permissions are reported like this:
----------------------------------------------------
(433) [9:33:34 quintus at avalon] /srv/cifs/share
% ls -ahl
insgesamt 8,0K
drwxrws---+ 2 root share 4,0K 28. Mär 09:29 .
drwxr-xr-x 7 root root 4,0K 26. Mär 14:19 ..
-rw-rw----+ 1 quintus share 0 26. Mär 14:54 test
-rw-r-----+ 1 quintus share 0 26. Mär 15:04 test2
-rw-r-----+ 1 steffi share 0 28. Mär 09:29 test3
(434) [9:33:41 quintus at avalon] /srv/cifs/share
% getfacl test3
# file: test3
# owner: steffi
# group: share
user::rw-
group::rwx #effective:r--
group:share:rwx #effective:r--
mask::r--
other::---
----------------------------------------------------
And I cannot write to the "test3" as user "quintus" on the server, but
as user "steffi" it works (again, through SSH):
----------------------------------------------------
(436) [9:35:32 quintus at avalon] /srv/cifs/share
% echo foo > test3
zsh: permission denied: test3
(437) [9:36:55 quintus at avalon] /srv/cifs/share
% ls -ahl
insgesamt 8,0K
drwxrws---+ 2 root share 4,0K 28. Mär 09:29 .
drwxr-xr-x 7 root root 4,0K 26. Mär 14:19 ..
-rw-rw----+ 1 quintus share 0 26. Mär 14:54 test
-rw-r-----+ 1 quintus share 0 26. Mär 15:04 test2
-rw-r-----+ 1 steffi share 0 28. Mär 09:29 test3
(438) [9:36:57 quintus at avalon] /srv/cifs/share
% sudo su -s /bin/zsh - steffi
[sudo] password for quintus:
(1) [9:37:31 steffi at avalon] /
% cd /srv/cifs/share
(2) [9:37:35 steffi at avalon] /srv/cifs/share
% echo foo > test3
(3) [9:37:38 steffi at avalon] /srv/cifs/share
% ls -ahl
insgesamt 12K
drwxrws---+ 2 root share 4,0K 28. Mär 09:29 .
drwxr-xr-x 7 root root 4,0K 26. Mär 14:19 ..
-rw-rw----+ 1 quintus share 0 26. Mär 14:54 test
-rw-r-----+ 1 quintus share 0 26. Mär 15:04 test2
-rw-r-----+ 1 steffi share 4 28. Mär 09:37 test3
(4) [9:37:39 steffi at avalon] /srv/cifs/share
% cat test3
foo
----------------------------------------------------
> Cheers,
> Steve
Any idea?
Vale,
Marvin
--
Blog: http://pegasus-alpha.eu/blog
ASCII-Ribbon-Kampagne () | ASCII Ribbon Campaign ()
- Stoppt HTML-E-Mail /\ | - Against HTML E-Mail /\
- Stoppt proprietäre Anhänge | - Against proprietary attachments
www.asciiribbon.org/index-de.html | www.asciiribbon.org
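
The getfacl output in the message above marks both group entries "#effective:r--". As an added example (not part of the original post), this Python code applies the POSIX ACL access-check order to a constructed copy of that output, showing that the "mask::r--" entry limits the group entries but not the owner entry. The function names and the group memberships passed by a caller are assumptions.

```python
# Added example: POSIX ACL access check over a constructed copy of the
# getfacl output for test3 quoted in the message.
GETFACL_TEST3 = """\
# file: test3
# owner: steffi
# group: share
user::rw-
group::rwx      #effective:r--
group:share:rwx #effective:r--
mask::r--
other::---
"""

def parse_getfacl(text):
    """Return (owner, owning_group, entries); entries are (tag, qualifier, perms)."""
    meta, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# ") and ":" in line:
            key, _, value = line[2:].partition(":")
            meta[key.strip()] = value.strip()
        elif line and not line.startswith("#"):
            # Drop the trailing "#effective:" comment, then split tag:qualifier:perms.
            tag, qualifier, perms = line.split("#")[0].split()[0].split(":")
            entries.append((tag, qualifier, set(perms) - {"-"}))
    return meta.get("owner"), meta.get("group"), entries

def allowed(text, user, groups, want):
    """Is permission `want` ("r", "w" or "x") granted to `user` in `groups`?"""
    owner, owning_group, entries = parse_getfacl(text)
    find = lambda tag, q="": [p for t, qual, p in entries if t == tag and qual == q]
    mask = find("mask")
    mask = mask[0] if mask else set("rwx")   # no mask entry: nothing is filtered
    if user == owner:                        # owner entry is never masked
        return want in find("user")[0]
    named = find("user", user)
    if named:                                # named user entry, limited by mask
        return want in (named[0] & mask)
    group_hits = [p for t, q, p in entries
                  if t == "group" and (q or owning_group) in groups]
    if group_hits:                           # owning or named group, limited by mask
        return any(want in (p & mask) for p in group_hits)
    return want in find("other")[0]
```

With the constructed input, a write check for owner "steffi" succeeds while a write check for a member of "share" fails, and the same member check succeeds once the mask line reads "mask::rwx".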