[Samba] (force) defau­lt security ­mask

?icro MEGAS micromegas at mail333.com
Wed May 22 13:52:36 MDT 2013 

Hello Dale,

thanks for feedback but I already know these lines. When "vfs object = acl_xattr" is used, "inheric acls" automatically is enabled.
"Inherit owner" is not relevant in this context, and "inherit permissions" is also not affectin this issue. I have tested the same share settings on a samba4 server, and there it works as expected without any issue. So my conclusion is, that something is weird in samba 3.5.6 on this context.

Lucas.

Втр 21 Май 2013 21:33:42 +0400, Dale Schroeder  написал:  
  
    For your situation, would some
      combination of the "inherit" parameters shown below work better
      for you than the mode/mask parameters?

      Dale

      inherit acls (S)            
            
This parameter can be used to ensure that if default acls
              exist on parent directories, they are always honored when
              creating a new file or subdirectory in these parent
              directories. The default behavior is to use the unix mode
              specified when creating the directory. Enabling this
              option sets the unix mode to 0777, thus guaranteeing that
              default directory acls are propagated. Note that using the
              VFS modules acl_xattr or acl_tdb which store native
              Windows as meta-data will automatically turn this option
              on for any share for which they are loaded, as they
              require this option to emulate Windows ACLs correctly.            
            
Default: inherit acls = no            
            
              inherit owner (S)              
              
The ownership of new files and directories is normally
                governed by effective uid of the connected user. This
                option allows the Samba administrator to specify that
                the ownership for new files and directories should be
                controlled by the ownership of the parent directory.              
              
Common scenarios where this behavior is useful is in
                implementing drop-boxes where users can create and edit
                files but not delete them and to ensure that newly
                create files in a user's roaming profile directory are
                actually owner by the user.              
              
Default: inherit owner
                    = no            
            
              inherit permissions (S)              
              
 The permissions on new files and directories are
                normally governed by create mask, directory mask, force create mode and force directory mode but the boolean
                inherit permissions parameter overrides this.              
              
New directories inherit the mode of the parent
                directory, including bits such as setgid.              
              
 New files inherit their read/write bits from the
                parent directory. Their execute bits continue to be
                determined by map archive, map hidden and map system as usual.              
              
Note that the setuid bit is never
                set via inheritance (the code explicitly prohibits
                this).              
              
This can be particularly useful on large systems with
                many users, perhaps several thousand, to allow a single
                [homes] share to be used flexibly by each user.              
              
Default: inherit permissions
                    = no

      On 05/20/2013 3:24 PM, ?icro MEGAS wrote:      
      
That was a type error in my previous post, the line in my smb.conf is of course:

read onlyXSSCleaned= No

Вск 19 Май 2013 14:58:39 +0400, ?icro MEGAS  написал:

Hello folks,

Samba 3.5.6 running and I have following share:

[public]
path = /data/public
              read onlyXSSCleanedXSSCleaned= No
              create mask = 0777
              directory mask = 0777
directory security mask = 0750
              vfs object = acl_xattr
              nt acl support = yes
              dos filemode = yes

My filesystem ext4 which is mounted to /data supports acl,user_xattr and setfacl/getfacl works fine.

ls -ld /data/public shows unix mode 0755 with owner=admin and group="Domain Users"

All users have full access to the share \\samba\public and therefore are allowed to create,modify,delete directories and files. My aim is that I want to have a directory called "special" which is in /data/public/special. Only restricted users and groups are allowed full access to this directory, the "Domain Users" should only be able to have read/execute rights, but no write/delete rights on this directory+subdirs.

"/data/public" has no ACL set. Here's an output of my ACL I have set manually with setfacl on this "special" directory. Only user "john" and "doe" and group "foobar" have full access to this "special" directory, and "Domain Users" or other should only have read rights.

root at samba:/data/public# getfacl special

# file: special/
# owner: admin
# group: Domain\040Users
user::rwx
user:john:rwx
user:doe:rwx
group::r-x
group:foobar:rwx
mask::rwx
other::---
default:user::rwx
default:user:john:rwx
default:user:doe:rwx
default:group::r-x
default:group:foobar:rwx
default:mask::rwx
default:other::---

When user "john", "doe" or anyone of group "foobar" creates a new directory inside the special dir, it has following modes:

root at samba:/data/public/special ls -l
drwxrwx-wx+ 2 john  Domain Users 4096 19. Mai 12:43 newdir
==> This corresponds to unix mode 0773.

The ACL mode looks like that:
# file: newdir
# owner: john
# group: Domain\040Users
user::rwx
user:john:rwx
user:doe:rwx
group::rwx
group:foobar:rwx
mask::rwx
other::-wx
default:user::rwx
default:user:john:rwx
default:user:doe:rwx
default:group::r-x
default:group:foobar:rwx
default:mask::rwx
default:other::---
==> This corresponds to ACL security mode 0773.

Where does this strange 0773 come from? I would like to have ACL security mode 0750 on all new directories and files created inside "special" directory. I also have tried to use "force directory security mode = 0750" in my smb.conf but that doesn't help either. I have realized another odd behaviour, too:

when user "john", "doe", or anyone of group "foobar" creates a new directory and DON'T name it, it will be called "New Directory". This directory has following ACLs:

root at samba:/data/public/special# getfacl New\ Directory
# file: New Directory
# owner: john
# group: Domain\040Users
user::rwx
user:john:rwx
user:doe:rwx
group::r-x
group:foobar:rwx
mask::rwx
other::---
default:user::rwx
default:user:john:rwx
default:user:doe:rwx
default:group::r-x
default:group:foobar:rwx
default:mask::rwx
default:other::---

This would be the correct ACL I want to have to, it corresponds to 0750. But why does this be applied only, if a new directory is created through windows and not renamed to something else than the default directory name "New Directory" ? I don't understand that. Please anyone tell me how to set correctly ACL mode 0750 for all the new dirs/files inside my special dir.

Any help appreciated. Thanks a lot in advance.
Lucas.

More information about the samba mailing list