inherit mode (was Where to submit patches?)

Wed Aug 25 18:18:30 GMT 1999

Jeremy Allison wrote:

> Well the reason for the setgid bit in conjunction with
> a parameter meaning "inherit" is that I thought the request
> was for this ability on a per-directory granularity, rather
> than a per-share granularity.
>
> I briefly toyed with using a directory setuid bit to mean
> this but rapidly decided this was a *bad* idea :-).
>
> Can anyone who admins Samba on a regular basis comment on
> whether this feature would be needed on a per-directory or
> per-share basis ?

I'd say make it as specific as possible (per-directory), because then you can
apply it to the whole share by:

- making the root directory of the share have the mode you want
- recursively setting all the permissions on all the files in that directory to
the same mode

When you say "per-directory" I assume that means you set "inherit mode" on the
share, and then administrate the modes on the directories in the share
individually.  I don't like the dot files idea either.

I've gotten around the lack of inheriting permissions by forcing all my shares
to 077x, and then defining groups composed of the people who can write to them,
and using the setgid bit on the directories.  This gets extremely hairy
maintaining all the groups -- thank god my user base is small.  It would be nice
to have sub directories have permissions different than their parents, which as
you know you can't currently do because you can only force modes on the entire
share.  Obviously, it would not be good to use both inherit mode and force mode
on the same share.

Jeremy Allison quoted David Lee:
>
> That had also been my first idea, including allowing dot files in
> subdirectories which successively override parents.  But it felt far too
> complicated (one of those gut feelings).  Also, what happens when the same
> object is accessed via different routes, such as with symbolic links?
>
> So I, too, went off the dot-file idea.
>
> > Currently, setting the setgid bit on a directory causes the
> > primary group to be inherited from the directory, not the
> > owner. Our idea was to add (another:-) new parameter on a
> > per-share basis :
> >
> > "inherit permissions"
> >
> > which would be a boolean with the following effect. If this
> > is set on a share and the directory within which the file or
> > directory is being created has the setgid bit set then the
> > permissions of the file or directory are inherited from that
> > of the directory.
> >
> > This would allow feature to be used on a per-directory basis,
> > and would also propagate into created directories.
>
> Sounds very like my "inherit mode"!  (Had you seen its writeup??)
> Briefly, if the share has "inherit mode" in smb.conf then:
> 1. files inherit read/write bits from the directory;
> 2. subdirectories inherit all bits;
> 3. the setgid bit has *no* samba-specific meaning; it is allowed to
>    operate as per its host UNIX system.
> Point (2) gives propagation into subdirectories.  Our proposals differ on
> point (3).  Naturally, I prefer mine...
>
> It has double virtues: (1) it was simple to implement (2) is intuitive to,
> and easy to explain to, users.