inherit mode (was Where to submit patches?)

David Lee T.D.Lee at durham.ac.uk
Thu Aug 26 08:30:01 GMT 1999


On Thu, 26 Aug 1999, Andy Bakun wrote:

> Jeremy Allison wrote:
> 
> > Well the reason for the setgid bit in conjunction with
> > a parameter meaning "inherit" is that I thought the request
> > was for this ability on a per-directory granularity, rather
> > than a per-share granularity.
> >
> > I briefly toyed with using a directory setuid bit to mean
> > this but rapidly decided this was a *bad* idea :-).
> >
> > Can anyone who admins Samba on a regular basis comment on
> > whether this feature would be needed on a per-directory or
> > per-share basis ?
> 
> I'd say make it as specific as possible (per-directory), because then you can
> apply it to the whole share by:
> 
> - making the root directory of the share have the mode you want
> - recursively setting all the permissions on all the files in that directory to
> the same mode
> 
> When you say "per-directory" I assume that means you set "inherit mode" on the
> share, and then administrate the modes on the directories in the share
> individually.  I don't like the dot files idea either.

Let me clarify a possible misunderstanding.  My simple per-share behaviour
(no setgid complication) means that in directories of 700, 750 and 755,
files will be created (respectively) 600, 640 and 644.  All within the one
share.  It is intended first and foremost to be simple to understand, then,
subject to that, to give as much flexibility as is reasonably possible.

What would "inherit mode only on setgid" add to this?  That in a simple
750 directory, files are created with traditional "create/force mode"
permissions, but in 750+setgid those files get "inherit mode" permissions.
For a complicated sub-tree, there might be a little improved flexibility
for expert UNIX users. 

Perhaps both are possible:

1. My original suggestion: applies to whole share.  Very easy to explain
   to users.  (In our case, eventually some 14,000 of them...)

2. Jeremy Allison's modification, supported by Andy Bakun, that "inherit
   mode" behaviour only applies when setgid is set.  Potentially more
   flexible, but more difficult to explain to novices, and also potential
   clash of semantics with UNIX setgid behaviour.

So instead of "inherit mode" being a simple boolean, perhaps it could
be a multi-valued switch: no/yes/setgid:
o  "no" (default) would maintain existing behaviour;
o  "yes" would give my simple-to-explain per-share action;
o  "setgid" would give Allison/Bakun "only applies to setgid".

Although our user base is large, the majority of users want easily
understood behaviour.  The majority will not even be aware of UNIX in the
background, let alone the subtle intricacies of "setgid".

Example: we set them a private home directory 711 (not 700: see below). 
Within that we (not they) pre-create a 755 "public_html" directory for
their WWW space. Everything they create is private (files 600, subdirs
711) except within "public_html" (files 644, subdirs 755). 

In the remaining minority (slightly more UNIX-aware), they will usually be
satisfied with a one-off setting of 750 and 755 for group- and world-
readable directories within the share, inheriting everything created in
them.

I would put in a strong plea for keeping my original, simple, suggestion
available, but would be happy for it to be modified to include a third
option "setgid" as outlined above.

-- 

:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  Phone:    +44 191 374 2882 (ddi)         South Road            :
:  Fax:      +44 191 374 7759               Durham                :
:  Internet: T.D.Lee at durham.ac.uk           U.K.                  :
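
The three-valued "inherit mode" switch proposed in the message above, as an added sketch that is not part of the original post and is not Samba code. The function names and the mask values standing in for the traditional "create/force mode" path are assumptions; the inherited results follow the modes quoted in the message.

```python
import stat

# Assumed stand-ins for the traditional mask/force settings (hypothetical values).
CREATE_MASK, FORCE_CREATE_MODE = 0o744, 0o000
DIRECTORY_MASK, FORCE_DIRECTORY_MODE = 0o755, 0o000


def traditional_mode(is_dir):
    """Mask/force path: start from rw (files) or rwx (dirs), AND the mask, OR the force bits."""
    if is_dir:
        return (0o777 & DIRECTORY_MASK) | FORCE_DIRECTORY_MODE
    return (0o666 & CREATE_MASK) | FORCE_CREATE_MODE


def inherited_mode(parent_mode, is_dir):
    """Inherit path: subdirectories copy the parent's rwx bits, files drop the execute bits."""
    perms = stat.S_IMODE(parent_mode) & 0o777
    return perms if is_dir else perms & 0o666


def created_mode(parent_mode, is_dir, inherit="no"):
    """Mode of a new entry under the proposed switch: "no", "yes" or "setgid"."""
    if inherit not in ("no", "yes", "setgid"):
        raise ValueError("inherit must be 'no', 'yes' or 'setgid'")
    if inherit == "yes":
        return inherited_mode(parent_mode, is_dir)
    if inherit == "setgid" and parent_mode & stat.S_ISGID:
        return inherited_mode(parent_mode, is_dir)
    return traditional_mode(is_dir)


def comparison(parent_modes):
    """One row per parent directory: (parent, switch value, file mode, subdir mode)."""
    return [(p, s, created_mode(p, False, s), created_mode(p, True, s))
            for p in parent_modes for s in ("no", "yes", "setgid")]


if __name__ == "__main__":
    # Constructed parent directory modes: the ones named in the message, plus 750+setgid.
    for parent, switch, fmode, dmode in comparison([0o700, 0o711, 0o750, 0o755, 0o2750]):
        print(f"parent {parent:04o}  inherit={switch:<6}  file {fmode:03o}  subdir {dmode:03o}")
```

With these assumed masks, a file created in a plain 750 directory under "no" or "setgid" comes out 644, which is more open than its parent directory; under "yes" it comes out 640.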


