inherit mode (was Where to submit patches?)
David Lee
T.D.Lee at durham.ac.uk
Thu Aug 26 08:43:07 GMT 1999
On Thu, 26 Aug 1999, Jeremy Allison wrote:
> Andy Bakun wrote:
> >
> > When you say "per-directory" I assume that means you set "inherit mode" on the
> > share, and then administrate the modes on the directories in the share
> > individually. I don't like the dot files idea either.
>
> Yes. Dot files are a non-starter :-).
>
> > I've gotten around the lack of inheriting permissions by forcing all my shares
> > to 077x, and then defining groups composed of the people who can write to them,
> > and using the setgid bit on the directories. This gets extremely hairy
> > maintaining all the groups -- thank god my user base is small. It would be nice
> > to have sub directories have permissions different than their parents, which as
> > you know you can't currently do because you can only force modes on the entire
> > share. Obviously, it would not be good to use both inherit mode and force mode
> > on the same share.
>
> Now that brings up an interesting point. What should
> the interaction between the two be ?
>
> My gut feeling is to apply the permissions derived from "inherit"
> first, instead of doing any ANDing with "create mask", then apply
> any "force" modes. That way the force modes still don't cause any
> surprises (ie. they still apply) and the "inherit" modes replace the
> "create mask" AND process on directories with setgid and shares that
> have "inherit" set ?

My implementation of "inherit mode" was very simple (both to explain to
users and also do): at any arbitrary point in a directory tree, the
permissions for new files and directories are simply those of the
immediate parent (files inherit rw bits, dirs inherit all bits (including
setgid, sticky, ...)). So imagine a "private", a "group" and a "public"
directory all within a single share (e.g. [homes]): everything created in
them gets private/group/public permissions recursively downwards.
Delightfully simple (I believe mathematicians say "elegant").

I can see that there might be a case for applying "force mode", to protect a
user against themselves if they do something daft such as set their
[homes] directory to 777 ! But this should be an option.

Thus my original boolean "inherit mode" (overrides all create/force mask
issues) might become "inherit mode = no/yes/force/create". This becomes
more complicated. (See also other message about "inherit mode = setgid"
option!)

I'm a great believer in flexibility. But also in simplicity. My concern
is that squeezing the last couple of percent of flexibility for a few
experts might make it a lot more complicated and potentially error-prone
(a) to implement (b) to administer (c) to explain to users.

--
: David Lee I.T. Service :
: Systems Programmer Computer Centre :
: University of Durham :
: Phone: +44 191 374 2882 (ddi) South Road :
: Fax: +44 191 374 7759 Durham :
: Internet: T.D.Lee at durham.ac.uk U.K. :
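
The mode arithmetic discussed in this thread, as an added example that is not part of the original message and is not Samba source code: it computes the inherited mode for new files and directories and the "inherit first, then force" ordering from the quoted text. The function names and sample parent modes are assumptions; the create mask is taken to be applied by AND and force bits by OR.

```c
#include <stdio.h>
#include <sys/types.h>

/* Added illustration; helper names are hypothetical, not Samba source. */

/* Rule from the message: a new directory takes every mode bit of its parent
 * (setgid and sticky included); a new file takes only the read/write bits. */
static mode_t inherit_mode(mode_t parent, int is_dir)
{
    return is_dir ? (parent & 07777) : (parent & 0666);
}

/* Without inheritance: requested mode ANDed with the create mask,
 * then the force bits ORed in. */
static mode_t masked_mode(mode_t requested, mode_t create_mask, mode_t force)
{
    return (requested & create_mask) | force;
}

/* Ordering proposed in the quoted text: inherited bits replace the
 * create-mask AND step, and force bits are still ORed in afterwards. */
static mode_t inherit_then_force(mode_t parent, int is_dir, mode_t force)
{
    return inherit_mode(parent, is_dir) | force;
}

/* Mode of a file created `depth` directory levels below `top`, every level
 * made under the rule above ("recursively downwards"). */
static mode_t file_mode_below(mode_t top, int depth, mode_t force_dir, mode_t force_file)
{
    mode_t dir = top;
    for (int i = 0; i < depth; i++)
        dir = inherit_then_force(dir, 1, force_dir);
    return inherit_then_force(dir, 0, force_file);
}

int main(void)
{
    /* Constructed sample parents inside one share. */
    const char *name[] = { "private", "group", "public", "wide-open" };
    const mode_t top[] = { 0700, 02770, 0755, 0777 };

    for (int i = 0; i < 4; i++)
        printf("%-9s dir %04o -> subdir %04o, file 3 levels down %04o\n",
               name[i], (unsigned)top[i],
               (unsigned)inherit_mode(top[i], 1),
               (unsigned)file_mode_below(top[i], 3, 0, 0));
    printf("masked  0666 & 0744 -> %04o\n", (unsigned)masked_mode(0666, 0744, 0));
    return 0;
}
```

Under these assumptions a 0777 parent yields 0666 files at any depth, and ORed force bits can only add permissions to that result, never remove them.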