more thoughts on Samba permissions manipulation

Cole, Timothy D. timothy_d_cole at md.northgrum.com
Fri Jun 18 16:29:00 GMT 1999


I've been thinking about setting permissions via Samba now, and I'm
convinced that 'create mask' was not originally intended (looking at the
implementation) to be anything more than a umask.  It really should not be
used to prevent users from changing the permissions on existing files (as is
the behavior in 2.0.4), since the umask is always going to be more paranoid
than the least paranoid permissions the users would want to set (it had
better be, in fact, if you care about security), and that's not the intended
purpose of the umask anyway.

Jeremy did suggest a 'security mask' parameter that would restrict the
permissions a user could set, I think entirely independently of the umask.
Which is probably the right thing to do.

Only thing is, now I'm having a hard time coming up with a rationale for
even having a 'security mask'-like parameter.  It's probably related to the
rationale behind the 'force mode' parameter, which I can't justify to myself
right now either.  Obviously someone wanted or needed it, though; I'm kind
of curious who uses 'force mode', and for what...


