"Inherit Permissions" request for comments

David Lee T.D.Lee at durham.ac.uk
Wed May 31 14:22:35 GMT 2000


On Wed, 31 May 2000, David Collier-Brown wrote:

> David Lee wrote:
> [...]
> > 
> > In another message, just posted, I suggest a new:
> >   inherit group owner = { yes | no }
> 
> 	Which avoids going down the inherit/force/security path at all,
> 	and is itself simple. Cool!
> 
> 	[A challenge to the group: explain the relationship 
> 	between the inherit/whatever options in one paragraph.
> 	I can't, which means I can't explain it to others.]

Let me rush in where angels fear to tread.  Yes, I know it is four
paragraphs but the important aspect is the structure. 

+-----------------
| Files and directories newly created by a Samba client require owner,
| group-owner and permissions to be assigned on the Samba server.
| Different environments (Samba installations and sites) might have
| differing preferences, and different Samba platforms might have
| differing capabilities and restrictions.  So Samba gives a choice:
| 1. Under the "inherit" model, attributes are inherited from the parent
|    directory.
| 2. Under the "force" model, which despite the name "force" is subservient
|    to "inherit", the Samba administrator sets these attributes.
| 3. In the absence of either, options such as "create mask" and
|    "directory mask" come into play.
| These models are described in the paragraphs below.
| 
| 
| 1. With "inherit permissions" new files inherit read/write bits, and
| new directories inherit almost all bits from their parent directory.
| With "inherit group owner", the new file or directory takes its group
| ownership from the parent directory, rather than from the Samba process.
| The owner either defaults or can be overridden by "force user".
| 
| 
| 2. The "force create mode", "force directory mode" and "force group" 
| options allow the Samba administrator to force the UNIX permission bits
| and group owner of new files and directories.  Likewise "force user"
| (which, unlike the others cannot be overridden by an "inherit") can
| force ownership.  <The details of these, and other, "force" options are
| too complex to explain in this single paragraph!>
| 
| 
| 3. The default behaviour is to take owner and group-owner from the Samba
| process and the permissions according to "create mask" and "directory
| mask" parameters.
+-----------------

How's that for starters?

Note that the above concentrates on principles and relationship among the
various models, rather than detail.  (I hope that the principles, and any
details, are correct(!), but at this stage of the sketch the dotted-i and
crossed-t are less important than the principle of structuring the "big
picture".) 

-- 

:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/~dcl0tdl            South Road            :
:                                           Durham                :
:  Phone: +44 191 374 2882                  U.K.                  :
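
The precedence sketched in the message above, written out as a small model. This is an added example, not code from the post or from Samba: `Share`, `Parent` and `resolve` are hypothetical names, uids and gids are plain integers, and three points are assumptions: "almost all bits" is taken as everything except setuid, a new file keeps its non-read/write bits as requested, and the mask is applied before the force bits are OR-ed in.

```python
import stat
from dataclasses import dataclass
from typing import Optional

RW_BITS = 0o666             # read/write bits a new file takes from its parent
NO_INHERIT = stat.S_ISUID   # assumption: "almost all bits" = all but setuid

@dataclass
class Share:
    # Field names mirror the smb.conf options named in the post.
    inherit_permissions: bool = False
    inherit_group_owner: bool = False    # the option proposed in this thread
    force_user: Optional[int] = None     # uid
    force_group: Optional[int] = None    # gid
    create_mask: int = 0o744
    directory_mask: int = 0o755
    force_create_mode: int = 0
    force_directory_mode: int = 0

@dataclass
class Parent:
    mode: int
    gid: int

def resolve(share, parent, proc_uid, proc_gid, requested_mode, is_dir):
    """Return (uid, gid, mode) for a newly created file or directory."""
    # Owner: "force user" is never overridden by an inherit option.
    uid = share.force_user if share.force_user is not None else proc_uid
    # Group: inherit beats force, force beats the Samba process default.
    if share.inherit_group_owner:
        gid = parent.gid
    elif share.force_group is not None:
        gid = share.force_group
    else:
        gid = proc_gid
    # Permissions: inherit beats both the force modes and the masks.
    if share.inherit_permissions:
        if is_dir:
            mode = parent.mode & 0o7777 & ~NO_INHERIT
        else:
            mode = (requested_mode & ~RW_BITS) | (parent.mode & RW_BITS)
    elif is_dir:
        mode = (requested_mode & share.directory_mask) | share.force_directory_mode
    else:
        mode = (requested_mode & share.create_mask) | share.force_create_mode
    return uid, gid, mode
```

Running `resolve` over a share definition before deploying it shows which of several conflicting options actually decides the group and mode of new files, which is where unintended group-writable or world-readable files tend to come from.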


