Using umask instead of explicit mode bits to create files/directories

Johannes Tyve Johannes.Tyve at sgu.se
Wed Nov 15 13:33:44 GMT 2000 

To show the problem:

A directory contains the following acls:

jste at sys3:test> getfacl .

# file: .
# owner: jste
# group: adb
user::rwx
user:ronnie:rwx         #effective:rwx
group::r-x              #effective:r-x
mask:rwx
other:r-x
default:user::rwx
default:user:ronnie:rwx
default:group::r-x
default:mask:rwx
default:other:r-x  

If I create a directory using (umask 0) mkdir("dir_mode",0755); The
result is:

jste at sys3:test> getfacl dir_mode

# file: dir_mode
# owner: jste
# group: adb
user::rwx
user:ronnie:rwx         #effective:r-x
group::r-x              #effective:r-x
mask:r-x
other:r-x
default:user::rwx
default:user:ronnie:rwx
default:group::r-x
default:mask:rwx
default:other:r-x    

If I create a directory using (umask 022) mkdir("dir_umask",0777); The
result is:

jste at sys3:test> getfacl dir_umask

# file: dir_umask
# owner: jste
# group: adb
user::rwx
user:ronnie:rwx         #effective:rwx
group::r-x              #effective:r-x
mask:rwx
other:r-x
default:user::rwx
default:user:ronnie:rwx
default:group::r-x
default:mask:rwx
default:other:r-x  

As you see there a big difference. Using umask the acl is applied but
using mode the mode bits are applied and the acl-mask is changed.

Please reply to samba-technical and my adress since I'm not on the
samba-technical maillist yet.

Regards,
Johannes

David Collier-Brown wrote:
> 
> Johannes Tyve wrote:
> >
> > At our site we use Samba 2.0.7 on Solaris 2.6. Solaris ACLs is used to
> > manage permissions on files and directories.
> >
> > After applying patch 106141 on our system the behavior of mkdir changed.
> > If a directory is created inside a direcory containing default-acl:s the
> > umask will not be applied. To get this behavior in samba we had to
> > modify two functions inside doscalls.c, dos_open() and dos_mkdir(). The
> > functions are modified to use umask insted of mode bits to create
> > files/directories.
> 
>         This sounds odd: the umask is translated into the
>         ACL mask (ie, it's preserved and applied to the
>         acls too[1]), but setting the mode in the call to
>         open (called from sys_open, called from dos_open)
>         is defined as applying, subject to the umask[2].
> 
>         In short, I'm puzzled at there being any change in the
>         system's behavior! Patch 106141 fixes a bug with
>         default acl's and setgid[3], circa 1998-05-06.
> 
>         I do expect that setting ACLS will modify the umask, and
>         therefor override the mode bits in the open call: perhaps
>         this is what you're seeing. If so, it's intentional!
> 
>         Can you do a getfacl of the the directory? If you have
>         default ACLs, they're supposed to modify the permissions
>         on the file...
> 
> --dave
> ---
> [1] from setfacl(1) on Solaris
>       Setting an ACL on a file also modifies the file's permission
>       bits.  The  user   entry  modifies the file owner permission
>       bits. If you don't specify a mask  entry,  the  group  entry
>       modifies  the  file  group  owner  permission  bits.  If you
>       specify a mask entry, the file group owner  permission  bits
>       are  modified based on the intersection (bitwise AND) of the
>       group and mask entries. The other entry modifies  the  other
>       permission bits.
> 
>       If  you use the chmod(1) command to change  the  file  group
>       owner  permissions on a file with ACL entries, both the file
>       group owner permissions and the ACL mask are changed to  the
>       new  permissions. Be aware that the new ACL mask permissions
>       may change the effective permissions  for  additional  users
>       and groups who have ACL entries on the file.
>         [umask has the same effect as chmod, but occurs
>          on file creation --dave]
> [2] from open(2) on Solaris
>                                The  access  permission  bits  (see
>             <sys/stat.h>) of the file mode are set to the value of
>             mode, modified as follows (see creat(2)):  a  bitwise-
>             AND  is  performed  on  the  file-mode  bits  and  the
>             corresponding bits in the complement of the  process's
>             file  mode  creation  mask.  Thus, all bits set in the
>             process's file mode creation mask (see  umask(2))  are
>             correspondingly cleared in the file's permission mask.
> [3] BUG 4042372 - Directories with both the SGID bit set and default
>       ACLs do not inherit the group owner of the parent directory as
>       they do when the default ACLs do not exist.
> 
> --
> David Collier-Brown,  | Always do right. This will gratify some people
> 185 Ellerslie Ave.,   | and astonish the rest.        -- Mark Twain
> Willowdale, Ontario   | //www.oreilly.com/catalog/samba/author.html
> Work: (905) 415-2849 Home: (416) 223-8968 Email: davecb at canada.sun.com

More information about the samba-technical mailing list