The "security mask" parameter

Mohammed_Maati at BIOGEN.COM
Thu May 10 12:59:04 GMT 2001

I guess that this means that there is no way (in Samba with the parameter
"nt acl support" set to false) to prevent a user from taking off the read
only attribute (from his NT 4 box) of his files if I change them to read
only from the Unix box?
Thanks for your help.


Jeremy Allison <jeremy at> on 05/09/2001 06:51:18 PM

Sent by:  jeremy at

To:   "MCCALL,DON (HP-USA,ex1)" <don_mccall at>
cc:   "'Mohammed_Maati at BIOGEN.COM'" <Mohammed_Maati at BIOGEN.COM>,
      samba at, "'samba-technical at'"
      <samba-technical at>
Subject:  Re: The "security mask" parameter

"MCCALL,DON (HP-USA,ex1)" wrote:
> I agree, Jeremy - it's certainly not something that you could implement
> an NT server - not with DOS modes.
> Now, you COULD make a file readonly via ntacls, and restrict the
> creator/owner from changing those permissions, but I don't think we need
> provide that outside of whatever acl support the underlying OS allows...
> Heck, you can't even do that to a UNIX user....

Actually, after talking with Gerald (who wants it to work
the way it did in 2.0.x), he's pointed out that it is actually
the "restrict acls with mask" parameter I added recently that
is the redundant parameter that should be removed.

If I set the security mask/dir security mask = 0777
and force security mode/force dir security mode = 0
and *always* apply these on ACL set, then we get exactly
the default behaviour we have now (no masks, user gets
exactly what they set in the ACL), but still provide
the capability for an admin to set masks on ACL sets
for user/group and world, without disturbing the create

Not that anyone actually uses these, as this was *completely*
broken in 2.2.0 :-) :-). But this is actually the more
generic solution (that 99.99999% of people will never need
to change :-).


Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
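
The mask arithmetic described in the reply above, as an added example that is not part of the original thread and is not Samba's own code. It assumes the semantics the smb.conf documentation gives for these parameters (requested bits ANDed with "security mask", then ORed with "force security mode"); the function names and the sample admin settings are hypothetical.

```python
# Added illustration; models the mask arithmetic only, not Samba's source.
# Assumption: on an ACL set, the requested UNIX permission bits are ANDed with
# "security mask" and then ORed with "force security mode" (the semantics the
# smb.conf documentation gives for these two parameters).

def apply_acl_set_masks(requested, security_mask=0o777, force_security_mode=0o000):
    """Return the permission bits that end up on the file (hypothetical helper)."""
    return (requested & security_mask) | force_security_mode


def rwx(mode):
    """Render the low nine permission bits as e.g. 'rw-r-----'."""
    return "".join(ch if mode & (1 << (8 - i)) else "-"
                   for i, ch in enumerate("rwxrwxrwx"))


def changed_bits(requested, **params):
    """Bits the admin's settings removed from or added to the user's request."""
    applied = apply_acl_set_masks(requested, **params)
    return {"stripped": requested & ~applied & 0o777,
            "forced": applied & ~requested & 0o777}


def defaults_are_identity():
    """Check every 9-bit mode: 0777 / 0 must leave the request untouched."""
    return all(apply_acl_set_masks(m) == m for m in range(0o1000))


if __name__ == "__main__":
    print("defaults leave ACL sets untouched:", defaults_are_identity())
    # Constructed sample: the admin allows no world bits and forces group read.
    admin = {"security_mask": 0o770, "force_security_mode": 0o040}
    for req in (0o777, 0o600, 0o606):
        out = apply_acl_set_masks(req, **admin)
        print(rwx(req), "->", rwx(out), changed_bits(req, **admin))
```
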
