Solaris ACLs, the mask parameter on directories disappears

David Pullman dpullman at cme.nist.gov
Mon Feb 23 20:53:13 GMT 2004 

Hello,

I'm trying a repost of this question to the technical list, as it is 
very concerning to us in testing this release for production.  There is 
no evidence of trouble, but the concern that came up was that if the 
acls are being manipulated incorrectly, then there could be 
interoperability problems with NFS access to the shares involved or 
other applications.

We've used acls on three Solaris production servers for a few years, 
albeit in the limited mode that was possible in 2.2.x.  With 3.0 we are 
hoping to get more utilization of acls, but it is important to know if 
there is a low level issue here.

Thanks very much.

--
David Pullman
NIST Gaithersburg


-------- Original Message --------
Subject: Solaris ACLs, the mask parameter on directories disappears
Date: Tue, 17 Feb 2004 17:09:53 -0500
From: David Pullman <dpullman at cme.nist.gov>
Organization: MEL/OMP/MELSA
To: samba at lists.samba.org

I'm testing SAMBA 3.0.2 on a Solaris 9 box with a UFS file system.

The ACLs appear to be working well with the security tab, etc.  However,
once a permission setting has been made from a security tab on a
directory, the mask and default mask parameters no longer appear in a
getfacl.  In addition, the #effective permission is incorrect.  Has
anyone seen this?  I searched the archives and I can't seem to find an
mention of it.

The smb.conf is quite simple, its a test machine.  I can reply with it
if necessary.

Here's an example:

I've made the directory and shared it:
# getfacl /samba/export/testshare2

# file: /samba/export/testshare2
# owner: dpullman
# group: melsaunx
user::rwx
group::r-x              #effective:r-x
mask:r-x
other:r-x
default:user::rwx
default:group::r-x
default:mask:r-x
default:other:r-x

Now I've gone to the share and changed the group and default group perms
from an XP security tab:
# getfacl /samba/export/testshare2

# file: /samba/export/testshare2
# owner: dpullman
# group: melsaunx
user::rwx
group::rwx              #effective:r--
other:r-x
default:user::rwx
default:group::rwx
default:other:r-x

Note that mask and default:mask are gone.  The perms for group and the
default group work as listed, but not as the #effective entry shows,
which is how it normally does.

This is a case of everything is working, but it looks funny under the
covers :)  Makes one a bit nervous.

--
David Pullman
NIST - Gaithersburg

More information about the samba-technical mailing list