ACL + excel = problems with permissions

Ed Plese ed at edplese.com
Tue Jun 20 11:37:36 GMT 2006


On Mon, Jun 19, 2006 at 06:47:25PM +0200, sylvain.david at etranges-libellules.fr wrote:
> 
> Hi I have the same problem, and I hope you'll have the time to answer me.
> 
> My system is :
> Debian Sarge (stable) + samba Version 3.0.14a-Debian + ext3 acl enabled
> my smb.conf is attached to this email
> my clients are on Windows XP SP1, Windows XP SP2, Windows 2000 SP4.
> They all use Office Xp 2003 (I'm lucky, they didn't have a lot of 
> versions of Office...)
> 
> Description of the problem : Office modifies ACLs on saving a file and 
> sets it read-only.
> 
> - ACL status before : getfacl file01.xls :
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> group::---
> group:Projet_01:rwx
> mask::rwx
> other::---
> 
> - user A, who is in the Projet_01 group, opens file01.xls with Excel 2003 
> and presses Ctrl+S to save his modification. He gets an error message : 
> share violation : file is stored, but re-open read only
> - ACL status : getfacl file01.xls :
> # owner: userA
> # group: root
> user::r--
> user:root:rwx
> user:reunion:rwx
> group::---
> group:Projet_01:rwx
> mask::rwx
> other::---
> 
> I noticed that :
> - the user can, through the security properties of the file, get back the good 
> rights rwx. But... my users find that boring and they're right.
> - if the user has explicit rwx rights on the file, even if he's not the 
> owner, there is no problem.
> - this doesn't happen on Windows 2000 Server
> - force create mode or create mask seems to change nothing.
> 
> So, this happens when a user modifies a file that he's not the owner of AND 
> he doesn't have explicit rights AND with a Microsoft Office application.
> 
> I have thought about a few solutions, but I find all of them "dirty". Here they 
> are :
> 1) using OpenOffice.
>  -> If I could, I would surely do it, but I need time to convert 60 people 
> loving Excel and Word to Calc and Writer. Even if they are all 
> programmers, trying to change habits is really hard. We exchange 
> documentation with other society which use ... ... Excel, so for 
> compatibility reasons, we need Excel. So even if it's a good solution, 
> it's hard to choose this solution. And... what if I noticed this problem 
> with another application ? This solution doesn't solve the problem on 
> the server side, but only on the client side...
> 
> 2) using a file monitor.
> -> using gamin or any other file monitor to watch .xls and .doc files. 
> If a file is touched then apply the good rights (with the default rights 
> of the parent directory...) This solution is dirty because my server 
> contains a very, very large number of files, and I think it's a bottleneck 
> solution, parsing all directories all the time. And, in a real situation, 
> the error message of Excel will appear anyway, because of the timing.
> 
> 3) hack the Samba code and add a trigger on file write, to execute a script 
> which forces the good ACL to be set?
> -> probably a bottleneck solution... but... the best for me... but I 
> don't have the level to code it.
> 
> 4) use the "force user" argument in smb.conf
> -> it works. But... losing the owner notion of the whole file system is 
> a desperate solution.
> 
> 5) use explicit user rights on every file.
> -> it works too. But it removes all the magic of using groups. And for now 
> I have "only" 60 users... and what will I do with 200 ?
> 
> 6) is there any Office patch or registry key or Office config, or voodoo 
> dance to do in order to repair the special way of saving of Microsoft Office ?
> -> I found nothing on my friend Google.

I believe this is what you're looking for:

https://bugzilla.samba.org/show_bug.cgi?id=2346

This was fixed in (I believe) Samba 3.0.20.  Upgrade to the latest Samba
and your problems should go away.  If you want to stay with 3.0.14a, the
patch on that page works for that version also.  Unfortunately once you
upgrade or patch you need to reset the permissions on all of the Excel
files that people have opened to give them write access back.


Ed Plese
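
The following is an added example, not part of the original posts and not Samba code. It applies the standard POSIX ACL check order (owner, named user, group class, other) to the two getfacl listings quoted above, to show why userA ends up read-only once he becomes owner with `user::r--`, even though `group:Projet_01:rwx` is still present. The function names are hypothetical.

```python
# Added example (not from the thread). ACL text copied from the two listings in the post.
BEFORE = """# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:Projet_01:rwx
mask::rwx
other::---"""
AFTER = """# owner: userA
# group: root
user::r--
user:root:rwx
user:reunion:rwx
group::---
group:Projet_01:rwx
mask::rwx
other::---"""

def parse_getfacl(text):
    owner, group, entries = None, None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":")[:3]
            entries.append((tag, qualifier, set(perms[:3]) - {"-"}))
    return owner, group, entries

def may_access(text, user, groups, want):
    """POSIX.1e check order: owner, named user, group class, other."""
    owner, owning_group, entries = parse_getfacl(text)
    want = set(want)
    mask = next((p for t, _, p in entries if t == "mask"), None)
    masked = lambda p: p if mask is None else p & mask
    if user == owner:  # owner is judged by user:: only; groups are never consulted
        return want <= next(p for t, q, p in entries if t == "user" and not q)
    for t, q, p in entries:
        if t == "user" and q == user:  # named user entry, limited by mask
            return want <= masked(p)
    hits = [p for t, q, p in entries if t == "group" and (q or owning_group) in groups]
    if hits:  # a single matching group entry must grant everything wanted
        return any(want <= masked(p) for p in hits)
    return want <= next(p for t, q, p in entries if t == "other")

if __name__ == "__main__":
    print([may_access(a, "userA", {"Projet_01"}, "w") for a in (BEFORE, AFTER)])
```

The same check can be used to list files that still need their permissions reset: any file where a group member is owner and `user::` lacks `w`.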


More information about the samba-technical mailing list