What evaluates file perms when ACL's are involved?

Jeremy Allison jra at samba.org
Wed Mar 8 02:58:28 GMT 2006

On Tue, Mar 07, 2006 at 09:19:31PM -0500, Michael Lueck wrote:
> Technology:
> ReiserFS or XFS which support ACL's
> Set an ACL on a directory before files are imported from tape, including a 
> default ACL
> Samba shares w/ "inherit acls = yes"
> With Windows clients accessing these files via Samba in a Samba PDC 
> environment, does Samba look to the filesystem / kernel to evaluate the 
> ACL's, or is it involved in the process directly?

Samba only evaluates acls in userspace when it's trying to
decide if a client has the ability to set the "delete on close"
bit to remove a file - this has to be done at open time for Windows,
thus the userspace check. Even if this passes Samba it's still
up to the kernel to decide if that user can delete the file
or not - it's done at close time instead.

ALL checks are done by the kernel, the only time Samba overrides
this are when "inherit owner" is set and when "dos filemode" is
set which allows someone with write access to set the DOS attributes
on a file.

> Is there a logic flowchart somewhere for how Linux evaluates traditional 
> file permissions PLUS having ACL's tossed in to the mix. Seems like lots of 
> options, and hard to begin to guess how it might all calculate out in the 
> end. Basically looking to be able to upon seeing perms / ACL's arrive at 
> the effective rights to an object.

If you're absolutely depending on mode bits being correct it's essential
to stop Samba mapping the DOS attributes into mode bits. Ensure you
have EA's available on the filesystem and set :

map hidden = no
map system = no
map archive = no
store dos attributes = yes

> I am involved as of 4:45 last evening in assisting with a "Help, 11th hour 
> to putting Samba in production and we have file access issues!!!" been 
> there before, just had not had ACL's in the mix. I guess this 
> implementation of Linux is big enough news that it is written up by Novell. 
> Some issues were resolved by getting to the 3.0.21c build today, perms and 
> ACL do behave better there than with 3.0.20b which they had on one server. 
> But I am still looking to understand perms + ACL at a PhD level... leave no 
> room for "maybe".

As I'm employed by Novell, I'd like this to succeed :-). Attached is a
PhD level paper on how Samba deals with ACLs, in OpenOffice format :-).

Good luck ! Let us know how it goes !

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sambaacls.sxi
Type: application/vnd.sun.xml.impress
Size: 37867 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20060307/e62939b0/sambaacls.bin

More information about the samba-technical mailing list