ACL for a chmod on a cifs client to Windows server

David Collier-Brown davecb at sun.com
Thu Jan 10 18:20:19 GMT 2008


Shirish Pargaonkar wrote:
> cifs client, when chmod command is issued, follows what
> SFU/Interix does.  Is this the behaviour that cifs client
> should exhibit (that is how it is implemented currently)?
> 
> The alternative behavior would be that all ACEs are preserved,
> except those for owner, owning group (if present), and
> everyone (those three would be overwritten by the mode bits).
> 
> Regards,
> 
> Shirish
> 
> 
> When doing a chmod on Interix, always the following is done:
> - all ACLs are removed and replaced by 3 new ACLs,
>  one for the windows file owner, one for the group of the
>  file owner and one for Everyone (SSID: S-1-1-0)
> 

Solaris seems to do something different from either...

     If you use chmod to change the file group owner permissions
     on a file with ACL entries, both the file group owner
     permissions and the ACL mask are changed to the new
     permissions. Be aware that the new ACL mask permissions may
     change the effective permissions for additional users and
     groups who have ACL entries on the file. Use the getfacl(1)
     command to make sure the appropriate permissions are set for
     all ACL entries.

... I tested this, as follows

froggy> touch foo

froggy> chacl joyce rw- foo    # chacl is a script of mine, to mimic chmod

froggy> chacl jet rw- foo

froggy> ls -l foo
-rw-r--r--+  1 davecb   staff          0 Jan 10 13:09 foo

froggy> getfacl foo

# file: foo
# owner: davecb
# group: staff
user::rw-
user:joyce:rw-          #effective:rw-
group::r--              #effective:r--
group:jet:rw-           #effective:rw-
mask:rw-
other:r--

Ok, setfacl worked fine...

froggy> chmod g-r foo
froggy> getfacl foo

# file: foo
# owner: davecb
# group: staff
user::rw-
user:joyce:rw-          #effective:-w-
group::---              #effective:---
group:jet:rw-           #effective:-w-
mask:-w-

Mask changed from rw- to -w-, joyce and jet lost their r permission
because of it. They don't lose their explicit permissions, just
had them masked out.


--dave
 

 
-- 
David Collier-Brown            | Always do right. This will gratify
Sun Microsystems, Toronto      | some people and astonish the rest
davecb at sun.com                 |                      -- Mark Twain
(800) 555-9786 x56583 cell: (647) 833-9377 home off: (416) 223-5943 
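
The mask arithmetic behind the transcript above, as an added example that is not part of the original post. It parses the getfacl listing shown before the chmod, models `chmod g-r` the way the second listing shows it behaving (the bit is cleared in both group:: and mask, an assumption drawn from that output), and reports which entries keep explicit permissions that the mask no longer lets through. All function names are hypothetical.

```python
# Added example: a model of the mask behaviour seen in the transcript.
BEFORE = """\
# file: foo
user::rw-
user:joyce:rw-          #effective:rw-
group::r--              #effective:r--
group:jet:rw-           #effective:rw-
mask:rw-
other:r--
"""  # getfacl listing from the post, taken before the chmod

def parse_acl(text):
    """Parse getfacl-style lines into {(tag, name): perms}, dropping comments."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(":")
            name = parts[1] if len(parts) == 3 else ""
            acl[(parts[0], name)] = parts[-1]
    return acl

def and_perms(a, b):
    """Bitwise AND of two rwx strings such as 'rw-' and '-w-'."""
    return "".join(x if x == y else "-" for x, y in zip(a, b))

def effective(acl):
    """Named users, the group owner and named groups are limited by the mask."""
    mask = acl[("mask", "")]
    return {k: and_perms(p, mask) for k, p in acl.items()
            if k[0] == "group" or (k[0] == "user" and k[1])}

def chmod_group_remove(acl, bits):
    """Assumed model of `chmod g-<bits>`: clear bits in group:: and in mask."""
    new = dict(acl)
    for key in (("group", ""), ("mask", "")):
        new[key] = "".join("-" if c in bits else c for c in new[key])
    return new

def masked_out(acl):
    """Entries whose explicit permissions exceed their effective permissions."""
    return {k: (acl[k], e) for k, e in effective(acl).items() if acl[k] != e}

if __name__ == "__main__":
    after = chmod_group_remove(parse_acl(BEFORE), "r")
    for (tag, name), (explicit, eff) in masked_out(after).items():
        print(f"{tag}:{name} explicit={explicit} effective={eff}")
```

Running `masked_out` over ACLs before and after a mode change shows which named entries were narrowed without their explicit permissions being edited.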

