s3fs ACL errors

Ricky Nance ricky.nance at weaubleau.k12.mo.us
Sun May 6 22:31:27 MDT 2012

In my testing of s3fs I have came across some issues with the way a new
folder is created and the permissions it gets. I am using abartlet's
master-devel branch with 's3-posix_acls: Handle IDMAP_BOTH by setting an
ACL for both the UID and GID form'.

By default the following users are on a new folder... CREATOR OWNER,
CREATOR GROUP, Administrator, Domain Users, Server Operators. The folder
was created by the Administrator account. It seems odd to me that CREATOR
OWNER and Creator GROUP (in all caps) is wrong... it doesn't follow the
other 'Proper' names.  It does look like 'Domain Users' gets Read &
Execute, List folder contents and Read permissions by default, however,
that may not be a group that everyone in the domain belongs to, it also
leaves out anything on the share that the machine might need to access like
GPO's. It looks like the NTVFS uses the 'Authenicated Users' account
with Read & Execute, List folder contents and Read permissions by default.
Also, NTVFS adds the 'SYSTEM' account by default with Full Control (and all
the rest) for permissions. This had a bad impact when testing GPO's, since
the regular user account didn't have permissions to even read them. This is
not the case for a new file, the permissions for a file are as follows:
Everyone with Read & Execute and Read, Administrator with Full Control,
 Domain Users with Read & Execute and Read, and Server Operators with Full
Control. It also looks like s3fs reads NTVFS ACL's just fine.

Please let me know if you need any more information.


More information about the samba-technical mailing list