Create mode, create mask etc...

thwartedefforts at thwartedefforts at
Fri Aug 28 04:54:49 GMT 1998

>Would someone please help me with the "create mode/mask" settings and/or
>others if needed, or point me to some docs. In the following 2 examples, I
>cannot find the correct settings:

>I use the [netlogon] share, and edit logon scripts there from my Windows
>machine. The group gets set to my user name's group (mi), execute by others
>is not set, and I'm the only one for whom logon scripts are executed.

<I may not know what I'm talking about>
There are very specific permissions that must be setup for the files in the netlogon share so that the client machine knows to execute them.  You really don't want the files to be writable at all from the [netlogon] share.  That entire share should be readonly, I believe.  Note that UNIX permissions, such as execute, have nothing to do with obvious meanings in a Windows environment. 
</I may not know what I'm talking about>

Windows file attributes are mapped to UNIX permissions, but a file can be -x in UNIX and still be 'executable' from windows/dos.

>What are the correct settings for this?
>A different case, probably also very classical, is the web server's share:
>It should be readable and executable by everybody, and writable by the
>@webmasters only.

That is an interesting one.  I'm currently in the process of explaining to my set of webmasters that they can not use HTML editors that don't correct links for relative addresses when they save their work to the FILE SERVER, and want to browse it from the web server.

I'm assuming you are using a system similar to Linux, that is users can be in multiple groups at the same time (the id(2) cmd will verify that) and that directories can be group sticky so that permissions will propagate to their contents.
- Create a UNIX group named webusers or something

- Put all your webmaster people in the webusers group

- Do the following two commands:
  $ find <path to public_html root> -type d -exec chmod 2775 {} \; 
  $ find <path to public_html root> -exec chgrp webusers {} \; \
       -exec chmod 775 {} \;
  The first one will make all directories sticky, user and group writable, and
  publicly accessible.  The second one makes all files and dirs owned by the
  webusers group and user and group writable and publicly readable.

- use these parameters for your web accessible share:
     read only = yes
     write ok = @webusers
     force group = webusers
     create mode = 0775
     directory mode = 2775

  Check those parameter names... I have a feeling that it may be 'force
  directory mode'... Unfortunately, I don't have samba installed on my machines
  at home, since they all run UNIX, so I can't easily check right now. But
  that's the jist of it.

>How do I control the owner and group of a changed/created file, so it is
>not the individual user?

Use the 'force group', and 'create mode' parameters. I find it helpful to not force user permissions, because then you can tell who it was that last changed a file.  Forcing a group, as above, is all I've ever needed.
I've never used the mask option, because on the shares where I've had to enforce group permissions, it wasn't important that a file retain it's DOS attributes (system/hidden/readonly(which WinNT doesn't really enforce anyway-I don't consider boxes like 'X is read-only, are you sure?' to be enforcing attributes)). I do know there is a description of an application of mode and mask parameters in the docs directory included with the source.


More information about the samba mailing list