File & Directory permissions

Mac dmccann at nibsc.ac.uk
Tue Nov 10 18:05:28 GMT 1998


Hi all (and Peter),

Answering your question A,

No.  Details below.  (I don't have access to NT as a client, but I do
know a good deal about Samba permissions).


>Samba presents a DOS file permissions view to users.  That is they can set the 
>following attributes for files: Archive, Hidden and Readonly.  As an ordinary 
>user on NT 4.0 System attribute is not accessible.

'System' attribute is also provided by Samba.  Definitely settable on
WfWg3.11.


>These attributes map as follows onto the following default Unix permissions - 
>note owner and group will depend on how connected to Samba and any "force 
>user" and "force group" directives.  Also as far as I can tell the Hidden 
>attribute has no effect on Unix permissions and is never reported back even if 
>set.  Finally the permissions for directories (or folders) seems to be 
>immutable.

Hidden attribute is only reported (and set) if the smb.conf parameter
'map hidden' is turned on.  'map system' is also required if you wish to
mimic System attribute behaviour.



>Attributes        Type   Unix permissions
>
>none              file   -rw-rw-rw-
>Archive           file   -rwxrw-rw-
>ReadOnly          file   -r--r--r--
>Archive+ReadOnly  file   -r-xr--r--

System and Hidden flip the Group and Other 'Execute' bits (and report on
them too).

Also with 'hide dot files', any .dot file (e.g. .cshrc) is
flagged as hidden too (irrespective of the 'map hidden' setting I
believe).  This mapping is not two way (e.g. a user setting the 'hidden'
attribute on a file will _not_ cause it to have a '.' prepended to the
file name.)

So, Archive, System and Hidden all work in the same way, mapping onto an
Execute bit in UNIX.  (Archive is on by default, System and Hidden are
off).



>any	     directory	drwxrwsrwx


Nope.  Set Group-On-Execute is NOT set for directories by default.
You'd have to use a 'force' to get it set.


>These permissions are the logically ANDed with "create mask" for files and 
>"directory mask" for directories.

Indeed, although 'create mask' is itself ORed with 0600 (or so) to
ensure that you don't remove UNIX read permission from the file (This
seems overkill to me)

Also 'directory mask' is ORed with 0700 (or so) to ensure read and
execute (for user) cannot be removed (very sensible of course).

(This ORing is done in a macro somewhere IIRC)



>Finally they are logically ORed with "force create mask" for files and "force 
>directory create mask" for directories.

Yup.


>The only control as user at a NT Workstation has is to make files read only.

Can't comment.  (Definitely NOT true for WfWg3.11 File Manager)


>A: Is the above correct?

(see above)


>B: Is there any other mechanism for a user to change the permissions of their 
>files?

The one suggestion I have seen is 'magic script', which allows you to
have a file executed by Samba upon close.  Stick the relevant 'chmod'
commands in there (not forgetting to use UNIX End-Of-Line semantics) and
away you go!



>The rationale is that the SAMBA directives do not cover all I would wish - eg 
>Users here have Web pages that must be globally readable, but most other files 
>should not be so.

Hmm.  Tricky within a single share.  I guess you can't provide a
separate share for each user's web pages?


                               Mac
          Assistant Systems Adminstrator @nibsc.ac.uk
                        dmccann at nibsc.ac.uk
   Work: +44 1707 654753 x285      Everything else: +44 956 237670 (anytime)
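
Added example (not part of the original post and not Samba source code): a Python model of the file mapping discussed in this thread, useful for checking which 'create mask' values leave new files world-readable or world-writable. The function and parameter names are hypothetical; the 0600 floor is the post's approximate figure, and treating a missing owner-write bit as ReadOnly is a simplifying assumption.

```python
import stat

# DOS attribute bits as carried in SMB
ATTR_READONLY, ATTR_HIDDEN, ATTR_SYSTEM, ATTR_ARCHIVE = 0x01, 0x02, 0x04, 0x20

def unix_mode(attrs, create_mask, force_mode=0, map_archive=True,
              map_system=False, map_hidden=False, mask_floor=0o600):
    """DOS attributes -> Unix mode for a file, as described in the thread."""
    mode = 0o444                          # read for user, group and other
    if not attrs & ATTR_READONLY:
        mode |= 0o222                     # write bits unless ReadOnly is set
    if map_archive and attrs & ATTR_ARCHIVE:
        mode |= stat.S_IXUSR              # Archive -> owner execute
    if map_system and attrs & ATTR_SYSTEM:
        mode |= stat.S_IXGRP              # System  -> group execute
    if map_hidden and attrs & ATTR_HIDDEN:
        mode |= stat.S_IXOTH              # Hidden  -> other execute
    mode &= create_mask | mask_floor      # mask is ORed with the floor first
    mode |= force_mode                    # forced bits are ORed in last
    return mode

def dos_attrs(mode, name, map_archive=True, map_system=False,
              map_hidden=False, hide_dot_files=True):
    """Unix mode -> DOS attributes reported back to the client."""
    attrs = 0
    if not mode & stat.S_IWUSR:           # assumption: owner write decides
        attrs |= ATTR_READONLY
    if map_archive and mode & stat.S_IXUSR:
        attrs |= ATTR_ARCHIVE
    if map_system and mode & stat.S_IXGRP:
        attrs |= ATTR_SYSTEM
    if map_hidden and mode & stat.S_IXOTH:
        attrs |= ATTR_HIDDEN
    if hide_dot_files and name.startswith("."):
        attrs |= ATTR_HIDDEN              # one-way: never renames the file
    return attrs

def world_access(mode):
    """Return the subset of 'rw' that 'other' holds on the file."""
    return ("r" if mode & stat.S_IROTH else "") + \
           ("w" if mode & stat.S_IWOTH else "")

if __name__ == "__main__":
    # Constructed sample masks: wide open, web-readable, private
    for mask in (0o777, 0o744, 0o700):
        m = unix_mode(ATTR_ARCHIVE, mask)
        print(f"create mask {mask:04o}: {stat.filemode(stat.S_IFREG | m)} "
              f"other={world_access(m) or '-'}")
```
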

