Inherit Permissions addition

David Lee T.D.Lee at durham.ac.uk
Tue May 23 10:13:31 GMT 2000 

Re:

> Date:   Mon, 22 May 2000 00:01:14 -0500
> From:   "Kyle Herbert" <kyleh at firstnetimpressions.com>
> To:     <T.D.Lee at durham.ac.uk>, <samba at samba.org>
> Subject: Inherit Permissions addition
> 
> I was delighted to read about and test the "inherit permissions" feature of
> version 2.0.7 for myself.  This is a wonderful addition to Samba; thank you,
> David Lee, for your fine work.
> 
> After initial testing, it became apparent to me that inheriting the 'group'
> permissions on a subfolder within a share without also 'forcing' the group
> ownership on the new files and directories in that subfolder would quickly
> undermine the purpose of the feature and lead to a potential breach in
> security.
> 
> The documentation for 'inherit permissions' indicates that the systems
> administrator can resolve this issue by using the set-gid bit on the share
> directory ("New directories inherit the mode of the parent directory,
> including bits such as setgid.").
> 
> Rather than have this functionality of Samba depend upon correct
> administration at the file system level, I thought it better to have Samba
> force group id inheritance when the 'inherit permissions' attribute is set.
> After all, I could not imagine a situation wherein the group permissions
> should be maintained without the group id; and, this saves one step in the
> overall administration.

I see your point.

Bear in mind throughout that a principal aim of this mode is for home
directories at large installations (many thousands of users) using a
single [homes] share, where most users need have no real knowledge of
UNIX.  Thus the UNIX/Samba administrator needs to be able to set up
[homes] to get things 98% intuitive for 98% of them 98% of the time. 
There will always be the remaining 2% who need greater flexibility:
let them learn UNIX!

The issue can be argued either way.  So let me put "the other side". 

In setting the read/write bits, "inherit permissions" adds new, useful
functionality which is not already there.  By contrast the principles of
"setgid" on directories are already implemented within most UNIX systems. 
So if "inherit permissions" were to force "setgid" behaviour, regardless
of the "setgid" bit itself, this actually removes flexibility (it will
have disabled an infrequently used, but useful, switch). 

One could well envisage the following home directory structure (thousands
of users, remember, in [homes]):

  .              :  711  (private as possible, just enough through-access)
  ./public_html  :  755  (public)
  ./normalgroup  :  750  (group-access to my usual group)
  ./specialgroup : 2750  (owned by non-default group; setgid bit set).

All new files and subdirectories (recursively), except those in the three
special cases, get 600 (files) or 711 (directories) and the normal group.

All new files/subdirectories in "public_html" get 644/755 and the normal
group.

All new files/subdirectories in "normalgroup" get 640/750 and the normal
group.

All new files/subdirectories in "specialgroup" get 640/2750 : the
group-owner is set via the setgid bit, using the owner of the directory.

This gives reasonably full functionality.  By contrast, if "inherit
permissions" were to force setgid, then we would have lost an aspect of
flexibility.

So my own view, on balance, is to keep the existing functionality.

Perhaps the patch should be a documentation patch describing the various
possibilities opened up by this parameter.  Indeed, perhaps this should be
part of a larger document which describes "force create mode" etc.

> By the way, this is my first contribution to an open source software
> project.  Thank you for the opportunity to help advance such a valuable
> project.  Any comments or feedback would be very welcome.

Thanks.  I hope my apparently negative reaction (I hope it wasn't too
negative) hasn't put you off, but rather encouraged you.

My guess is that any further discussion should take place on the 
"samba-technical" list (rather than here on "samba").

-- 

:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/~dcl0tdl            South Road            :
:                                           Durham                :
:  Phone: +44 191 374 2882                  U.K.                  :

More information about the samba mailing list