[Samba] create mask = 0777

Scott Millhisler sjmlistread at sjm.net
Tue Mar 11 20:10:06 GMT 2003


David:

The following is written for those who have little or no knowledge of Linux's file and directory permission settings and need to understand some of the mask related parameters in Samba's smb.conf file.  It may or may not be suited for your knowledge level.  I hope it at least helps a little.


---------------------------------------------------
==== File and Directory Permission Mask Values ====
---------------------------------------------------

Q> What does "create mask = 777" in smb.conf indicate?

A> I will explain what the numbers indicate first; they serve the same function in all of the file related mask and mode parameters. The numbers are "bit masks" for the file or directory access privileges.

For now in this text, when I refer to a "file" I mean a file or directory; they are treated the same here.

-=- How Linux File Permissions are Handled -=-
----------------------------------------------
Each file stored in a standard Linux volume has 3 sets of privilege settings, one set for the file's owner, one set for the file's group members and one set for everyone else (other).  For each of these three classes of users there are 3 options, read, write, and execute.  

Looking at a Samba mask parameter value as a 3 digit number, which is all we need to deal with in this discussion, each digit represents one of the 3 classes of users.  (Note: a value of 0740 is the same as 740; any leading zeros can be omitted.)  The value of each digit can be between 0 and 7 so we call these octal digits.

The 3 classes of users represented by these 3 digits are, owner, group, and other.  
- The owner is the Linux user who currently owns the file.
- The group is the Linux group to which the file belongs.  If a user belongs to the same group as the file, that user inherits those permissions.
- Other is everyone but the owner and group members.

For example, let's look at a mask of 740.  It can be broken down as the following:

- The first digit (7) indicates the file's owner's options.
- The second digit (4) indicates the file's group members' options.
- The third digit (0) indicates the file's options for everyone else.

-=- How the Permission Settings are Arranged -=-
------------------------------------------------
As mentioned earlier there are 3 different permission settings, represented by a single octet.  This is where the 'bit mask' comes in.  If  you are familiar with binary notation then this will be easy to calculate.  The settings are represented by bit positions of a 3 bit cluster.

               2
               |
       4 <--- ||| ---> 1
              111  <------------ Binary Number 111 (3 digits)
    Read <--- ||| ---> Execute
               |
             Write        

In this "cheesy" ASCII diagram the binary number 111 is shown in the middle.  Above it shows the decimal value of each digit, and below is what permission is granted by each of the three digits.  A 1 assigns the permission.

Therefore, in binary notation Read access has a decimal value of 4 (100), Write has a decimal value of 2 (010), and Execute has a value of 1 (001).  

Now to derive a single digit in our permissions mask we convert the binary value to a single digit decimal value.   Therefore, full permission (read, write and execute) has a decimal value of 7.  Some other examples:

Permission     Binary  Decimal
----------     ------  -------
Read/Write      110       6
Read Only       100       4
Read/Execute    101       5


Now that we know that, we can use these digits to assign permissions for the file's owner, group, and others as explained above.

For our example above, permissions mode 740 would represent the file's owner having Read/Write/Execute permission,  the group members have Read only permission, and everyone else has no access permissions at all to the file.

-=- Viewing a File's or Directory's Permission Modes -=-
--------------------------------------------------------
These rights are seen when you get a directory listing with the 'ls -l' shell command.  You will see the rights listed in the 1st column, in a letter notation.  For example, a file will appear as:

-rw-r--r--    1 root     staff         8346 Mar 10 17:43 smb.conf

Ignoring the 1st character '-' for a moment, 
  - characters 2-4 represent the file owner's permission, "rw-" (read/write)
  - characters 5-7 represent the file group members' permissions, "r--" (read)
  - characters 8-10 represent everyone else's permissions, "r--" (read)

The last of the 3 symbols, which is always '-' in this example, will be 'x' if the execute right is assigned.  

Each of the three characters in a user class grouping corresponds to a bit position as shown earlier.  Instead of it showing a 1 or 0 it uses characters to make it more readable.  'r' for Read, 'w' for Write, 'x' for eXecute, and '-' for not set.
 
That 1st character in the 10 character permissions indicator is used by Unix/Linux to specify additional attributes to the file, such as 'd' if it is a directory or 'l'  if it is a link.  The usage is seldom assigned by the average user and beyond the scope of this text.

-=- Samba smb.conf mask parameter examples -=-
----------------------------------------------
Now with that long explanation out of the way we can apply that knowledge to the create mask and directory mode parameters.

-=- create mask -=-
-------------------
Note: This is a synonym for create mode.
This setting tells samba what permissions to mask against the DOS/Windows assigned permissions for a new file when it is created from a Windows/DOS client.  This means that if a permission isn't indicated in this create mask parameter, then it won't be assigned to the file when created.  This applies to files only, not directories.  There are many factors that may affect this parameter so for detailed information see the man or info pages for smb.conf.

-=- directory mask -=-
----------------------
Note: This is a synonym for directory mode.
This is really the same concept as create mask but it applies to directories not files.  Just remember that if you want any of the 3 groups (owner, group, other) to be able to at least access a directory, set the read AND execute permissions. There are many factors that may affect this parameter so for detailed information see the man or info pages for smb.conf.

That should be enough information to get the newcomer on their way to using directory and file masks.  For more information see the man or info pages for ls, chmod, and smb.conf.

For errors or blatant omissions email scott at sjm.net

Scott Millhisler
SJM Computer Consulting - Perry, Michigan


---------- Original Message ----------------------------------
From: "David Jackson" <DJackson at floridaforms.com>
Reply-To: DJackson at floridaforms.com
Date:  Mon, 10 Mar 2003 21:06:20 -0500

>What do the following lines mean in the smb.conf file:
>create mask = 0777
>directory mode = 0775
>I would like to know where I can learn more about what those numbers
>signify.
>Also where can I find archives for this list so I don't keep bringing up old
>topics?
>
>Thanks
> ........
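
The octal digits and the masking rule explained in the message above, as an added example that is not part of the original post: it renders a mode the way 'ls -l' does, applies a mask bit by bit, and lists mask parameters in an smb.conf fragment that would let the "other" write bit through. The share names, paths and the requested mode used in the test values are constructed for illustration.

```python
import stat

# Constructed smb.conf fragment (share names, paths and values are made up).
SAMPLE_CONF = """\
[global]
   workgroup = EXAMPLE

[public]
   path = /srv/public
   create mask = 0777
   directory mode = 0775

[private]
   path = /srv/private
   create mode = 0740
   directory mask = 0750
"""

# The post notes that "create mode" and "directory mode" are synonyms.
MASK_KEYS = {"create mask": "create mask", "create mode": "create mask",
             "directory mask": "directory mask", "directory mode": "directory mask"}

def rwx(mode):
    """Render the 9 permission bits as 'ls -l' does, e.g. 0o740 -> 'rwxr-----'."""
    return stat.filemode(mode)[1:]  # drop the leading file-type character

def apply_mask(requested, mask):
    """A bit survives only if it is set in both the requested mode and the mask."""
    return requested & mask

def parse_masks(text):
    """Return {(share, canonical_key): mode} for every mask parameter found."""
    share, found = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            share = line[1:-1]
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in MASK_KEYS:
                found[(share, MASK_KEYS[key.lower()])] = int(value, 8)
    return found

def world_writable(masks):
    """List the (share, key) pairs whose mask allows the 'other' write bit."""
    return sorted(k for k, m in masks.items() if m & stat.S_IWOTH)
```

A mask of 0777 removes nothing, so whatever bits are requested for a new file are kept; 0740 caps the result at owner full access and group read.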

