[Samba] Samba permissions

Scott Mayo sgmayo at mail.bloomfield.k12.mo.us
Fri Jul 29 16:37:52 GMT 2005


Keith Warno wrote:
> * <sgmayo at mail.bloomfield.k12.mo.us> [29/07/2005 1119EDT]:
> 
>>I am working on my permissions and something does not quite make sense 
>>to me.  Here is what I have set.
>>
>>/DIR          (Unix permissions are 3777)
>>
>>Then in samba I have the following
>>
>>[dir]
>>path = /DIR
>>read only = no
>>valid users = @teach @student
>>create mask = 3660
>>directory mask = 3770
>>
>>Then from a windows workstation, I create a new directory inside 'dir', 
>>and call it 'teach'.
>>
>>The permissions of 'teach' are 2770.  It looks like it should be 3770 to 
>>me since the 'directory mask' command does a bitwise 'AND'.  Anyone 
>>know why this is?  Maybe it is because of the DOS attributes or something.
> 
> 
> You're right about the bitwise AND.
> 
> But default mode for a new directory is 0777.  Observe:
> 
> kw@pigpen[2]:~$ cd tmp
> kw@pigpen[2]:~/tmp$ umask 0
> kw@pigpen[2]:~/tmp$ umask
> 0000
> kw@pigpen[2]:~/tmp$ file foodir
> foodir: cannot open (foodir)
> kw@pigpen[2]:~/tmp$ mkdir foodir
> kw@pigpen[2]:~/tmp$ ls -ld foodir
> drwxrwxrwx  2 kw users 4096 Jul 29 11:59 foodir
> 
> However, your new directory *inherited* the setgid bit (effectively a
> bitwise OR); this is simply the behavior of setgid bits on directories.
> From the man page for the stat() system call (section 2):
> 
>        The set GID bit (S_ISGID) has several special uses: For a
>        directory  it indicates  that  BSD  semantics is to be used for
>        that directory: files created there inherit their group ID from
>        the directory, not  from  the effective  gid  of  the creating
>        process, and directories created there will also get the S_ISGID
>        bit set.  For a file that does not  have  the group  execution
>        bit (S_IXGRP) set, it indicates mandatory file/record locking.
> 
> So, for your case:
> 
> 	(3770 & 0777) | 2000 = 2770
> 
> It is doing exactly what it should be doing. :)
> 
> Keith

Ok, I guess that makes sense after you explained it.  I got it to work 
by using both the 'directory mask' and the 'force directory mode'.  That 
works but I have no idea why.  I also just tried to use the 'force 
directory mode' which is a bitwise 'OR' to see what I would get and here 
are the permissions that I end up with in both cases.  I cannot figure 
out where they are coming from.

With both 'directory mask = 3770' and 'force directory mode = 3770' I get:

drwxrws--T DIR   (which would be 3770)

If I just use 'force directory mode = 3770', then I get the following 
permissions:

drwxrwsr-t DIR   (which would be 3775)

Thanks for any help.  I am glad that it works when using both 
directives, but I just want to understand why.  I have been doing a lot 
of reading, and just when I think that I understand how it should 
work...it throws me a curve. :)

-- 
Scott Mayo
Technology Coordinator
Bloomfield Schools
PH: 573-568-5669
FA: 573-568-4565
Pager: 800-264-2535 X2549

Duct tape is like the force, it has a light side and a dark side and it
holds the universe together.
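
An added worked example (not part of either poster's message, and not Samba's own code): a small Python model that reproduces the three results reported in this thread. It assumes the requested mode of 0777 from Keith's reply, the setgid inheritance he quotes from stat(2), and the smb.conf defaults `directory mask = 0755` and `force directory mode = 0000` when a parameter is not set; the function and constant names are hypothetical.

```python
import stat

# smb.conf defaults used when a share does not set the parameter (assumption
# stated in the lead-in; these are the documented defaults).
DEFAULT_DIRECTORY_MASK = 0o755
DEFAULT_FORCE_DIRECTORY_MODE = 0o000
# Mode requested for a new directory before masking (0777, per Keith's reply).
REQUESTED_DIR_MODE = 0o777


def new_directory_mode(parent_mode, directory_mask=None, force_directory_mode=None):
    """Model the final mode of a directory created through the share."""
    mask = DEFAULT_DIRECTORY_MASK if directory_mask is None else directory_mask
    force = (DEFAULT_FORCE_DIRECTORY_MODE
             if force_directory_mode is None else force_directory_mode)
    # 'directory mask' is ANDed in first, then 'force directory mode' is ORed in.
    mode = (REQUESTED_DIR_MODE & mask) | force
    # A setgid parent passes S_ISGID on to directories created inside it.
    if parent_mode & stat.S_ISGID:
        mode |= stat.S_ISGID
    return mode


def describe(mode):
    """Render a mode as octal plus the ls -l style string for a directory."""
    return "%04o %s" % (mode, stat.filemode(stat.S_IFDIR | mode))


def thread_cases(parent_mode=0o3777):
    """The three share configurations tried in the thread, parent /DIR = 3777."""
    return {
        "directory mask only": new_directory_mode(parent_mode, directory_mask=0o3770),
        "mask and force": new_directory_mode(parent_mode, 0o3770, 0o3770),
        "force only": new_directory_mode(parent_mode, force_directory_mode=0o3770),
    }


if __name__ == "__main__":
    for name, mode in thread_cases().items():
        print("%-22s %s" % (name, describe(mode)))
```

In the force-only case the `r-x` for others comes from the default `directory mask`, which is applied before `force directory mode` is ORed in, so the share needs both parameters set to keep new directories closed to others.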

