[Samba] Samba permissions

Scott Mayo sgmayo at mail.bloomfield.k12.mo.us
Fri Jul 29 16:57:32 GMT 2005


Scott Mayo wrote:
> Scott Mayo wrote:
> 
>> Keith Warno wrote:
>>
>>> * <sgmayo at mail.bloomfield.k12.mo.us> [29/07/2005 1119EDT]:
>>>
>>>> I am working on my permissions and something does not quite make 
>>>> sense to me.  Here is what I have set.
>>>>
>>>> /DIR          (Unix permissions are 3777)
>>>>
>>>> Then in samba I have the following
>>>>
>>>> [dir]
>>>> path = /DIR
>>>> read only = no
>>>> valid users = @teach @student
>>>> create mask = 3660
>>>> directory mask = 3770
>>>>
>>>> Then from a windows workstation, I create a new directory inside 
>>>> 'dir', and call it 'teach'.
>>>>
>>>> The permissions of 'teach' are 2770.  It looks like it should be 
>>>> 3770 to me since the 'directory mask' command does a bitwise 
>>>> 'AND'.  Anyone know why this is?  Maybe it is because of the DOS 
>>>> attributes or something.
>>>
>>> You're right about the bitwise AND.
>>>
>>> But default mode for a new directory is 0777.  Observe:
>>>
>>> kw at pigpen[2]:~$ cd tmp
>>> kw at pigpen[2]:~/tmp$ umask 0
>>> kw at pigpen[2]:~/tmp$ umask
>>> 0000
>>> kw at pigpen[2]:~/tmp$ file foodir
>>> foodir: cannot open (foodir)
>>> kw at pigpen[2]:~/tmp$ mkdir foodir
>>> kw at pigpen[2]:~/tmp$ ls -ld foodir
>>> drwxrwxrwx  2 kw users 4096 Jul 29 11:59 foodir
>>>
>>> However, your new directory *inherited* the setgid bit (effectively a
>>> bitwise OR); this is simply the behavior of setgid bits on directories.
>>> From the man page for the stat() system call (section 2):
>>>
>>>        The set GID bit (S_ISGID) has several special uses: For a
>>>        directory  it indicates  that  BSD  semantics is to be used for
>>>        that directory: files created there inherit their group ID from
>>>        the directory, not  from  the effective  gid  of  the creating
>>>        process, and directories created there will also get the S_ISGID
>>>        bit set.  For a file that does not  have  the group  execution
>>>        bit (S_IXGRP) set, it indicates mandatory file/record locking.
>>>
>>> So, for your case:
>>>
>>>     (3770 & 0777) | 2000 = 2770
>>>
>>> It is doing exactly what it should be doing. :)
>>>
>>> Keith
>>
>> Ok, I guess that makes sense after you explained it.  I got it to work 
>> by using both the 'directory mask' and the 'force directory mode'.  
>> That works but I have no idea why.  I also just tried to use the 
>> 'force directory mode' which is a bitwise 'OR' to see what I would get 
>> and here are the permissions that I end up with in both cases.  I 
>> cannot figure out where they are coming from.
>>
>> With both 'directory mask = 3770' and 'force directory mode = 3770' I 
>> get:
>>
>> drwxrws--T DIR   (which would be 3770)
>>
>> If I just use 'force directory mode = 3770', then I get the following 
>> permissions:
>>
>> drwxrwsr-t DIR   (which would be 3775)
>>
>> Thanks for any help.  I am glad that it works with using both 
>> directives, but I just want to understand why.  I have been doing a 
>> lot of reading, and just when I think that I understand how it should 
>> work...it throws me a curve. :)
>>
> 
> Actually the first one does make sense I guess, but not the 2nd.  Here 
> is how I understand it.
> 
> [(3777 & 0770) | 3770] | 2000 = 3770
> 
> I have no idea where the rx permissions come from in the last example 
> though.
> 

Well, I had to reply to my post twice. :)  Thanks for the help.  I think 
I see it now.  'directory mask' defaults to 755.  That is where the rx 
came in on my last example.  Thanks for the great explanation.

-- 
Scott Mayo
Technology Coordinator
Bloomfield Schools
PH: 573-568-5669
FA: 573-568-4565
Pager: 800-264-2535 X2549

Duct tape is like the force, it has a light side and a dark side and it
holds the universe together.
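
The three results discussed in this thread, reproduced as an added example (not part of the original posts and not Samba's own code). It assumes a simplified model: a new directory starts at 0777, is ANDed with 'directory mask', ORed with 'force directory mode', and inherits setgid from its parent. The share names, function names and the 0000 default for 'force directory mode' are assumptions made for the illustration.

```python
import configparser
import stat

# Constructed share definitions mirroring the three setups tried in the thread.
SMB_CONF = """
[mask_only]
path = /DIR
directory mask = 3770

[mask_and_force]
path = /DIR
directory mask = 3770
force directory mode = 3770

[force_only]
path = /DIR
force directory mode = 3770
"""

DEFAULT_DIRECTORY_MASK = "0755"        # default noted in the thread
DEFAULT_FORCE_DIRECTORY_MODE = "0000"  # assumption: nothing forced by default


def new_dir_mode(share, parent_mode):
    """Model the mode of a directory created through a share (simplified)."""
    mask = int(share.get("directory mask", DEFAULT_DIRECTORY_MASK), 8)
    force = int(share.get("force directory mode", DEFAULT_FORCE_DIRECTORY_MODE), 8)
    mode = 0o777 & mask                  # 'directory mask': bitwise AND
    mode |= force                        # 'force directory mode': bitwise OR
    mode |= parent_mode & stat.S_ISGID   # setgid inherited from the parent
    return mode


def audit(conf_text, parent_mode):
    """Return {share: (octal mode, ls-style string, grants_other)}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for name in cp.sections():
        mode = new_dir_mode(cp[name], parent_mode)
        text = stat.filemode(stat.S_IFDIR | mode)
        report[name] = (format(mode, "04o"), text, bool(mode & stat.S_IRWXO))
    return report


if __name__ == "__main__":
    for name, (octal, text, other) in audit(SMB_CONF, 0o3777).items():
        flag = "  <-- 'other' has access" if other else ""
        print(f"{name:15} {octal} {text}{flag}")
```

The `force_only` share is the one to watch: with 'directory mask' left at its default, new directories pick up r-x for 'other' even though the forced mode was 3770.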

