[Samba] Re: file permissions with inherit permission + ACL's

Jay Flory jflory at aeiconsultants.com
Wed Apr 18 19:33:03 GMT 2007


"Ralf Gross" <Ralf-Lists at ralfgross.de> wrote in message 
news:20070418154511.GA26699 at p15145560.pureserver.info...
> Hi,
>
> I have a share (testshare) where different unix groups (testgroup1,
> testgroup2) should have access to. But I want that new files are only
> created with 660 permissions.
>
> Here are the ACL's of testshare:
>
> # file: testshare
> # owner: ralfgro
> # group: ve
> user::rwx
> group::rwx
> group:testgroup1:rwx
> group:testgroup2:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:group:testgroup1:rwx
> default:group:testgroup2:rwx
> default:mask::rwx
> default:other::---
>
> I created a new directory and a new file in this share.
>
> drwxrws---+ 2 ralfgro ve    6 2007-04-18 17:28 testdir
> -rwxrwx---+ 1 ralfgro ve    0 2007-04-18 17:28 testfile.txt
>
>
> # file: testdir
> # owner: ralfgro
> # group: ve
> user::rwx
> group::---
> group:testgroup1:rwx
> group:testgroup2:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:group:testgroup1:rwx
> default:group:testgroup2:rwx
> default:mask::rwx
> default:other::---
>
> The permissions of this new directory are fine. But new files should be
> created with 660 permissions, not 770.
>
> # file: testfile.txt
> # owner: ralfgro
> # group: ve
> user::rwx
> group::---
> group:testgroup1:rwx
> group:testgroup2:rwx
> mask::rwx
> other::---
>
>
>
> This is the relevant part of smb.conf:
>
> [testshare]
>        force create mode = 0660
>        create mask = 0660
>        force directory mode = 2770
>        directory security mask = 2770
>        force directory security mode = 0000
>        directory mask = 2770
>        force security mode = 0000
>        security mask = 0770
>        inherit acls = yes
>        inherit permissions = yes
>        map archive = no
>        map system = no
> ...
>
> Some of the options might be needless now, but I needed them as I
> used 'force group = ...' instead of 'inherit permissions'.
>
>
> I already played with the default mask ACL, but then I always ended with no
> executable bit on files _and_ directories which denies access to the newly
> created directories...
>
> Any ideas?
>
> Ralf

Ralf,

What would happen if you removed the default entries from your directory 
ACLs?  It looks to me like the default ACLs are being applied from the 
directory to the newly created file.  I believe that POSIX ACLs do this by 
design.

Thanks
Jay
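
Added example, not part of the original messages: a small Python model of the acl(5) object-creation rule that the reply above points to, where a new file's access ACL is copied from the parent directory's default ACL and then limited by the mode the creating process requests. The function names and the two create modes (0770 and 0660) are assumptions chosen for illustration; this is not Samba's code.

```python
# Added illustration: models the acl(5) object-creation rules, not Samba code.
# Default ACL of testshare, copied from the getfacl output quoted above.
DEFAULT_ACL = """\
default:user::rwx
default:group::---
default:group:testgroup1:rwx
default:group:testgroup2:rwx
default:mask::rwx
default:other::---
"""

def bits(perm):            # "rw-" -> 6
    return sum(v for c, v in zip(perm, (4, 2, 1)) if c != "-")

def text(n):               # 6 -> "rw-"
    return "".join(c if n & v else "-" for c, v in zip("rwx", (4, 2, 1)))

def inherit(default_acl, mode):
    """Access ACL of a new file created with `mode` under `default_acl`."""
    acl = []
    for line in default_acl.split():
        _, tag, qual, perm = line.split(":")
        acl.append([tag, qual, bits(perm)])
    has_mask = any(tag == "mask" for tag, _, _ in acl)
    for e in acl:
        tag, qual, _ = e
        if tag == "user" and not qual:           # owner entry <- owner bits
            e[2] &= (mode >> 6) & 7
        elif tag == "mask" or (tag == "group" and not qual and not has_mask):
            e[2] &= (mode >> 3) & 7              # group bits land on the mask
        elif tag == "other":
            e[2] &= mode & 7
    return acl                                   # named entries are copied as-is

def render(acl):
    return [f"{t}:{q}:{text(p)}" for t, q, p in acl]

def effective(acl, group):
    """Rights a named group really gets: its entry ANDed with the mask."""
    mask = next((p for t, _, p in acl if t == "mask"), 7)
    return text(next(p for t, q, p in acl if t == "group" and q == group) & mask)

if __name__ == "__main__":
    for mode in (0o770, 0o660):                  # assumed create modes
        acl = inherit(DEFAULT_ACL, mode)
        print(oct(mode), render(acl), effective(acl, "testgroup1"))
```

With a requested mode of 0770 the result equals the testfile.txt ACL quoted above; with 0660 the mask drops to rw-, so the named groups keep their rwx entries but get rw- effective rights.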




