[Samba] Re: Re: file permissions with inherit permission + ACL's

Ralf Gross Ralf-Lists at ralfgross.de
Fri Apr 20 14:36:31 GMT 2007 

Jay Flory schrieb:
> 
> "Ralf Gross" <Ralf-Lists at ralfgross.de> wrote in message 
> news:20070419075232.GC26699 at p15145560.pureserver.info...
> > Jay Flory schrieb:
> >> > I have a share (testshare) where different unix groups (testgroup1,
> >> > testgroup2) should have access to. But I want that new files are only
> >> > created with 660 permissions.
> >> >
> >> > Here are the ACL's of testshare:
> >> >
> >> > # file: testshare
> >> > # owner: ralfgro
> >> > # group: ve
> >> > user::rwx
> >> > group::rwx
> >> > group:testgroup1:rwx
> >> > group:testgroup2:rwx
> >> > mask::rwx
> >> > other::---
> >> > default:user::rwx
> >> > default:group::---
> >> > default:group:testgroup1:rwx
> >> > default:group:testgroup2:rwx
> >> > default:mask::rwx
> >> > default:other::---
> >> > [snip]
> >> > I already played with the default mask ACL, but then I always ended 
> >> > with
> >> > no
> >> > executable bit on files _and_ directories which denies access to the 
> >> > new
> >> > created directories...
> >>
> >> What would happen if you removed the default entries from your directory
> >> ACLs?  It looks to me like the default ACLs are being applied from the
> >> directory to the newly created file.  I believe that POSIX ACLs do this 
> >> by
> >> design.
> >
> > But I need the default directory ACLs to give the 2 groups rights on
> > all new created files and directories in this share, or am I wrong
> > about this? The only thing I don't want is the executable bit on
> > files.
> >
> I believe that Samba, with the "inherit acls = yes" setting, is designed to 
> set the permissions on the new subdirectories.  The Definitive Guide to 
> Samba 3 puts it this way "When set to Yes, Samba copies a directory's ACLs 
> when creating subdirectories within it.  The default value of No sets 
> directory permissions according to the directory mask, force directory mode, 
> and inherit permissions options instead".
> 
> If I am correct then the default ACL entries on your directory is redundant 
> for new sub directories and interfering when Samba tries to set permissions 
> on the new files (inherit permissions).

I tried different settings, and it's basicially working with either
'inherit permissions' or 'inherit acls' + correct ACLs. But new files
are still created with the x-bit. I'm beginning to think, that there
is no way to prevent smb from setting this bit if the groups should
get access to new created directories.

My goal was:

- different groups with (maybe different) rights on all
  new files/directories
- file should have only 660 permissions (no x-bit)

Ralf

More information about the samba mailing list