[Samba] inherited acl

Matthias Nagel mh-nagel at web.de
Tue Sep 16 20:44:39 GMT 2008

Am Dienstag, 16. September 2008 schrieb vishesh:
> Thanks Nagel
>  That means
> "inherit permission" and "inherit acl" parameter should be used  only 
> when default acl  not present on parent directory.

No, if you want to be sure that permissions are inhereted properly, you need both, default permissions and "inherit permissions/acl". If "inherit permissions/acl" is missing, the default acl are inherited but may be they are modified. The man page reads:

inherit acls (S)

           This parameter can be used to ensure that if default acls exist on parent directories, they are always honored when creating a new file or subdirectory in these
           parent directories. The default behavior is to use the unix mode specified when creating the directory. Enabling this option sets the unix mode to 0777, thus
           guaranteeing that default directory acls are propagated.

The important point is, that the unix mode is set to 0777, if "inherit acl = yes" is set. Otherwise the unix mode, that is active for the user context Samba is running in, will be taken. I will give an example to make things clear.

Imagine you have a directory with the following acls:


and the effective user mode is not 0777 but 0666 and "inherit acl" is set to "no". In this case the new file gets the following acls


Please recognize the missing executive bit. The acl of the new object is the logical AND operation of the default acl and the effective unix mode. The acl are inherited anyway, no matter what "inherit acl" says. But the result might be different from what you expect.

Matthias Nagel

More information about the samba mailing list