[Samba] inherited acl

Matthias Nagel mh-nagel at web.de
Tue Sep 16 20:44:39 GMT 2008


On Tuesday, 16 September 2008, vishesh wrote:
> Thanks Nagel
> 
>  That means
> "inherit permission" and "inherit acl" parameter should be used  only 
> when default acl  not present on parent directory.
> 

No, if you want to be sure that permissions are inherited properly, you need both: default permissions and "inherit permissions/acl". If "inherit permissions/acl" is missing, the default acls are inherited, but they may be modified. The man page reads:

inherit acls (S)

           This parameter can be used to ensure that if default acls exist on parent directories, they are always honored when creating a new file or subdirectory in these
           parent directories. The default behavior is to use the unix mode specified when creating the directory. Enabling this option sets the unix mode to 0777, thus
           guaranteeing that default directory acls are propagated.

The important point is that the unix mode is set to 0777 if "inherit acl = yes" is set. Otherwise the unix mode that is active for the user context Samba is running in will be taken. I will give an example to make things clear.

Imagine you have a directory with the following acls:

default:mask::rwx
default:user::rwx
default:user:my_account:r-x

and the effective user mode is not 0777 but 0666 and "inherit acl" is set to "no". In this case the new file gets the following acls:

default:mask::rw-
default:user::rw-
default:user:my_account:r--

Please note the missing execute bit. The acl of the new object is the logical AND of the default acl and the effective unix mode. The acls are inherited anyway, no matter what "inherit acl" says. But the result might be different from what you expect.

Matthias Nagel
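
The masking described in the message above, as an added example that is not part of the original post or of Samba: a small Python model of the object-creation rule documented in acl(5). The `group::` and `other::` entries are constructed to complete the sample ACL, and for the named user the model reports effective rights (the entry capped by the mask).

```python
# Added example: models how a directory's default ACL is combined with the
# unix mode requested at creation time (rule from acl(5), "OBJECT CREATION").
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def to_bits(perm):
    """'r-x' -> 5"""
    return sum(PERM_BITS[c] for c in perm if c != "-")

def to_str(bits):
    """5 -> 'r-x'"""
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())

def inherit(default_acl, create_mode):
    """Access ACL of a new object created below a directory carrying
    default_acl, when the creating process asks for create_mode."""
    owner, group, other = (create_mode >> 6) & 7, (create_mode >> 3) & 7, create_mode & 7
    acl = {entry: to_bits(perm) for entry, perm in default_acl.items()}
    acl["user::"] &= owner
    # With a mask entry present, the mode's group bits limit the mask;
    # without one they limit the owning group entry instead.
    if "mask::" in acl:
        acl["mask::"] &= group
    else:
        acl["group::"] &= group
    acl["other::"] &= other
    return acl

def effective(acl):
    """Rights actually granted: every entry except the owner, other and the
    mask itself is capped by the mask."""
    mask = acl.get("mask::", 7)
    uncapped = ("user::", "other::", "mask::")
    return {e: to_str(b if e in uncapped else b & mask) for e, b in acl.items()}

# Constructed sample: the three entries from the message plus group::/other::.
DEFAULT_ACL = {
    "user::": "rwx",
    "user:my_account:": "r-x",
    "group::": "r-x",
    "mask::": "rwx",
    "other::": "---",
}

if __name__ == "__main__":
    # 0o666 stands for "inherit acls = no" with a restrictive create mode,
    # 0o777 for the mode Samba uses when "inherit acls = yes".
    for mode in (0o666, 0o777):
        print(oct(mode), effective(inherit(DEFAULT_ACL, mode)))
```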

