[Samba] Enforcing filesystem permissions

Dale Schroeder dale at BriannasSaladDressing.com
Mon Oct 4 12:54:51 MDT 2010


Maybe this instead:

      inherit permissions (S)

    The permissions on new files and directories are normally governed
    by create mask, directory mask, force create mode and force
    directory mode but the boolean inherit permissions parameter
    overrides this.

    New directories inherit the mode of the parent directory, including
    bits such as setgid.

    New files inherit their read/write bits from the parent directory.
    Their execute bits continue to be determined by map archive,
    map hidden and map system as

    Note that the setuid bit is /never/ set via inheritance (the code
    explicitly prohibits this).

    This can be particularly useful on large systems with many users,
    perhaps several thousand, to allow a single [homes] share to be used
    flexibly by each user.

    Default: inherit permissions = no


On 10/04/2010 11:00 AM, Dennis Jacobfeuerborn wrote:
> Hi,
> I'm trying to get samba to force a certain set of permissions for 
> files and directories but so far I don't have much success. This is 
> what I'm trying to enforce:
>         create mask = 0770
>         security mask = 0770
>         directory mask = 0770
>         directory security mask = 0770
>         force create mode = 0660
>         force security mode = 0660
>         force directory mode = 0770
>         force directory security mode = 0770
>         force group = publisher
> Yet when a client creates a directory it ends up with the permissions 
> set to 755 instead. My guess is that the client changes the 
> permissions after the directory is created so I'm wondering how I can 
> prevent that from happening.
> What I'm trying to accomplish is to make it possible for members of 
> the group "publisher" to always read/write each others files and enter 
> directories.
> Regards,
>   Dennis
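
The inheritance rules quoted above from smb.conf(5), modelled as an added example that is not part of the original message and is not Samba's own code. The function names and the 2770 share root are assumptions made for illustration; the execute-bit mapping (archive to owner, system to group, hidden to other) and the map_* defaults follow the smb.conf(5) descriptions of those parameters.

```python
"""Model of the 'inherit permissions' rules as described in smb.conf(5).

Added illustration, not Samba source. Function names are hypothetical.
"""
import stat

# The read/write bits that a new file takes from its parent directory.
RW_BITS = (stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IWGRP
           | stat.S_IROTH | stat.S_IWOTH)


def inherited_dir_mode(parent_mode: int) -> int:
    """New directory: the parent's mode, setgid included, setuid never."""
    return stat.S_IMODE(parent_mode) & ~stat.S_ISUID


def inherited_file_mode(parent_mode: int, archive=False, system=False,
                        hidden=False, map_archive=True, map_system=False,
                        map_hidden=False) -> int:
    """New file: read/write bits from the parent, execute bits from map_*."""
    mode = stat.S_IMODE(parent_mode) & RW_BITS
    if map_archive and archive:
        mode |= stat.S_IXUSR   # DOS archive attribute -> owner execute
    if map_system and system:
        mode |= stat.S_IXGRP   # DOS system attribute -> group execute
    if map_hidden and hidden:
        mode |= stat.S_IXOTH   # DOS hidden attribute -> other execute
    return mode


def group_can_collaborate(mode: int, is_dir: bool) -> bool:
    """Goal from the question: group reads/writes files, enters directories."""
    need = stat.S_IRGRP | stat.S_IWGRP | (stat.S_IXGRP if is_dir else 0)
    return (mode & need) == need


if __name__ == "__main__":
    parent = 0o2770  # constructed sample: setgid share root owned by the group
    rows = [
        ("new directory", inherited_dir_mode(parent), True),
        ("new file, archive set", inherited_file_mode(parent, archive=True), False),
        ("directory as observed", 0o755, True),
    ]
    for label, mode, is_dir in rows:
        ok = group_can_collaborate(mode, is_dir)
        print(f"{label:24} {mode:04o}  group access ok: {ok}")
```

Under this model the share root's own mode is the policy: a parent of 2770 yields 2770 directories and 0660 files (0760 when the archive attribute is mapped), whereas the observed 755 fails the group-write check.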
