[Samba] Enforcing filesystem permissions

Dale Schroeder dale at BriannasSaladDressing.com
Mon Oct 4 12:54:51 MDT 2010


  Dennis,

Maybe this instead:


      inherit permissions (S)

    The permissions on new files and directories are normally governed
    by create mask, directory mask, force create mode and force
    directory mode but the boolean inherit permissions parameter
    overrides this.

    New directories inherit the mode of the parent directory, including
    bits such as setgid.

    New files inherit their read/write bits from the parent directory.
    Their execute bits continue to be determined by map archive, map
    hidden and map system as usual.

    Note that the setuid bit is /never/ set via inheritance (the code
    explicitly prohibits this).

    This can be particularly useful on large systems with many users,
    perhaps several thousand, to allow a single [homes] share to be used
    flexibly by each user.

    Default: inherit permissions = no


Dale


On 10/04/2010 11:00 AM, Dennis Jacobfeuerborn wrote:
> Hi,
> I'm trying to get samba to force a certain set of permissions for 
> files and directories but so far I don't have much success. This is 
> what I'm trying to enforce:
>
>         create mask = 0770
>         security mask = 0770
>         directory mask = 0770
>         directory security mask = 0770
>         force create mode = 0660
>         force security mode = 0660
>         force directory mode = 0770
>         force directory security mode = 0770
>         force group = publisher
>
> Yet when a client creates a directory it ends up with the permissions 
> set to 755 instead. My guess is that the client changes the 
> permissions after the directory is created so I'm wondering how I can 
> prevent that from happening.
> What I'm trying to accomplish is to make it possible for members of
> the group "publisher" to always read/write each other's files and enter
> directories.
>
> Regards,
>   Dennis
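
Added illustration (not part of either message, and not Samba's own code): a simplified Python model of how the mode of a new file or directory is computed with the mask/force parameters versus with inherit permissions, following the manpage text quoted above. The function names are hypothetical, and the starting modes of 0777 for directories and 0666 for files are assumptions for a non-read-only object.

```python
import stat

def masked_mode(is_dir, mask, force, exec_bits=0):
    """inherit permissions = no: requested bits AND mask, then OR force mode."""
    # Assumption: a non-read-only object starts from 0777 (dir) or 0666 (file).
    requested = 0o777 if is_dir else (0o666 | exec_bits)
    return (requested & mask) | force

def inherited_mode(is_dir, parent_mode, exec_bits=0):
    """inherit permissions = yes, following the manpage text quoted above."""
    parent_mode &= ~stat.S_ISUID              # setuid is never inherited
    if is_dir:
        # New directories take the parent's mode, including setgid.
        return parent_mode & (0o777 | stat.S_ISGID)
    # New files take only the parent's read/write bits; execute bits still
    # come from map archive / map hidden / map system (passed as exec_bits).
    return (parent_mode & 0o666) | exec_bits

def compare(parent_mode, dir_mask, dir_force, create_mask, create_force):
    """Return {(kind, setting): mode} for a new directory and a new file."""
    return {
        ("dir", "masks"): masked_mode(True, dir_mask, dir_force),
        ("file", "masks"): masked_mode(False, create_mask, create_force),
        ("dir", "inherit"): inherited_mode(True, parent_mode),
        ("file", "inherit"): inherited_mode(False, parent_mode),
    }

if __name__ == "__main__":
    # Mask values from the quoted smb.conf; the 2770 parent is a constructed
    # example of a setgid group directory.
    result = compare(0o2770, 0o770, 0o770, 0o770, 0o660)
    for (kind, setting), mode in sorted(result.items()):
        print(f"{kind:4} {setting:8} {mode:04o}")
```

The model covers the mode at creation time only; it does not describe any permission change a client makes afterwards.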

