[Samba] Enforcing filesystem permissions
Dennis Jacobfeuerborn
dennisml at conversis.de
Mon Oct 4 13:35:21 MDT 2010
That's a possible way but this would be more of a workaround rather than a
solution. I'd still like to know why the permissions end up all wrong.
Also this only deals with the permissions during the creation of the
directory. If the reason for the messed up permissions is indeed that the
client changes them afterwards then this will probably still happen even
with this option set.
Regards,
Dennis
On 10/04/2010 08:54 PM, Dale Schroeder wrote:
> Dennis,
>
> Maybe this instead:
>
>
> inherit permissions (S)
>
> The permissions on new files and directories are normally governed by
> create mask, directory mask, force create mode and force directory mode
> but the boolean inherit permissions parameter overrides this.
>
> New directories inherit the mode of the parent directory, including
> bits such as setgid.
>
> New files inherit their read/write bits from the parent directory.
> Their execute bits continue to be determined by map archive, map
> hidden and map system as usual.
>
> Note that the setuid bit is /never/ set via inheritance (the code
> explicitly prohibits this).
>
> This can be particularly useful on large systems with many users,
> perhaps several thousand, to allow a single [homes] share to be used
> flexibly by each user.
>
> Default: inherit permissions = no
>
>
> Dale
>
>
> On 10/04/2010 11:00 AM, Dennis Jacobfeuerborn wrote:
>> Hi,
>> I'm trying to get samba to force a certain set of permissions for files
>> and directories but so far I don't have much success. This is what I'm
>> trying to enforce:
>>
>> create mask = 0770
>> security mask = 0770
>> directory mask = 0770
>> directory security mask = 0770
>> force create mode = 0660
>> force security mode = 0660
>> force directory mode = 0770
>> force directory security mode = 0770
>> force group = publisher
>>
>> Yet when a client creates a directory it ends up with the permissions set
>> to 755 instead. My guess is that the client changes the permissions after
>> the directory is created so I'm wondering how I can prevent that from
>> happening.
>> What I'm trying to accomplish is to make it possible for members of the
>> group "publisher" to always read/write each other's files and enter
>> directories.
>>
>> Regards,
>> Dennis
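
The mask arithmetic discussed in this thread, as an added example that is not part of the original messages and is not Samba's own code: a Python model of how smb.conf(5) describes create-time modes (requested mode ANDed with the mask, then ORed with the force mode) plus the inherit permissions rule quoted above. The function names and sample modes are assumptions made for illustration; it shows which mode the posted settings would yield at creation time, so an observed mode can be compared against it.

```python
# Added illustration: a model of the mode arithmetic described in smb.conf(5),
# not Samba source code. All function and variable names are hypothetical.

S_ISUID = 0o4000   # setuid bit, never propagated by inheritance
RW_BITS = 0o666    # read/write bits for user, group and other
X_BITS = 0o111     # execute bits (driven by map archive/hidden/system)

# Settings taken from the original post.
POSTED = {
    "create mask": 0o770,
    "force create mode": 0o660,
    "directory mask": 0o770,
    "force directory mode": 0o770,
}


def new_mode(requested, is_dir, conf, inherit=False, parent_mode=None):
    """Mode a newly created file or directory gets under this model."""
    if inherit:
        if parent_mode is None:
            raise ValueError("inherit permissions needs the parent's mode")
        if is_dir:
            # Directories take the parent's mode, setgid included, setuid never.
            return parent_mode & ~S_ISUID & 0o7777
        # Files take read/write bits from the parent; execute bits still come
        # from the DOS attribute mapping, passed in here via `requested`.
        return (parent_mode & RW_BITS) | (requested & X_BITS)
    mask = conf["directory mask" if is_dir else "create mask"]
    force = conf["force directory mode" if is_dir else "force create mode"]
    return (requested & mask) | force


def audit(observed, requested, is_dir, conf, **kwargs):
    """Return (expected, matches) for a mode observed on the share."""
    expected = new_mode(requested, is_dir, conf, **kwargs)
    return expected, observed == expected


if __name__ == "__main__":
    # Constructed sample: a directory requested as 0755 and later seen as 0755.
    expected, ok = audit(0o755, 0o755, True, POSTED)
    print(f"expected {expected:04o}, observed 0755, create-time match: {ok}")
    # Same request with inherit permissions under a setgid 2770 parent.
    print(f"{new_mode(0o755, True, POSTED, inherit=True, parent_mode=0o2770):04o}")
```
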