[Samba] samba 3.2.5 + ACLs - read/write permission become read only
TAKAHASHI Motonobu
monyo at monyo.com
Mon May 23 10:03:05 MDT 2011
From: Axel Werner <mail at awerner.homeip.net>
Date: Mon, 23 May 2011 12:49:17 +0200
(snip)
> I got a samba shared Directory like this:
>
> host:/someparentdirs/_AW_TEST# ls -lad .
> d---rws---+ 3 root root 4096 2011-05-23 10:33 .
> host:/someparentdirs/_AW_TEST#
>
> host:/someparentdirs/_AW_TEST# getfacl .
> # file: .
> # owner: root
> # group: root
> user::---
> group::---
> group:ALL:rwx
> group:CCIGUESTS:rwx
> mask::rwx
> other::---
> default:user::---
> default:group::---
> default:group:ALL:rwx
> default:mask::rwx
> default:other::---
>
> As you can see, the Groups ALL are granted RWX. ANYTHING ELSE has been set
> to owner root.root with 000 Permissions.
(snip)
> NOW a given Regular Windows-User "wernera" which is a MEMBER OF "ALL" is
> supposed to have READ-/WRITE PERMISSIONS on those Files, right?? At
> least I would expect that.
>
> But Fact is, that in this configuration my user "wernera" can only
> access these Files "READ ONLY", independent of what Windows Application
> is used. He will be able to create new files and all. But those existing
> Files became READONLY for some reason.

As far as I examined with Samba 3.5.6, self-compiled on Lenny, and ACLs
were set:

# file: aclshare3/
# owner: root
# group: root
user::---
group::rwx <---- owner group permission
group:aclshare3rw:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:aclshare3rw:rwx
default:mask::rwx
default:other::---

[aclshare3]
path = /some/where/aclshare3
writeable = yes
force group = root
inherit permissions = yes
; inherit owner = yes
store dos attributes = yes
map archive = no
map read only = no

Actually the owner group permission works as a "mask" value. When I set:

# setfacl -m m:rwx,g::--- aclshare3/

then no user can access the aclshare3 directory, and when I set:

# setfacl -m m:rwx,g::r-x aclshare3/

then no user can write to the aclshare3 directory.

Anyway, I recommend that root always have rwx on files when you use
POSIX ACLs to control access, like:

1) chown root; chgrp root
2) chmod g+rwx; setfacl -m g::rwx; setfacl -d -m g::rwx
3) set "force group = root"
---
TAKAHASHI Motonobu <monyo at samba.gr.jp>
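
An added example, not part of the original message or of Samba itself: a small audit that reads getfacl output and lists named-group entries granted more than the owning-group entry (group::), the condition the reply above reports as limiting access on a share with "force group". The function names and the sample ACL are constructed for illustration, and treating group:: as a second mask is an assumption taken from the behaviour reported in this thread.

```python
PERMS = "rwx"

# Constructed sample: the aclshare3 ACL after `setfacl -m m:rwx,g::r-x aclshare3/`.
SAMPLE = """\
# file: aclshare3/
user::---
group::r-x
group:aclshare3rw:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:aclshare3rw:rwx
default:mask::rwx
default:other::---
"""

def parse_getfacl(text):
    """Parse getfacl text into {"access": {...}, "default": {...}} keyed by (tag, qualifier)."""
    acl = {"access": {}, "default": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops header comments and "#effective:" notes
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        acl[scope][(tag, qualifier)] = {p for p in perms if p in PERMS}
    return acl

def capped_entries(text):
    """Return {scope: {group: lost_perms}} for named groups granted more than group::.

    Assumption (behaviour reported in this thread, not kernel ACL semantics):
    with "force group", the owning-group entry acts like a second mask.
    """
    findings = {}
    for scope, entries in parse_getfacl(text).items():
        owning = entries.get(("group", ""), set())
        mask = entries.get(("mask", ""), set(PERMS))
        for (tag, name), perms in entries.items():
            if tag == "group" and name:
                lost = (perms & mask) - owning
                if lost:
                    findings.setdefault(scope, {})[name] = "".join(p for p in PERMS if p in lost)
    return findings
```

Feed it the output of getfacl for each shared directory; an empty result means no named group is granted more than the owning group in either the access or the default ACL.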