[Samba] samba 3.2.5 + ACLs - read/write permission become read only

TAKAHASHI Motonobu monyo at monyo.com
Mon May 23 10:03:05 MDT 2011


From: Axel Werner <mail at awerner.homeip.net>
Date: Mon, 23 May 2011 12:49:17 +0200

(snip)
> I got a samba shared Directory like this:
> 
> host:/someparentdirs/_AW_TEST# ls -lad .
> d---rws---+ 3 root root 4096 2011-05-23 10:33 .
> host:/someparentdirs/_AW_TEST#
> 
> host:/someparentdirs/_AW_TEST# getfacl .
> # file: .
> # owner: root
> # group: root
> user::---
> group::---
> group:ALL:rwx
> group:CCIGUESTS:rwx
> mask::rwx
> other::---
> default:user::---
> default:group::---
> default:group:ALL:rwx
> default:mask::rwx
> default:other::---
> 
> As you can see, the Groups ALL are granted RWX. ANYTHING ELSE has been set 
> to owner root.root with 000 Permissions.

(snip)

> NOW a given Regular Windows-User "wernera" which is MEMBER OF "ALL" is 
> supposed to have READ-/WRITE PERMISSIONS on those Files, right?? At 
> least I would expect that.
> 
> But Fact is, that in this configuration my user "wernera" can only 
> access these Files "READ ONLY", independent of what Windows Application 
> used. He will be able to create new files and all. But those existing 
> Files became READONLY for some reason.

As far as I examined with Samba 3.5.6, self-compiled on Lenny, with the
ACLs set as follows:

# file: aclshare3/
# owner: root
# group: root
user::---
group::rwx <---- owner group permission
group:aclshare3rw:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:aclshare3rw:rwx
default:mask::rwx
default:other::---

[aclshare3]
  path = /some/where/aclshare3
  writeable = yes

  force group = root
  inherit permissions = yes
; inherit owner = yes

  store dos attributes = yes
  map archive = no
  map read only = no


Actually, the owner group permission works as the "mask" value. When I set:

# setfacl -m m:rwx,g::--- aclshare3/

then no user can access the aclshare3 directory, and when I set:

# setfacl -m m:rwx,g::r-x aclshare3/

then no user can write to the aclshare3 directory.


Anyway, I recommend that root always has rwx on files when you use
POSIX ACLs to control access, like:

1) chown root; chgrp root
2) chmod g+rwx; setfacl -m g::rwx; setfacl -d -m g::rwx
3) set "force group = root"

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>
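
The check below is an added example, not part of the original message or of Samba: it reads `getfacl` output and reports named user/group entries that grant bits the owning-group entry (`group::`) lacks, which is the condition the reply above reports as limiting access through Samba. The function names are hypothetical, and the sample ACL is copied from the first listing in the thread.

```shell
# Added example (not from the thread). Usage: getfacl DIR | acl_group_gaps

# Print the bits set in $1 but missing from $2 (both "rwx"-style strings).
bits_missing() {
    out=""
    case $1 in r*)   case $2 in r*)   ;; *) out="${out}r" ;; esac ;; esac
    case $1 in ?w*)  case $2 in ?w*)  ;; *) out="${out}w" ;; esac ;; esac
    case $1 in ??x*) case $2 in ??x*) ;; *) out="${out}x" ;; esac ;; esac
    printf '%s' "$out"
}

# Returns 0 if no named entry exceeds group::, 1 if any does, 2 if group:: is absent.
acl_group_gaps() {
    owning=""; named=""
    while IFS= read -r line; do
        line=${line%%#*}                 # drop "# file:" headers and "#effective:" notes
        case $line in                    # "default:" entries match nothing and are skipped
            group::*)          owning=${line#group::} ;;
            group:*|user:?*:*) named="$named$line
" ;;
        esac
    done
    [ -n "$owning" ] || { echo "no group:: entry in input" >&2; return 2; }
    rc=0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        gap=$(bits_missing "${entry##*:}" "$owning")
        [ -z "$gap" ] && continue
        echo "${entry%:*} grants $gap beyond group::$owning"
        rc=1
    done <<EOF
$named
EOF
    return $rc
}

# Access entries copied from the first getfacl listing in the thread.
ACL_REPORTED='user::---
group::---
group:ALL:rwx
group:CCIGUESTS:rwx
mask::rwx
other::---'

printf '%s\n' "$ACL_REPORTED" | acl_group_gaps || echo "=> owning group is narrower than the named entries"
```

Only access entries are compared; `default:` entries would need the same check if newly created files are the concern.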

