[Samba] security mask for extended ACL permissions / change of create mode for Samba
Németh Ákos Ferenc
nemethakos at f-labor.mkt.bme.hu
Sun May 6 15:59:08 MDT 2012
Dear All,
I manage a Debian Squeeze GNU/Linux (with kernel 2.6.32-5-686 #1 SMP)
with Samba 3.5.6 (samba 2:3.5.6~dfsg-3squeeze8 package is installed).
I have a "test" directory with native Linux ACL permissions. getfacl
test's output:
# file: test
# owner: akos
# group: grp
# flags: -s-
user::rwx
group::rwx
group:read:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:read:r-x
default:mask::rwx
default:other::---
If I create a new file (called linfile) under this directory, its
permissions are the following: (as I expected)
# file: linfile
# owner: akos
# group: grp
user::rw-
group::rwx #effective:rw-
group:read:r-x #effective:r--
mask::rw-
other::---
If I create a new file (called winfile) under this directory via Samba
(from another Linux machine or from another Windows machine), its
permissions are the following: (as I didn't expect)
# file: winfile
# owner: akos
# group: grp
user::rw-
group::rw-
group:read:r-x
mask::rwx
other::---
My problem is regarding to the read group's (extended ACL) permissions
or better saying regarding to the mask of extended ACL permissions. With
other worlds the extended execute bit of the file disturb me.
The legacy owner group's permissions are correct because of the security
mask of smb.conf, but I couldn't find a security mask which is valid for
the extended permissions. As I read about it on the net, the base of the
problem is that Linux's touch command and the samba file creation rutine
use different mode(?)/umask(?) to create a new file. How can I change them?
I read the archive and the whole Google but I couldn't find a way how to
solve this problem however sombody elses also wrote about this issue.
:-) Please help me and please forgive me if I only missconfigured my
system. :-)
The relevant part of the smb.conf:
[file-server]
comment = File Server
path = ***somewhere in the world - because of security reason***
browsable = yes
read only = no
guest ok = no
# create mask = 0660
# directory mask = 0770
security mask = 0666
directory security mask = 7777
inherit permissions = yes
map archive = no
map hidden = no
map system = no
AFAIK create mask and directory mask are irrelevant in case of
inheritance of permissions - that's why they are uncommented.
Thanx in advance for any help.
Best regards,
Ákos
--
NÉMETH, Ákos
e-mail: nemethakos at f-labor.mkt.bme.hu
web: http://f-labor.mkt.bme.hu/~akos
More information about the samba
mailing list