[Samba] security mask for extended ACL permissions / change of create mode for Samba

Németh Ákos Ferenc nemethakos at f-labor.mkt.bme.hu
Sun May 6 15:59:08 MDT 2012


Dear All,

I manage a Debian Squeeze GNU/Linux (with kernel 2.6.32-5-686 #1 SMP) 
with Samba 3.5.6 (samba 2:3.5.6~dfsg-3squeeze8 package is installed).

I have a "test" directory with native Linux ACL permissions. getfacl 
test's output:

# file: test
# owner: akos
# group: grp
# flags: -s-
user::rwx
group::rwx
group:read:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:read:r-x
default:mask::rwx
default:other::---

If I create a new file (called linfile) under this directory, its 
permissions are the following: (as I expected)

# file: linfile
# owner: akos
# group: grp
user::rw-
group::rwx                      #effective:rw-
group:read:r-x                  #effective:r--
mask::rw-
other::---

If I create a new file (called winfile) under this directory via Samba 
(from another Linux machine or from another Windows machine), its 
permissions are the following: (as I didn't expect)

# file: winfile
# owner: akos
# group: grp
user::rw-
group::rw-
group:read:r-x
mask::rwx
other::---

My problem concerns the read group's (extended ACL) permissions or, 
better said, the mask of the extended ACL permissions. In other words, 
the extended execute bit of the file disturbs me.

The legacy owner group's permissions are correct because of the security 
mask of smb.conf, but I couldn't find a security mask which is valid for 
the extended permissions. As I read about it on the net, the base of the 
problem is that Linux's touch command and the Samba file creation routine 
use different mode(?)/umask(?) to create a new file. How can I change them?

I read the archive and the whole of Google, but I couldn't find a way to 
solve this problem, although somebody else also wrote about this issue. 
:-) Please help me, and please forgive me if I only misconfigured my 
system. :-)

The relevant part of the smb.conf:

[file-server]
     comment = File Server
     path = ***somewhere in the world - because of security reason***
     browsable = yes
     read only = no
     guest ok = no
#    create mask = 0660
#    directory mask = 0770
     security mask = 0666
     directory security mask = 7777
     inherit permissions = yes
     map archive = no
     map hidden = no
     map system = no

AFAIK create mask and directory mask are irrelevant in case of 
inheritance of permissions - that's why they are uncommented.

Thanks in advance for any help.

Best regards,
Ákos
-- 
NÉMETH, Ákos

e-mail: nemethakos at f-labor.mkt.bme.hu
web:    http://f-labor.mkt.bme.hu/~akos
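
Added example, not part of the original post: a Python sketch of the acl(5) rule for creating a file under a directory with a default ACL, plus a check that lists entries whose effective permissions include execute. The helper names are hypothetical, and the create mode 0666 (what touch passes) is an assumption applied to the listings quoted above.

```python
# Constructed sample input: ACL listings copied from the post above.
TEST_DIR_DEFAULT = """default:user::rwx
default:group::rwx
default:group:read:r-x
default:mask::rwx
default:other::---"""
WINFILE = """user::rw-
group::rw-
group:read:r-x
mask::rwx
other::---"""

def bits(s):  # 'r-x' -> 5
    return sum(v for c, v in zip(s, (4, 2, 1)) if c != "-")

def text(n):  # 5 -> 'r-x'
    return "".join(c if n & v else "-" for c, v in zip("rwx", (4, 2, 1)))

def parse(listing, default=False):
    """Return {(tag, qualifier): bits} for access or default entries."""
    acl = {}
    for line in listing.splitlines():
        line = line.split("#")[0].strip()  # drop getfacl comments
        if not line or line.startswith("default:") != default:
            continue
        tag, qual, perm = line.split(":")[-3:]
        acl[(tag, qual)] = bits(perm)
    return acl

def inherit(default_acl, mode):
    """New file's access ACL per acl(5): copy the default ACL, then AND
    owner, mask (or owning group if no mask) and other with the create mode."""
    acl = dict(default_acl)
    acl[("user", "")] &= (mode >> 6) & 7
    key = ("mask", "") if ("mask", "") in acl else ("group", "")
    acl[key] &= (mode >> 3) & 7
    acl[("other", "")] &= mode & 7
    return acl

def effective(acl):
    """Owning group, named users and named groups are limited by the mask."""
    mask = acl.get(("mask", ""), 7)
    return {(t, q): text(p & mask if t == "group" or (t == "user" and q) else p)
            for (t, q), p in acl.items()}

def exec_entries(acl):
    """Entries (mask itself excluded) whose effective permissions include x."""
    return sorted(f"{t}:{q}" for (t, q), p in effective(acl).items()
                  if t != "mask" and "x" in p)
```

With mode 0666 the inherited result reproduces the linfile listing (mask rw-, group:read effective r--), while the winfile listing is reported with group:read still holding an effective execute bit.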

