[Samba] security mask for extended ACL permissions / change of create mode for Samba

Nicolas Ecarnot nicolas at ecarnot.net
Sun May 6 16:51:09 MDT 2012


On 06/05/2012 23:59, Németh Ákos Ferenc wrote:
> Dear All,
>
> I manage a Debian Squeeze GNU/Linux (with kernel 2.6.32-5-686 #1 SMP)
> with Samba 3.5.6 (samba 2:3.5.6~dfsg-3squeeze8 package is installed).
>
> I have a "test" directory with native Linux ACL permissions. getfacl
> test's output:
>
> # file: test
> # owner: akos
> # group: grp
> # flags: -s-
> user::rwx
> group::rwx
> group:read:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:group::rwx
> default:group:read:r-x
> default:mask::rwx
> default:other::---
>
> If I create a new file (called linfile) under this directory, its
> permissions are the following: (as I expected)
>
> # file: linfile
> # owner: akos
> # group: grp
> user::rw-
> group::rwx #effective:rw-
> group:read:r-x #effective:r--
> mask::rw-
> other::---
>
> If I create a new file (called winfile) under this directory via Samba
> (from another Linux machine or from another Windows machine), its
> permissions are the following: (as I didn't expect)
>
> # file: winfile
> # owner: akos
> # group: grp
> user::rw-
> group::rw-
> group:read:r-x
> mask::rwx
> other::---
>
> My problem concerns the read group's (extended ACL) permissions, or
> better said, the mask of the extended ACL permissions. In other
> words, the extended execute bit of the file disturbs me.
>
> The legacy owner group's permissions are correct because of the security
> mask of smb.conf, but I couldn't find a security mask which is valid for
> the extended permissions. As I read about it on the net, the base of the
> problem is that Linux's touch command and the samba file creation routine
> use different mode(?)/umask(?) to create a new file. How can I change them?
>
> I read the archive and the whole of Google but I couldn't find a way to
> solve this problem, although somebody else also wrote about this issue.
> :-) Please help me and please forgive me if I only misconfigured my
> system. :-)
>
> The relevant part of the smb.conf:
>
> [file-server]
> comment = File Server
> path = ***somewhere in the world - because of security reason***
> browsable = yes
> read only = no
> guest ok = no
> # create mask = 0660
> # directory mask = 0770
> security mask = 0666
> directory security mask = 7777
> inherit permissions = yes
> map archive = no
> map hidden = no
> map system = no
>
> AFAIK create mask and directory mask are irrelevant in case of
> inheritance of permissions - that's why they are uncommented.
>
> Thanks in advance for any help.
>
> Best regards,
> Ákos

Three days ago, I discovered the exact same issue.
I have plenty of previous samba 3.0.something servers on RHEL 5.6
running fine with ACLs, and they behave as expected by me and by Ákos.
But on a recent install on Ubuntu oneiric and samba 3.5..., I had to add
the create and directory modes for them to respect the previous behaviour.

I took the time to check the diffs of 'testparm -v' (please
note the -v) between RHEL/smb3.0 and Ubuntu/smb3.5 but clearly saw NO
difference.

So for the time being, my workaround is the use of create and dir modes,
but I'd be glad to be enlightened on that situation.

-- 
Nicolas Ecarnot
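
An added example, not part of the original thread: the two getfacl listings from the question, run through a small parser that applies the ACL mask to the group and named entries. It shows that group:read keeps an effective execute bit on winfile (mask::rwx) but not on linfile (mask::rw-). The ACL text is copied from the post with the owner/group header lines trimmed; the function names are hypothetical.

```python
# Added example (not from the thread): effective POSIX ACL rights per entry.
# ACL text is copied from the post; function names are hypothetical.
LINFILE = """\
# file: linfile
user::rw-
group::rwx #effective:rw-
group:read:r-x #effective:r--
mask::rw-
other::---
"""
WINFILE = """\
# file: winfile
user::rw-
group::rw-
group:read:r-x
mask::rwx
other::---
"""

def parse_acl(text):
    """Return (tag, qualifier, perms) tuples for the access ACL entries."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and #effective notes
        if not line or line.startswith("default:"):
            continue  # default: entries only matter on directories
        entries.append(tuple(line.split(":")))
    return entries

def effective(entries):
    """Apply the mask to the entries it governs: named users and all groups."""
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    result = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        if tag == "group" or (tag == "user" and qualifier):
            perms = "".join(c if c == m else "-" for c, m in zip(perms, mask))
        result[f"{tag}:{qualifier}"] = perms
    return result

def exec_grants(text):
    """Entries that still carry an execute bit after masking."""
    return sorted(k for k, p in effective(parse_acl(text)).items() if "x" in p)

if __name__ == "__main__":
    for name, acl in (("linfile", LINFILE), ("winfile", WINFILE)):
        print(name, effective(parse_acl(acl)), "exec:", exec_grants(acl))
```

Feeding it the output of getfacl for files created through the share makes it easy to spot regular files where a named entry is executable only because the mask was left at rwx.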

