[Samba] Samba + ACLs: Can’t add group write permissions

Jochen Eggemann Jochen.Eggemann at nw-fva.de
Thu Mar 28 02:52:05 MDT 2013


On 28.03.2013 09:40, Quintus wrote:
> On Tue, 26 Mar 2013 19:38:48 +0100
> steve <steve at steve-ss.com> wrote:
>>> WTF? Where did the write access for the group go?
>> Hi Marvin
> Hi Steve,
>
>> Just a thought but I found out the hard way that when there are acl's
>> set, e.g. in your file called test2, the -rw-r----- bit of the
>> listing bit bears little resemblance to what the actual permissions
>> are. Have you actually checked to see that the file test2 really
>> isn't group writeable? Maybe worth a quick test.
> I just tested it with another user and no, the file is really not
> group-writable. But I found another really mysterious behaviour... This
> time I’ve connected as user "steffi" who is in the "share" group as
> well:
>
> % sudo mount //avalon/share -t cifs -o user=steffi,gid=quintus /mnt
>
> I tried to create a file now as this user:
>
> ----------------------------------------------------
> (1067) [9:28:47 quintus at hades] /mnt
> % ls -ahl
> total 4.0K
> drwxrws---+  2 root    quintus    0 Mar 28 09:28 .
> drwxr-xr-x  20 root    root    4.0K Mar 19 17:32 ..
> -rw-rw----+  1 quintus quintus    0 Mar 26 14:54 test
> -rw-r-----+  1 quintus quintus    0 Mar 26 15:04 test2
> (1068) [9:29:29 quintus at hades] /mnt
> % touch test3
> touch: cannot touch ‘test3’: Permission denied
> (1069) [9:29:34 quintus at hades] /mnt
> % ls -ahl
> total 4.0K
> drwxrws---+  2 root    quintus    0 Mar 28 09:29 .
> drwxr-xr-x  20 root    root    4.0K Mar 19 17:32 ..
> -rw-rw----+  1 quintus quintus    0 Mar 26 14:54 test
> -rw-r-----+  1 quintus quintus    0 Mar 26 15:04 test2
> -rw-r-----+  1    1002 quintus    0 Mar 28 09:29 test3
> ----------------------------------------------------
>
> That is, I get a "permission denied" on the "touch" command, but the
> file is there nevertheless...? How is this possible at all? Even worse,
> I cannot write to the file I just created:
>
> (1070) [9:29:35 quintus at hades] /mnt
> % echo foo > test3
> zsh: permission denied: test3
>
> And no, the file is really empty (I’ve checked it on the server via
> SSH). Writing to the files owned by someone else, but still in the
> "share" group doesn’t work either:
>
> (1071) [9:31:19 quintus at hades] /mnt
> % echo foo > test2
> zsh: permission denied: test2
>
> And again, this file really is empty.
>
> On the server, the permissions are reported like this:
>
> ----------------------------------------------------
> (433) [9:33:34 quintus at avalon] /srv/cifs/share
> % ls -ahl
> insgesamt 8,0K
> drwxrws---+ 2 root    share 4,0K 28. Mär 09:29 .
> drwxr-xr-x  7 root    root  4,0K 26. Mär 14:19 ..
> -rw-rw----+ 1 quintus share    0 26. Mär 14:54 test
> -rw-r-----+ 1 quintus share    0 26. Mär 15:04 test2
> -rw-r-----+ 1 steffi  share    0 28. Mär 09:29 test3
> (434) [9:33:41 quintus at avalon] /srv/cifs/share
> % getfacl test3
> # file: test3
> # owner: steffi
> # group: share
> user::rw-
> group::rwx			#effective:r--
> group:share:rwx			#effective:r--
> mask::r--
> other::---
> ----------------------------------------------------
>
> And I cannot write to the "test3" as user "quintus" on the server, but
> as user "steffi" it works (again, through SSH):
>
> ----------------------------------------------------
> (436) [9:35:32 quintus at avalon] /srv/cifs/share
> % echo foo > test3
> zsh: permission denied: test3
> (437) [9:36:55 quintus at avalon] /srv/cifs/share
> % ls -ahl
> insgesamt 8,0K
> drwxrws---+ 2 root    share 4,0K 28. Mär 09:29 .
> drwxr-xr-x  7 root    root  4,0K 26. Mär 14:19 ..
> -rw-rw----+ 1 quintus share    0 26. Mär 14:54 test
> -rw-r-----+ 1 quintus share    0 26. Mär 15:04 test2
> -rw-r-----+ 1 steffi  share    0 28. Mär 09:29 test3
> (438) [9:36:57 quintus at avalon] /srv/cifs/share
> % sudo su -s /bin/zsh - steffi
> [sudo] password for quintus:
> (1) [9:37:31 steffi at avalon] /
> % cd /srv/cifs/share
> (2) [9:37:35 steffi at avalon] /srv/cifs/share
> % echo foo > test3
> (3) [9:37:38 steffi at avalon] /srv/cifs/share
> % ls -ahl
> insgesamt 12K
> drwxrws---+ 2 root    share 4,0K 28. Mär 09:29 .
> drwxr-xr-x  7 root    root  4,0K 26. Mär 14:19 ..
> -rw-rw----+ 1 quintus share    0 26. Mär 14:54 test
> -rw-r-----+ 1 quintus share    0 26. Mär 15:04 test2
> -rw-r-----+ 1 steffi  share    4 28. Mär 09:37 test3
> (4) [9:37:39 steffi at avalon] /srv/cifs/share
> % cat test3
> foo
> ----------------------------------------------------
>
>> Cheers,
>> Steve
> Any idea?
>
> Vale,
> Marvin
>
>
>
Hi Marvin,

Just an idea:

I remember having an issue with testing permissions on cifs mounted 
filesystems. I was using touch to create files and kept failing. It 
turned out I had to make sure the file size exceeded 0 for the test to 
succeed.

Mind you this was a couple of years ago and is possibly not relevant 
any more.

Greetings, Jochen
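
An added example, not part of the original thread and not written by its participants: it parses the getfacl output for test3 quoted above and computes what each entry can really do once the POSIX ACL mask is applied, plus the mode string ls derives from the same ACL. The function names are made up for this illustration, and only access ACL entries (not default: entries) are handled.

```python
# Added example, not code from the thread. SAMPLE is the getfacl output
# for test3 quoted above; only access ACL entries are handled.
SAMPLE = """\
# file: test3
# owner: steffi
# group: share
user::rw-
group::rwx\t\t\t#effective:r--
group:share:rwx\t\t\t#effective:r--
mask::r--
other::---
"""

def parse_getfacl(text):
    """Return (tag, qualifier, perms) tuples from getfacl text output."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and #effective notes
        if not line or line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":", 2)
        entries.append((tag, qualifier, perms[:3]))
    return entries

def mask_perms(perms, mask):
    """AND two permission strings, e.g. rwx with r-- gives r--."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def effective(entries):
    """Apply the mask to named users, the owning group and named groups.
    The owner (user::) and other:: entries are never limited by the mask."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    result = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        limited = mask is not None and (tag == "group" or (tag == "user" and qualifier))
        result[(tag, qualifier)] = mask_perms(perms, mask) if limited else perms
    return result

def ls_mode(entries):
    """Mode bits as ls prints them: the group triplet is the mask if one exists."""
    perms = {(t, q): p for t, q, p in entries}
    group = perms.get(("mask", ""), perms[("group", "")])
    return perms[("user", "")] + group + perms[("other", "")]

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE)
    print(ls_mode(acl), effective(acl))
```

For the quoted ACL this gives rw-r----- as the ls mode and r-- for both group entries, matching the listing and the #effective annotations in the message: the group field of ls reflects the mask, and group:share:rwx grants no write access while the mask is r--.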

