[Samba] Samba Xattr and Execute Bit always set.

steve steve at steve-ss.com
Fri Jan 24 05:46:11 MST 2014

On Thu, 2014-01-23 at 13:11 +0100, Prunk Dump wrote:
> Thank you very much for your help !
> >> Repeat: the x bit is NOT set. Gnome is looking at it with the same eyes
> >> as you before you began this thread
> Ok, so I need to understand this cifs viewpoint.
> [On the server]
> My network share is stored on an ext4 file system that supports POSIX.1
> permissions, ACL and xattr. So if the server accesses the share directly
> _without a cifs mount_ the "rwx" bits have the classic UNIX sense,
> right ?
> On the server if I log in as a samba4 user, winbind gives me a uid,gid
> and the "read" and "write" permissions seem to work well without
> passing through a cifs mount. Other teachers can't modify my files. It
> seems that a DOS<->UNIX mapping is not needed.
> But in this case the POSIX.1 and ACL execute bit make the files
> executable from the shell. So the files created from a windows client
> are executable if I log directly on the server.
> [On a windows client]
> When you say :
> >> Repeat: the x bit is NOT set.
> You mean that on the windows client the permission to execute the file
> is not set, right ? In the windows security tab you mean ?
> [On the linux client]
> When I mount the cifs share from a linux client I see exactly the same
> permissions with getfacl as when I access the file system directly.
> It is like an NFS share ! So Bash treats the ACL like classic Unix
> permissions and all the files are executable from the shell. I can
> execute a bash script created from windows.
> I have seen that it is possible to share a samba4 cifs share with
> NFS4. It seems the problem I have is exactly the same as keeping the
> compatibility between cifs and NFS4 on a same share.
Yep. No problem. But remember that you must not re-export the cifs
share. You must export the raw share from the same filesystem on the
same server. Also remember that if you share cifs and nfs4 on the same
network you are going to have big file locking problems. cifs is
actually faster these days than nfs so for us it was no problem. cifs
for both windows and Linux clients.
> > Unfortunately, Nautilus (from what I recall) doesn’t handle POSIX ACLs correctly. In KDE, we finally got kio_file (the backend to Dolphin and Konqueror in file manager mode) to treat this correctly.
> >
> Bash can execute the file on the share. It is not only a Gnome problem.
> Thanks ! Baptiste.

Hi. Yes. The file is executable in bash. It is impossible to map
posix/xattr <--> ntacl _exactly_. But what you have found is about as
bad as it gets. It's not usually a problem though. How often do you
develop bash scripts on a windows client? If you can't live with that,
then the only way forward is to give each teacher their own share. But
really in the end, most of the files you create anywhere on any share
would be meaningless if you attempted to run them. I'm thinking of
trying to execute e.g. a school report: sh school-report isn't going to
get you very far!
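
An added example, not part of the original thread: a report-only audit of a share's backing directory that lists regular files carrying any execute bit and sorts them by what their first bytes say they are, so the documents that merely inherited the bit can be told apart from real scripts and binaries. The function names and the three-way classification are assumptions made for illustration; it inspects mode bits and file headers only and changes nothing.

```python
import os
import stat
import sys

ELF_MAGIC = b"\x7fELF"
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def classify(path):
    """Return 'elf', 'script' or 'data', judged by the first bytes of the file."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head == ELF_MAGIC:
        return "elf"
    if head[:2] == b"#!":
        return "script"
    # No loader header. Note that bash still tries to interpret such a file
    # as shell commands when it is invoked by path, so 'data' is not 'inert'.
    return "data"


def audit_exec_bits(root):
    """Return [(path, mode_string, kind)] for regular files with any x bit set."""
    results = []
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()  # deterministic traversal order
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the share
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & ANY_EXEC:
                results.append((path, stat.filemode(st.st_mode), classify(path)))
    return results


if __name__ == "__main__":
    # Usage: python audit_exec.py /path/to/share/backing/directory
    for path, mode, kind in audit_exec_bits(sys.argv[1]):
        print(f"{mode}  {kind:<6}  {path}")
```

On a file with a POSIX ACL the group triplet shown in the mode string is the ACL mask, so `getfacl` on a reported path is the follow-up for seeing which named entries actually carry the execute permission.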

