[Samba] Samba Xattr and Execute Bit always set.

Prunk Dump prunkdump at gmail.com
Sat Jan 25 02:12:19 MST 2014


2014/1/24 steve <steve at steve-ss.com>:
> On Thu, 2014-01-23 at 13:11 +0100, Prunk Dump wrote:
>> Thank you very much for your help !
>>
>> >> Repeat: the x bit is NOT set. Gnome is looking at it with the same eyes
>> >> as you before you began this thread
>>
>> Ok, so I need to understand this cifs viewpoint.
>>
>> [On the server]
>>
>> My network share is stored on an ext4 file system that supports POSIX.1
>> permissions, ACL and xattr. So if the server accesses the share directly
>> _without a cifs mount_ the "rwx" bits have the classic UNIX sense,
>> right ?
>>
>> On the server if I log in as a samba4 user, winbind gives me a uid,gid
>> and the "read" and "write" permissions seem to work well without
>> passing through a cifs mount. Other teachers can't modify my files. It
>> seems that a DOS<->UNIX mapping is not needed.
>>
>> But in this case the POSIX.1 and ACL execute bit make the files
>> executable from the shell. So the files created from a windows client
>> are executable if I log in directly on the server.
>>
>> [On a windows client]
>>
>> When you say :
>>
>> >> Repeat: the x bit is NOT set.
>>
>> You mean that on the windows client the permission to execute the file
>> is not set, right ? In the windows security tab you mean ?
>>
>> [On the linux client]
>>
>> When I mount the cifs share from a linux client I see exactly the same
>> permissions with getfacl as when I access the file system directly.
>> It is like an NFS share ! So Bash treats the ACL like classic Unix
>> permissions and all the files are executable from the shell. I can
>> execute a bash script created from windows.
>>
>> I have seen that it is possible to share a samba4 cifs share with
>> NFS4. It seems the problem I have is exactly the same as keeping the
>> compatibility between cifs and NFS4 on a same share.
>>
> Yep. No problem. But remember that you must not re-export the cifs
> share. You must export the raw share from the same filesystem on the
> same server. Also remember that if you share cifs and nfs4 on the same
> network you are going to have big file locking problems. cifs is
> actually faster these days than nfs so for us it was no problem. cifs
> for both windows and Linux clients.
>>
>> > Unfortunately, Nautilus (from what I recall) doesn’t handle POSIX ACLs correctly. In KDE, we finally got kio_file (the backend to Dolphin and Konqueror in file manager mode) to treat this correctly.
>> >
>>
>> Bash can execute the file on the share. It is not only a Gnome problem.
>>
>> Thanks ! Baptiste.
>
> Hi. Yes. The file is executable in bash. It is impossible to map
> posix/xattr <--> ntacl _exactly_. But what you have found is about as
> bad as it gets. It's not usually a problem though. How often do you
> develop bash scripts on a windows client? If you can't live with that,
> then the only way forward is to give each teacher their own share. But
> really in the end, most of the files you create anywhere on any share
> would be meaningless if you attempted to run them. I'm thinking of
> trying to execute e.g. a school report: sh school-report isn't going to
> get you very far!
> HTH
> Steve


Thank you for your explanations ! This is very instructive !

You're right, the execute bit is just for convenience there. In all
cases it is possible to launch executables on UNIX with only the read
permission.

> Hi. Yes. The file is executable in bash. It is impossible to map
> posix/xattr <--> ntacl _exactly_.

Here comes my last question...

If, from the linux cifs client or directly on the server, I remove the
user UNIX acl executable bit with fsetacl, the files are not executable
anymore from all the UNIX clients through cifs. And when I mount the
share from windows, I can't find any change in the file
permissions/modes.

So what is the usage of the unixACL x bit on the samba's posix/xattr
<--> ntacl mapping ?

And if it is not used, why can't I force samba to disable this x bit
on new files to obtain perfect UNIX compatibility ?

Thanks,

Baptiste.
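
Added example, not part of the original message or of Samba: a small audit script for the situation discussed in this thread, listing regular files under a share's backing directory that carry an execute bit although their content is neither an ELF binary nor a `#!` script. The function names and the sample tree are assumptions constructed for the illustration.

```python
import os
import stat
import tempfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def classify(path):
    """Return 'elf', 'script', 'data' or 'unreadable' from the first bytes."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return "unreadable"
    if head == b"\x7fELF":
        return "elf"
    if head[:2] == b"#!":
        return "script"
    return "data"

def spurious_exec(root):
    """List files under root that carry an execute bit but are plain data."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            # With POSIX ACLs the group bits of st_mode hold the ACL mask,
            # so an x granted to a named user shows up here as well.
            if st.st_mode & EXEC_BITS and classify(path) == "data":
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def demo():
    """Build a constructed sample tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample files: name -> (content, mode)
            "school-report.doc": (b"Term report\n", 0o775),
            "backup.sh": (b"#!/bin/sh\necho ok\n", 0o775),
            "notes.txt": (b"plain notes\n", 0o664),
        }
        for name, (content, mode) in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(content)
            os.chmod(path, mode)
        return spurious_exec(root)

if __name__ == "__main__":
    print(demo())
```

Run `spurious_exec()` against the directory that backs the share on the server, not against a cifs mount, so the modes reported are the ones stored on the file system.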

