[Samba] Permission masks

John samba at jelmail.com
Thu Feb 26 06:36:52 MST 2015


I've gotten to the bottom of the misleading permissions.

From "man acl":

> If the ACL has an ACL_MASK entry, the group permissions correspond to
> the permissions of the ACL_MASK entry.

So, when you do "ls -l" on a file with an ACL containing a mask entry,
what you see is the "owner, MASK, other" permissions and not "owner,
GROUP, other" as you would expect.

See also http://unix.stackexchange.com/questions/147499 for a discussion
of this topic.


Now, in the world of Samba/Windows.... If I create a new directory (e.g.
mkdir /srv/samba-demo) it gets 755 permissions in accordance with my
umask. This is reflected by ls:

$ mkdir /srv/samba-demo
$ ls -ld /srv/samba-demo
drwxr-xr-x 2 root root 4096 Feb 26 13:11 /srv/samba-demo

There is no ACL:

$ getfacl -cp /srv/samba-demo
user::rwx
group::r-x
other::r-x

Everything is as one would expect.

I share it with an entry in smb.conf, as per
https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs#Adding_a_new_share

[demo]
        path = /srv/samba-demo
        read only = no

I create a file in the directory; it gets 644 permissions:

$ touch /srv/samba-demo/foo.txt
$ ls -l /srv/samba-demo/foo.txt
-rw-r--r-- 1 root root 0 Feb 26 13:21 /srv/samba-demo/foo.txt
$ getfacl -cp /srv/samba-demo/foo.txt
user::rw-
group::r--
other::r--

All as one would expect. However, create a file on the share from
Windows and it's given an ACL mask and 744 permissions (I also wonder
why this isn't 644).

$ getfacl -cp /srv/samba-demo/bar.txt
user::rwx
group::r--
group:users:r--
group:3000000:rwx
mask::rwx
other::r--

which gives the misleading output in "ls" due to the mask.

$ ls -l /srv/samba-demo/bar.txt
-rwxrwxr--+ 1 3000000 users 0 Feb 26 13:25 /srv/samba-demo/bar.txt

Changing the directory permissions via Windows (properties->security)
generates an ACL mask in the same way.

So, that's what's going on. I have to admit to not having used acl on
the Linux side very much. I learnt something today. Perhaps this info is
of use to others.
QED.
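
Added example, not part of the original post: a small Python sketch that takes `getfacl -cp` output, rebuilds the permission string `ls -l` prints (owner, mask, other), and lists the effective rights of each entry the mask covers. This makes the gap between the displayed group bits and the owning group's real access visible when auditing a share. The function names are hypothetical and the sample input is the bar.txt ACL from the post.

```python
# Added example: reproduce what `ls -l` shows from `getfacl -cp` output.
# Constructed sample input: the ACL of bar.txt as listed in the post.
BAR_ACL = """\
user::rwx
group::r--
group:users:r--
group:3000000:rwx
mask::rwx
other::r--
"""

def parse_acl(text):
    """Parse getfacl short-form lines into (tag, qualifier, perms) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and "#effective:" notes
        if not line or line.startswith("default:"):
            continue  # default (inherited) entries do not affect this object
        tag, qualifier, perms = line.split(":", 2)
        entries.append((tag, qualifier, perms[:3]))
    return entries

def ls_mode(entries):
    """Nine permission characters as ls -l prints them, plus '+' for an extended ACL."""
    p = {(t, q): perms for t, q, perms in entries}
    has_mask = ("mask", "") in p
    middle = p[("mask", "")] if has_mask else p[("group", "")]
    extended = has_mask or any(q for _, q, _ in entries)
    return p[("user", "")] + middle + p[("other", "")] + ("+" if extended else "")

def effective(perms, mask):
    """An entry's rights after the mask is applied (bitwise AND on rwx)."""
    return "".join(c if m != "-" else "-" for c, m in zip(perms, mask))

def group_class(entries):
    """Effective rights of each entry the mask covers: named users and all groups."""
    p = {(t, q): perms for t, q, perms in entries}
    mask = p.get(("mask", ""), "rwx")
    return {f"{t}:{q}": effective(perms, mask)
            for t, q, perms in entries
            if t == "group" or (t == "user" and q)}

if __name__ == "__main__":
    acl = parse_acl(BAR_ACL)
    print("ls -l shows :", ls_mode(acl))
    for who, perms in group_class(acl).items():
        print(f"{who:<16}", perms)
```

For bar.txt the middle triplet comes out as rwx (the mask) while the owning group entry `group::` is still r--; only `group:3000000` actually holds rwx.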