[Samba] Posix vs. Windows File/Directory Permissions

Klaus Hartnegg hartnegg at uni-freiburg.de
Fri May 15 16:06:38 MDT 2015

Am 15.05.2015 um 16:30 schrieb Reindl Harald:
> the real problem in that thread is that the ordinary chmod/chown
> permissions are called repeatedly "acls" which is not wrong by the
> definition of "access control list" but mixing that with "windows ACLs"
> and "posix ACLs" where on the FS layer we just have ACLs set with
> "setfacl" it leads to total confusion and nobody knows what people are
> talking about

Let's use the term access rights for a moment, to make sure that these 
points are absolutely clear:

If the files on the server are mainly accessed through Samba, then it is 
usually better to use Windows to set all access rights. Samba will in 
this case adjust the Linux access rights such that they match the 
Windows access rights as closely as possible. In this case you do not 
need to care about Linux acls, just make sure that the file system 
supports them (and user-attrs), because Samba needs them.

If access rights have been set from Windows, you should never try to use 
Linux to set different access rights for Linux users. Every modification 
done from Linux will erase the access rights that were set for this file 
or directory from Windows, even flipping just one bit, even changing the 

Alternatively you can set all access rights in Linux. In this case you 
should use the Samba option to disable the permissions tab in Windows 
explorer. And you should learn Linux acls, because they are much more 
flexible than the old chmod bits for user-group-all. Linux uses acls in 
addition to the old permissions bits.

The most irritating aspect of Linux-acls is that the bits shown by the 
"ls"-command for the group are replaced by the ones for acl-mask. This 
mask is a filter for all acl-rights. The group bits are still there, and 
in action, but "ls" cannot see them, and "chmod" cannot access them. The 
reason for this construct is that historically the usual method to 
temporarily lock everybody out of a directory is to clear the group 
bits. Redirecting group bit access to the acl-mask ensures that also all 
people are locked out who got access through an acl. Restoring the 
acl-mask also reactivates all acl-rights.

Disturbing is the fact that one cannot simply do everything with 
Linux-acls, because there are always also the access rights of the 
owner. They are honoured before checking the acls. I do not know what to 
do if a user switches to a different team, and should lose the access 
rights to the old files. Windows does also know the concept of owner, 
and special permissions for that user, but such permissions are usually 
not set, and need not be set.

hope this helps,
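
Added example, not part of the original message: a small Python model of the POSIX ACL access check as documented in acl(5), showing the mask and owner behaviour discussed above. The class, the function names and the sample users and groups are made up for illustration.

```python
# Simplified model of the POSIX ACL access check (acl(5)); illustration only.
# Acl, check, ls_mode, chmod_group and sample are hypothetical names.
from dataclasses import dataclass, field

R, W, X = 4, 2, 1

@dataclass
class Acl:
    owner: str
    group: str
    user_obj: int    # user::   owner bits, never filtered by the mask
    group_obj: int   # group::  owning-group bits, filtered by the mask
    other: int       # other::
    mask: int        # mask::   upper bound for group:: and all named entries
    users: dict = field(default_factory=dict)    # user:NAME: entries
    groups: dict = field(default_factory=dict)   # group:NAME: entries

def check(acl, user, user_groups, want):
    """True if `user`, a member of `user_groups`, is granted every bit in `want`."""
    if user == acl.owner:                 # the owner entry decides first
        return (acl.user_obj & want) == want
    if user in acl.users:                 # named user entry, masked
        return (acl.users[user] & acl.mask & want) == want
    matched = [acl.group_obj] if acl.group in user_groups else []
    matched += [p for g, p in acl.groups.items() if g in user_groups]
    if matched:                           # any matching group entry may grant
        return any((p & acl.mask & want) == want for p in matched)
    return (acl.other & want) == want

def ls_mode(acl):
    """Mode string the way ls prints it: the middle triplet is the mask."""
    def triplet(bits):
        return "".join(c if bits & b else "-" for c, b in zip("rwx", (R, W, X)))
    return triplet(acl.user_obj) + triplet(acl.mask) + triplet(acl.other) + "+"

def chmod_group(acl, bits):
    """chmod g=... on an object that has an ACL rewrites mask::, not group::."""
    acl.mask = bits

def sample():
    """Constructed ACL: user::rwx group::r-x other::--- mask::rwx plus named entries."""
    return Acl(owner="alice", group="staff", user_obj=R | W | X, group_obj=R | X,
               other=0, mask=R | W | X, users={"bob": R | W}, groups={"proj": R | W | X})

if __name__ == "__main__":
    acl = sample()
    print(ls_mode(acl), check(acl, "bob", {"users"}, R))   # group:: is r-x, ls shows rwx
    chmod_group(acl, 0)                                    # like chmod g= on the directory
    print(ls_mode(acl), check(acl, "bob", {"users"}, R), check(acl, "alice", set(), R))
```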
