[Samba] Posix vs. Windows File/Directory Permissions

Mike 1100100 at gmail.com
Sat May 16 05:40:11 MDT 2015


Klaus, thanks for the guidance and taking the time to clarify all these
points.


On Fri, May 15, 2015 at 6:06 PM, Klaus Hartnegg <hartnegg at uni-freiburg.de>
wrote:

> On 15.05.2015 at 16:30, Reindl Harald wrote:
>
>> the real problem in that thread is that the ordinary chmod/chown
>> permissions are called repeatedly "acls" which is not wrong by the
>> definition of "access control list" but mixing that with "windows ACLs"
>> and "posix ACLs" where on the FS layer we just have ACLs set with
>> "setfacl" it leads to total confusion and nobody knows what people are
>> talking about
>>
>
> Let's use the term access rights for a moment, to make sure that these
> points are absolutely clear:
>
> If the files on the server are mainly accessed through Samba, then it is
> usually better to use Windows to set all access rights. Samba will in this
> case adjust the Linux access rights such that they match the Windows access
> rights as closely as possible. In this case you do not need to care about
> Linux acls, just make sure that the file system supports them (and
> user-attrs), because Samba needs them.
>
> If access rights have been set from Windows, you should never try to use
> Linux to set different access rights for Linux users. Every modification
> done from Linux will erase the access rights that were set for this file or
> directory from Windows, even flipping just one bit, even changing the owner.
>
> Alternatively you can set all access rights in Linux. In this case you
> should use the samba option to disable the permissions tab in windows
> explorer. And you should learn Linux acls, because they are much more
> flexible than the old chmod bits for user-group-all. Linux uses acls in
> addition to the old permissions bits.
>
> The most irritating aspect of Linux-acls is that the bits shown by the
> "ls"-command for the group are replaced by the ones for acl-mask. This mask
> is a filter for all acl-rights. The group bits are still there, and in
> action, but "ls" cannot see them, and "chmod" cannot access them. The
> reason for this construct is that historically the usual method to
> temporarily lock everybody out of a directory is to clear the group bits.
> Redirecting group bit access to the acl-mask ensures that also all people
> are locked out who got access through an acl. Restoring the acl-mask also
> reactivates all acl-rights.
>
> Disturbing is the fact that one cannot simply do everything with
> Linux-acls, because there are always also the access rights of the owner.
> They are honoured before checking the acls. I do not know what to do if a
> user switches to a different team, and should lose the access rights to
> the old files. Windows does also know the concept of owner, and special
> permissions for that user, but such permissions are usually not set, and
> need not be set.
>
> hope this helps,
> Klaus


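The mask and owner behaviour described in the quoted message, as an added example that is not part of the original thread: a simplified Python model of the POSIX ACL access check documented in acl(5). The `Acl` class, its method names and the alice/bob/carol sample are constructed for illustration; the trailing "+" that `ls` prints for files with ACLs is omitted.

```python
# Added example: simplified model of the POSIX ACL access check (see acl(5)).
R, W, X = 4, 2, 1

def _rwx(b):
    return ("r" if b & R else "-") + ("w" if b & W else "-") + ("x" if b & X else "-")

class Acl:
    def __init__(self, owner, group, user_obj, group_obj, other,
                 users=None, groups=None, mask=None):
        self.owner, self.group = owner, group
        self.user_obj, self.group_obj, self.other = user_obj, group_obj, other
        self.users, self.groups = users or {}, groups or {}
        self.mask = mask                      # None means no extended ACL entries

    def ls_mode(self):
        # With a mask present, the middle triplet shown by ls is the mask,
        # not the owning-group entry.
        mid = self.group_obj if self.mask is None else self.mask
        return "".join(_rwx(b) for b in (self.user_obj, mid, self.other))

    def chmod_group(self, bits):
        # chmod on the group bits writes the mask when one exists.
        if self.mask is None:
            self.group_obj = bits
        else:
            self.mask = bits

    def allowed(self, uid, gids, want):
        if uid == self.owner:                 # owner entry is decided first, never masked
            return self.user_obj & want == want
        mask = 7 if self.mask is None else self.mask
        if uid in self.users:                 # named user entry, filtered by the mask
            return self.users[uid] & mask & want == want
        matching = [self.group_obj] if self.group in gids else []
        matching += [p for g, p in self.groups.items() if g in gids]
        if matching:                          # owning/named groups, filtered by the mask
            return any(p & mask & want == want for p in matching)
        return self.other & want == want

def demo():
    # Constructed sample: alice:staff owns the file, group entry r--, bob has a named rw- entry.
    acl = Acl("alice", "staff", R | W, R, 0, users={"bob": R | W}, mask=R | W)
    before = (acl.ls_mode(), acl.allowed("bob", set(), R))
    acl.chmod_group(0)                        # the traditional "chmod g-rwx" lock-out
    locked = (acl.ls_mode(), acl.allowed("bob", set(), R),
              acl.allowed("carol", {"staff"}, R), acl.allowed("alice", {"staff"}, R),
              acl.group_obj)
    acl.chmod_group(R | W)                    # restoring the mask reactivates the ACL entries
    return before, locked, acl.allowed("bob", set(), W)
```
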