[Samba] Samba and POSIX ACLs

Sergei Gerasenko gerases at gmail.com
Fri Aug 12 15:30:26 UTC 2016


Hi everybody,

I know this has been discussed ad nauseam, but I can't find an answer to my
question precisely.

My version of samba is 4.2.10.

Here's my question. I have POSIX ACLs set on a directory like this:

# file: .
# owner: root
# group: admin
# flags: -s-
user::rwx
user:apache:rwx
group::rwx
group:admin:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:apache:rwx
default:group::rwx
default:group:admin:rwx
default:mask::rwx
default:other::---

When I create a file in that directory with the touch command on linux, I
get:

-rw-rw----+ 1 my_user_name admin 0 Aug 12 11:17 new

... which is what I want -- no exec bit set anywhere on the file itself
(though I do want it on a directory).

But when I create it through Samba, I get:

-rw-rwx---+ 1 my_user_name admin 0 Aug 12 11:07 new

I know that the ACL mask defines the maximum permissions and so since touch
uses the 0666 create mode, the exec bit is not set. So far so good.

Now to samba. The share has these controls:

...
create mask = 0664
...

When stracing the samba process, I see that 0664 is specified in the open
system call, but following that, setxattr is called (not sure by samba or
some kernel process), which must be setting the exec bit on the group?

...
96012 open("new", O_RDWR|O_CREAT|O_EXCL, 0664) = 40
96012 setxattr("New Text Document.txt", "system.posix_acl_access",
LONG_HEX_STRING_HERE, 52, 0) = 0
...


My question finally is: how do I make sure the exec bit on the group is *not*
set?

Thanks,
  Sergei
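
Added example (not part of the original post, and not Samba code): a small Python model of how Linux derives a new file's access ACL from the directory's default ACL and the create mode, and of why the group column of `ls -l` shows the ACL mask. The helper names are hypothetical, and the `rwx` mask applied in the last step is an assumption inferred from the `-rw-rwx---+` listing above, since the setxattr payload is not shown.

```python
# Default ACL entries taken from the getfacl output in the post.
DEFAULT_ACL = {
    "user::": "rwx", "user:apache": "rwx", "group::": "rwx",
    "group:admin": "rwx", "mask::": "rwx", "other::": "---",
}

def bits(p):
    """'rw-' -> 6"""
    return sum(v for c, v in zip(p, (4, 2, 1)) if c != "-")

def perm(n):
    """6 -> 'rw-'"""
    return "".join(c if n & v else "-" for c, v in zip("rwx", (4, 2, 1)))

def inherit(default_acl, create_mode):
    """Access ACL of a new file: copy the default ACL, then AND the owner,
    mask (group:: if there is no mask) and other entries with create_mode.
    The umask is not applied when a default ACL exists."""
    acl = dict(default_acl)
    group_key = "mask::" if "mask::" in acl else "group::"
    for key, shift in (("user::", 6), (group_key, 3), ("other::", 0)):
        acl[key] = perm(bits(acl[key]) & (create_mode >> shift) & 7)
    return acl

def ls_mode(acl):
    """Mode string as ls -l prints it: with a mask entry present, the
    group column is the mask, not the owning group's own entry."""
    return "-" + acl["user::"] + acl.get("mask::", acl["group::"]) + acl["other::"] + "+"

def effective(acl):
    """Rights actually granted: named entries and group:: are capped by the mask."""
    mask = bits(acl.get("mask::", "rwx"))
    return {k: perm(bits(v) & mask) for k, v in acl.items()
            if k not in ("user::", "mask::", "other::")}

if __name__ == "__main__":
    for label, mode in (("touch, 0666", 0o666), ("open() in strace, 0664", 0o664)):
        acl = inherit(DEFAULT_ACL, mode)
        print(label, ls_mode(acl), effective(acl))
    # Assumption: a later ACL write (the setxattr in the strace) leaves mask::rwx.
    rewritten = {**inherit(DEFAULT_ACL, 0o664), "mask::": "rwx"}
    print("after ACL rewrite", ls_mode(rewritten), effective(rewritten))
```

In this model the 0664 create mode alone yields `-rw-rw----+`, so the extra `x` can only come from a later change to the mask entry, and once the mask is `rwx` the named entries and the owning group effectively hold execute as well.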

