[Samba] Samba-created files with POSIX ACLs gaining execute bit

christian russell christian.baltini at gmail.com
Tue Dec 18 02:56:04 UTC 2018


Hi all,

I have a Samba share set up using POSIX ACLs as the permissions backend.  I am seeing an issue where files created via Samba get execute permissions whereas files created via shell do not.  Here’s my demonstration using “share2” as the root of my share:

[root@samba srv]# ls -l
total 0
drwxrwx---+ 2 root root 65 Dec 17 18:40 share2
[root@samba srv]# getfacl share2/
# file: share2/
# owner: root
# group: root
user::rwx
group::rwx
group:share2_ro:r-x
group:share2_rw:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx		#effective:rw-
default:group:share2_ro:r-x	#effective:r--
default:group:share2_rw:rwx	#effective:rw-
default:mask::rw-
default:other::---

[root@samba srv]# ls -l share2/
total 0
-rw-rw----+ 1 christian users 0 Dec 17 18:39 file_via_shell
-rwxrwx---+ 1 christian root  0 Dec 17 18:40 file_via_smb
[root@samba srv]# getfacl share2/*
# file: share2/file_via_shell
# owner: christian
# group: users
user::rw-
group::rwx			#effective:rw-
group:share2_ro:r-x		#effective:r--
group:share2_rw:rwx		#effective:rw-
mask::rw-
other::---

# file: share2/file_via_smb
# owner: christian
# group: root
user::rwx
user:christian:rwx
group::rw-
group:root:rw-
group:share2_ro:r--
group:share2_rw:rw-
mask::rwx
other::---

This bug appears to show something similar: https://bugzilla.samba.org/show_bug.cgi?id=10792

These are the additions to my smb.conf that may be relevant.  I have tried playing with the “create mask” and “force create mode” parameters without any luck.  As you can see below I also disabled the DOS - POSIX attribute mappings that use the execute bits to store attributes.

    read only = no
    unix extensions = no
    force group = root
    vfs objects = catia fruit streams_xattr
    fruit:aapl
    fruit:nfs_aces = no
    dos filemode = yes
    inherit acls = yes
    map archive = no
    map hidden = no
    map readonly = no

All things considered my end goal is to:
1.)  Have all directories 770
2.)  Have all files 660
3.)  Provide additional groups access to files with 660-equivalent ACLs
4.)  Provide additional groups access to files with 770-equivalent ACLs
5.)  Inherit the above settings to files and directories from the share’s root directory

Thanks in advance for any help!

Christian
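
Added example, not part of the original message: a Python check that parses `getfacl` text, applies the mask to each entry the way the `#effective:` comments in the listing do, and reports which files end up with an effective execute bit. The function names are hypothetical, and treating any record that carries `default:` entries as a directory is an assumption of this sketch.

```python
import re

# getfacl output for the two files in the message above (owner/group header lines omitted).
SAMPLE = """\
# file: share2/file_via_shell
user::rw-
group::rwx\t\t\t#effective:rw-
group:share2_ro:r-x\t\t#effective:r--
group:share2_rw:rwx\t\t#effective:rw-
mask::rw-
other::---

# file: share2/file_via_smb
user::rwx
user:christian:rwx
group::rw-
group:root:rw-
group:share2_ro:r--
group:share2_rw:rw-
mask::rwx
other::---
"""
ENTRY = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([r-][w-][x-])$")

def parse_getfacl(text):
    """Return {path: {"access": [(tag, name, perms)], "default": [...]}}."""
    files, current = {}, None
    for raw in text.splitlines():
        m = ENTRY.match(raw.split("#", 1)[0].strip())  # drops "#effective:" comments
        if raw.startswith("# file: "):
            current = files.setdefault(raw[8:].strip(), {"access": [], "default": []})
        elif m and current is not None:
            current["default" if m.group(1) else "access"].append(m.groups()[1:])
    return files

def effective(entries):
    """Effective rights: named users and every group entry are ANDed with mask."""
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    masked = lambda t, n: t == "group" or (t == "user" and n != "")
    return {f"{t}:{n}": "".join(c if c == m or not masked(t, n) else "-"
                                for c, m in zip(p, mask))
            for t, n, p in entries if t != "mask"}

def files_with_execute(text):
    """Map path -> entries with effective x; records with default: entries are skipped."""
    acls = parse_getfacl(text)
    found = {p: sorted(k for k, v in effective(a["access"]).items() if "x" in v)
             for p, a in acls.items() if not a["default"]}
    return {p: e for p, e in found.items() if e}
```

Run over the listing above, only `share2/file_via_smb` is reported, through its `user::` and `user:christian:` entries; the same functions accept the text of `getfacl -R` over a whole share.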

