[Samba] Samba-created files with POSIX ACLs gaining execute bit
christian russell
christian.baltini at gmail.com
Tue Dec 18 02:56:04 UTC 2018
Hi all,
I have a Samba share set up using POSIX ACLs as the permissions backend. I am seeing an issue where files created via Samba get execute permissions whereas files created via shell do not. Here’s my demonstration using “share2” as the root of my share:
[root@samba srv]# ls -l
total 0
drwxrwx---+ 2 root root 65 Dec 17 18:40 share2
[root@samba srv]# getfacl share2/
# file: share2/
# owner: root
# group: root
user::rwx
group::rwx
group:share2_ro:r-x
group:share2_rw:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx #effective:rw-
default:group:share2_ro:r-x #effective:r--
default:group:share2_rw:rwx #effective:rw-
default:mask::rw-
default:other::---
[root@samba srv]# ls -l share2/
total 0
-rw-rw----+ 1 christian users 0 Dec 17 18:39 file_via_shell
-rwxrwx---+ 1 christian root 0 Dec 17 18:40 file_via_smb
[root@samba srv]# getfacl share2/*
# file: share2/file_via_shell
# owner: christian
# group: users
user::rw-
group::rwx #effective:rw-
group:share2_ro:r-x #effective:r--
group:share2_rw:rwx #effective:rw-
mask::rw-
other::---
# file: share2/file_via_smb
# owner: christian
# group: root
user::rwx
user:christian:rwx
group::rw-
group:root:rw-
group:share2_ro:r--
group:share2_rw:rw-
mask::rwx
other::---
This bug appears to show something similar: https://bugzilla.samba.org/show_bug.cgi?id=10792
These are the additions to my SMB.conf that may be relevant. I have tried playing with the “create mask” and “force create mode” parameters without any luck. As you can see below I also disabled the DOS - POSIX attribute mappings that use the execute bits to store attributes.
read only = no
unix extensions = no
force group = root
vfs objects = catia fruit streams_xattr
fruit:aapl
fruit:nfs_aces = no
dos filemode = yes
inherit acls = yes
map archive = no
map hidden = no
map readonly = no
All things considered my end goal is to:
1.) Have all directories 770
2.) Have all files 660
3.) Provide additional groups access to files with 660-equivalent ACLs
4.) Provide additional groups access to files with 770-equivalent ACLs
5.) Inherit the above settings to files and directories from the share’s root directory
Thanks in advance for any help!
Christian
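
An audit check for goal 2 above, as an added example that is not part of the original post: it parses `getfacl` text and lists, per file, the ACL entries whose effective permissions include execute. It assumes the input covers regular files only; the function names are illustrative, and the sample is the listing shown in the post.

```python
# Added example (not from the post); SAMPLE is the post's getfacl listing.
SAMPLE = """\
# file: share2/file_via_shell
# owner: christian
# group: users
user::rw-
group::rwx #effective:rw-
group:share2_ro:r-x #effective:r--
group:share2_rw:rwx #effective:rw-
mask::rw-
other::---
# file: share2/file_via_smb
# owner: christian
# group: root
user::rwx
user:christian:rwx
group::rw-
group:root:rw-
group:share2_ro:r--
group:share2_rw:rw-
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Return {path: [(tag, qualifier, perms), ...]}, skipping default: entries."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()
        if line.startswith("# file:"):
            current = acls.setdefault(line[len("# file:"):].strip(), [])
        elif line and current is not None and not line.startswith(("#", "default:")):
            tag, qualifier, perms = line.split(":")[:3]
            current.append((tag, qualifier, perms))
    return acls

def exec_entries(entries):
    """Entries with effective execute; the mask caps named users and all groups."""
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    hits = []
    for tag, qualifier, perms in entries:
        capped = tag == "group" or (tag == "user" and qualifier != "")
        if tag != "mask" and perms[2] == "x" and (not capped or mask[2] == "x"):
            hits.append(f"{tag}:{qualifier}")
    return hits

def audit(text):
    """Map each file to the entries that break the 660-equivalent goal."""
    return {p: h for p, e in parse_getfacl(text).items() if (h := exec_entries(e))}
```

On the listing above, `audit(SAMPLE)` reports only `file_via_smb`, with execute coming from the owner entry and the named `user:christian` entry under a `mask::rwx`.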