[Samba] permissions, and maybe a violation of the least surprise principle

Jeremy Allison jra at samba.org
Mon Nov 8 17:41:05 UTC 2021

On Mon, Nov 08, 2021 at 09:38:18AM -0600, Patrick Goetz via samba wrote:
>I'm down to the last step of my current re-implementation of Samba, 
>namely getting the permissions to work right.
>Here is the share section (+ some general) from my smb.conf file:
>   winbind refresh tickets = Yes
>   vfs objects = acl_xattr
>   comment = Share Directory
>   path = /data/share
>   guest ok = no
>   browseable = yes
>   writeable = yes
>   create mask = 0770
>   directory mask = 0770
>   # inherit permissions = yes
>   follow symlinks = yes

Check out the smb.conf parameters:

inherit acls
inherit owner
inherit permissions

Note that when you load "vfs objects = acl_xattr"
in order to make POSIX ACLs work as expected, the
module hard-codes the following parameters:

        /* Ensure we have the parameters correct if we're
          * using this module. */
         DEBUG(2,("connect_acl_xattr: setting 'inherit acls = true' "
                 "'dos filemode = true' and "
                 "'force unknown acl user = true' for service %s\n",
                 service ));

         lp_do_parameter(SNUM(handle->conn), "inherit acls", "true");
         lp_do_parameter(SNUM(handle->conn), "dos filemode", "true");
         lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true");

In addition, you can set the parameter "acl_xattr:ignore system acls"
which if set to true will cause smbd to only look at the Windows
permission on a file, not the POSIX ones. This is used on "appliance"
devices where the only access to the filesystem is via smbd.

Setting this also changes:

		create_mask = lp_create_mask(SNUM(handle->conn))|= 0666;

                 lp_do_parameter(SNUM(handle->conn), "directory mask", "0777");
                 lp_do_parameter(SNUM(handle->conn), "map archive", "no");
                 lp_do_parameter(SNUM(handle->conn), "map hidden", "no");
                 lp_do_parameter(SNUM(handle->conn), "map readonly", "no");
                 lp_do_parameter(SNUM(handle->conn), "map system", "no");
                 lp_do_parameter(SNUM(handle->conn), "store dos attributes",

This is a complex topic as what people want from ACLs in smbd
varies enourmously, and we are trying to (a) keep backwards compatibility
as far as possible and (b) allow people to get as close to Windows ACLs
as possible and (c) give the flexibility for people to work with Windows/POSIX/NFSv4
ACL models.

It's not easy :-).

More information about the samba mailing list