[Samba] permissions, and maybe a violation of the least surprise principle

Rowland Penny rpenny at samba.org
Tue Nov 9 18:45:27 UTC 2021


On Tue, 2021-11-09 at 08:19 -0600, Patrick Goetz via samba wrote:
> OK, I think I'm starting to absorb the idiomatic usage of permissions
> in Windows. The group always just defaults to Domain Users and then you
> control access through filesystem permissions.
> 
> However, (see below)
> 
> On 11/8/21 16:50, L.P.H. van Belle via samba wrote:
> > I'll add my view on it.
> > 
> > Windows can only hold 1 primary group for a user, which is by
> > default "Domain Users".
> > So, yes, every file holds the "domain users" by default. Let's say
> > GID 10000 is assigned.
> > 
> > For example.
> > We have 2 users, bugger and bogger.
> > Bugger is a member of "domain users" (GID 10000) and the SomeUseless
> > group (GID 10001).
> > Bogger is a member of "domain users" (GID 10000) and the Staff group
> > (GID 10002).
> > 
> > From a Windows machine, default rights are set as you see in your
> > output.
> > Which is all correct as far as I see.
> > 
> > Now, let's remove the Windows thoughts and just use POSIX.
> > You change the default group in Windows for both users to its group
> > with GID.
> > 
> > Bogger places a file in the SomeUseless group, so bugger can open
> > it.
> > But the file owner now is bogger:staff, bugger isn't a member,
> > so too bad, he can't open/change it, even if it's in the right folder.
> > 
> > This is why I use, in a "Linux with mixed Windows" rights setup,
> > the Windows defaults.
> > 
> > So, all "file rights" are "domain users" as group and every member
> > can open/change it.
> > This fixes the above rights problem.
> > 
> > On the "folder part".
> > The ACL is obeyed from Windows and Linux users can't enter it.
> > You use a group as security group to allow access only.
> > 
> > Only one important part, or you need to change rights later on.
> > Set the UID/GIDs first thing in the objects, before you create
> > folders, or the GID doesn't show/isn't set.
> > Still need to look better into that, only so little time currently.
> > 
> > The keys from Windows to POSIX are "Creator Owner" and "Creator
> > Group" (mainly Creator Group)
> > 
> > Windows                     : POSIX
> > ( Creator owner )           : 1770 (through sticky bit) (normally chmod 4770)
> > ( Creator group )           : chmod 2770
> > ( Creator owner and group ) : chmod 3770
> > 
> > https://chmodcommand.com/ has a nice explanation on the sticky
> > bit and SetGID.
> > 
> > 
> 
> I'm not seeing what the setuid/setgid bits are doing for Windows
> permissions.  In particular, on Linux at least the setuid bit is just
> ignored when set on a directory (see the link just above).
> 
> I can see setting the setgid bit, as this means group permissions behave
> properly when set from Linux, but this doesn't seem to do anything on
> Windows permissions.  And when you save a file to the folder, the
> default group set on the file is Domain Users.
> 
> And, as far as I can tell, Creator Owner and Creator Group are set on
> every folder regardless of whether or not the setuid/setgid is set.

Try reading the smb.conf manpage, specifically the 'inherit
permissions' section.

Rowland
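The "creator group : chmod 2770" row in the quoted table, as an added shell example that is not from this thread: it shows that on Linux a file or subdirectory created under a setgid directory takes the directory's group instead of the creator's primary group (the "Domain Users" default the thread discusses), and that the setgid bit itself propagates to subdirectories, which is the mode Samba's `inherit permissions = yes` preserves for directories it creates. Linux semantics and GNU or busybox `stat` are assumed; the helpers `file_group`, `is_setgid`, `pick_group` and `setup_demo` are my own names.

```shell
#!/bin/sh
# Added example, not from the thread: builds one directory with the setgid
# bit (2770) and one without (0770), both owned by a group the current user
# belongs to, then creates a file and a subdirectory in each.

# Numeric group id of a path.
file_group() { stat -c %g "$1"; }

# Prints 1 if the setgid bit is set on a path, else 0 ('s' or 'S' in the
# group-execute position of the symbolic mode, e.g. drwxrws---).
is_setgid() {
    case "$(stat -c %A "$1")" in
        ??????[sS]*) echo 1 ;;
        *)           echo 0 ;;
    esac
}

# Prefer a supplementary group of the current user so the difference from
# the primary group is visible; fall back to the primary group otherwise.
pick_group() {
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then
            echo "$g"
            return 0
        fi
    done
    echo "$primary"
}

# Creates $WORK/shared (2770) and $WORK/plain (0770), both chgrp'ed to
# $GRP, then a file "f" and a subdirectory "sub" inside each.
setup_demo() {
    WORK=$(mktemp -d) || return 1
    GRP=$(pick_group)
    mkdir "$WORK/shared" "$WORK/plain"
    chgrp "$GRP" "$WORK/shared" "$WORK/plain"
    chmod 2770 "$WORK/shared"   # setgid: new entries take the directory's group
    chmod 0770 "$WORK/plain"    # no setgid: new entries take the creator's primary group
    touch "$WORK/shared/f" "$WORK/plain/f"
    mkdir "$WORK/shared/sub" "$WORK/plain/sub"
}

setup_demo
echo "shared/f group: $(file_group "$WORK/shared/f") (directory group $GRP)"
echo "plain/f  group: $(file_group "$WORK/plain/f") (primary group $(id -g))"
echo "setgid on shared/sub: $(is_setgid "$WORK/shared/sub"), on plain/sub: $(is_setgid "$WORK/plain/sub")"
rm -rf "$WORK"
```

If the user has no supplementary group, both files show the same group and only the setgid propagation line differs.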
