[Samba] icacls 'DENY' and Unix user execute bit

Patrick Goetz pgoetz at math.utexas.edu
Mon Nov 22 16:58:36 UTC 2021



On 11/20/21 07:10, Stefan Kania via samba wrote:
> 
> 
> Am 20.11.21 um 01:00 schrieb Ken Bass via samba:
>> chmod u-x test.txt
> 
> NEVER EVER use chmod on a file or directory with ACLs. You are NOT
> changing permission you only change the mask. The mask is showing which
> permissions can have user/group/other as maximum. Only use setfacl to
> change permissions.
> 


I thought the POSIX extended ACLs are just extending the permissions (so 
actually, you are changing the permissions on the file).

I think what Stefan is alluding to is that changing basic permissions 
can have a dramatic impact on *effective* POSIX ACLs because of the 
principle of least surprise.  To illustrate, suppose you have


[pgoetz at frog]$ ls -l foo
-rw-rw----+ 1 pgoetz pgoetz 0 Nov 22 10:49 foo
[pgoetz at frog active-directory]$ getfacl foo
# file: foo
# owner: pgoetz
# group: pgoetz
user::rw-
group::rw-
group:solr:rw-
mask::rw-
other::---


The solr group has rw permissions on this file.  However, if I `chmod g-w`:

[pgoetz at frog active-directory]$ chmod g-w foo
[pgoetz at frog active-directory]$ ls -l foo
-rw-r-----+ 1 pgoetz pgoetz 0 Nov 22 10:49 foo
[pgoetz at frog active-directory]$ getfacl foo
# file: foo
# owner: pgoetz
# group: pgoetz
user::rw-
group::rw-			#effective:r--
group:solr:rw-			#effective:r--
mask::r--
other::---


The solr group also loses the ability to edit this file as a result, 
even though technically solr group members still have rw permissions, as 
shown above.  Any permission granted through POSIX ACL can't surpass the 
basic permissions on the file.




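The mask arithmetic behind the getfacl output in the post, worked through in Python as an added example (this is not code from the Samba project or from anyone in the thread). It parses getfacl-style long text (a constructed sample mirroring the `foo` file above), computes the `#effective:` values getfacl prints, and models what `chmod` and `setfacl -m` do to the mask entry: with a mask present, `chmod g-w` rewrites the mask, never `group::` or `group:solr`, while `setfacl -m` recalculates the mask from the group-class entries. All function names are local to this example.

```python
"""POSIX.1e ACL mask arithmetic, modelled in Python (added example, not
Samba code).  Sample input is constructed to mirror the post's file."""
from typing import Dict, List, Optional, Set, Tuple

PERM_ORDER = "rwx"
Entry = Tuple[str, str, Set[str]]  # (tag, qualifier, permission set)

# Constructed sample, mirroring the getfacl output quoted in the post.
SAMPLE_GETFACL = """\
# file: foo
# owner: pgoetz
# group: pgoetz
user::rw-
group::rw-
group:solr:rw-
mask::rw-
other::---
"""


def perms(text: str) -> Set[str]:
    """'rw-' -> {'r', 'w'}."""
    return {c for c in text if c in PERM_ORDER}


def fmt(p: Set[str]) -> str:
    """{'r', 'w'} -> 'rw-'."""
    return "".join(c if c in p else "-" for c in PERM_ORDER)


def parse_getfacl(text: str) -> List[Entry]:
    """Parse getfacl long-text output.  Comments ('# owner:' headers and the
    '#effective:' annotations) are dropped, so this yields the stored ACL."""
    acl: List[Entry] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tag, qualifier, p = line.split(":")
            acl.append((tag, qualifier, perms(p)))
    return acl


def mask_of(acl: List[Entry]) -> Optional[Set[str]]:
    return next((p for t, _, p in acl if t == "mask"), None)


def in_group_class(tag: str, qualifier: str) -> bool:
    """Entries the mask limits: owning group, named groups, named users.
    The owner (user::) and other:: are never masked."""
    return tag == "group" or (tag == "user" and qualifier != "")


def effective(acl: List[Entry]) -> Dict[str, str]:
    """Effective permission per entry, as getfacl's '#effective:' shows it."""
    mask = mask_of(acl)
    out: Dict[str, str] = {}
    for tag, qualifier, p in acl:
        if mask is not None and in_group_class(tag, qualifier):
            p = p & mask
        out[f"{tag}:{qualifier}"] = fmt(p)
    return out


def ls_mode(acl: List[Entry]) -> str:
    """The nine mode bits ls -l prints: with a mask entry present, the group
    triplet shows the mask, not group::."""
    mask = mask_of(acl)
    entries = {f"{t}:{q}": p for t, q, p in acl}
    group_class = mask if mask is not None else entries["group:"]
    return fmt(entries["user:"]) + fmt(group_class) + fmt(entries["other:"])


def chmod(acl: List[Entry], spec: str) -> List[Entry]:
    """Model 'chmod [ugo][+-][rwx]'.  u and o edit user:: and other::;
    g edits the mask when one exists, so no named entry is ever touched."""
    who, op, bits = spec[0], spec[1], perms(spec[2:])
    if who not in "ugo" or op not in "+-":
        raise ValueError(f"unsupported chmod spec {spec!r}")
    target = {"u": ("user", ""), "o": ("other", ""), "g": ("mask", "")}[who]
    if who == "g" and mask_of(acl) is None:
        target = ("group", "")  # no ACL mask: g really is the owning group
    new: List[Entry] = []
    for tag, qualifier, p in acl:
        if (tag, qualifier) == target:
            p = (p | bits) if op == "+" else (p - bits)
        new.append((tag, qualifier, set(p)))
    return new


def setfacl_modify(acl: List[Entry], tag: str, qualifier: str, p: str,
                   recalc_mask: bool = True) -> List[Entry]:
    """Model 'setfacl -m tag:qualifier:perms'.  Unless the mask itself is set
    or -n is given (recalc_mask=False), setfacl recalculates the mask as the
    union of all group-class entries, so the change takes effect."""
    new = [(t, q, set(pp)) for t, q, pp in acl if (t, q) != (tag, qualifier)]
    new.append((tag, qualifier, perms(p)))
    if tag != "mask" and recalc_mask and mask_of(new) is not None:
        union: Set[str] = set()
        for t, q, pp in new:
            if in_group_class(t, q):
                union |= pp
        new = [(t, q, union if t == "mask" else pp) for t, q, pp in new]
    return new


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    print(ls_mode(acl), effective(acl))            # rw-rw---- solr: rw-
    after = chmod(acl, "g-w")
    print(ls_mode(after), effective(after))        # rw-r----- solr: r--
    fixed = setfacl_modify(after, "mask", "", "rw-")
    print(ls_mode(fixed), effective(fixed))        # rw-rw---- solr: rw-
```

Running it reproduces the post: after `chmod g-w` the stored `group::` and `group:solr` entries are still `rw-`, only the mask dropped to `r--`, which is why getfacl annotates them `#effective:r--`. Either `setfacl -m m::rw-` or re-applying the solr entry with `setfacl -m g:solr:rw-` (mask recalculated) restores write access, which is Stefan's point about using setfacl rather than chmod on ACL-bearing files.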