[Samba] icacls 'DENY' and Unix user execute bit

Ken Bass kbass at kenbass.com
Mon Nov 22 18:14:38 UTC 2021

On 11/22/21 12:12 PM, Patrick Goetz via samba wrote:
> On 11/20/21 11:36, Ken Bass via samba wrote:
>> I don't think that is going to work since I cannot control that the 
>> Linux application is messing with permissions. When files are created 
>> under Linux, the execute bit is typically not set.
>> So to support an application that can run on Windows and on Linux 
>> against the same share I need a solution that will work.
> Do you have a default umask set which is removing the "x" permission 
> under linux?  Normally, it should not happen that the x permissions 
> are modified when you edit a file unless your umask is something 
> strange like 0467.
> But this definitively settles for me whether or not it's a good idea 
> to CIFS mount Samba shares to a linux system: if it can't handle POSIX 
> ACL's, game over.
> As someone else mentioned, the standard way to mount filesystems linux 
> to linux is NFS, preferably NFSv4. But you can also use ssh-fuse, 
> which will tunnel the whole thing through ssh.

Correct, the editing of an existing file is not going to remove the 
execute permission bit. However, creating a new file will. And obviously 
applications create files all the time and that is not a bug or a 
failure of a native Linux application.

What I have gleaned so far is that the current CIFS implementation 
is not compatible with SMB2 or SMB3 when it comes to using POSIX ACL. 
Only the old SMB1 supports this. My workaround is simply to not use 
acl_xattr and I can get things working with proper setup of users and 

Perhaps I will look into NFS or ssh-fuse in the future.

What I still do not understand is why removing the executable bit 
permission translated to a narrowing of the permission for writing.  But 
I am not going to waste any more time on it.
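
Added example, not part of the original message or of Samba: a Python sketch of the local Linux behaviour this exchange turns on. The umask can only clear bits from the mode an application requests at creation time, so a file created with the usual 0666 request never carries an execute bit whatever the umask is. The function names and sample umask values are illustrative assumptions; nothing here involves Samba, CIFS or acl_xattr.

```python
import os
import stat
import tempfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def created_mode(umask, requested=0o666):
    """Create a file via open(2) with `requested` mode under `umask`
    and return the permission bits the kernel actually assigned."""
    # The scratch directory is made before the umask changes so that
    # an unusual umask cannot make it unreadable for cleanup.
    with tempfile.TemporaryDirectory() as scratch:
        path = os.path.join(scratch, "newfile")
        previous = os.umask(umask)
        try:
            fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, requested)
            os.close(fd)
        finally:
            os.umask(previous)  # always restore the process umask
        return stat.S_IMODE(os.stat(path).st_mode)


def has_exec(mode):
    """True if any of the user/group/other execute bits is set."""
    return bool(mode & EXEC_BITS)


def survey():
    """Return (umask, requested, resulting mode, has execute bit) rows."""
    cases = [
        (0o022, 0o666),  # common default umask, typical data-file request
        (0o000, 0o666),  # no masking at all: still no execute bit
        (0o467, 0o666),  # the unusual umask mentioned in the quoted reply
        (0o022, 0o777),  # execute bit appears only when it is requested
    ]
    rows = []
    for umask, requested in cases:
        mode = created_mode(umask, requested)
        rows.append((umask, requested, mode, has_exec(mode)))
    return rows


if __name__ == "__main__":
    for umask, requested, mode, x in survey():
        print(f"umask {umask:04o}  requested {requested:04o}  "
              f"result {mode:04o}  exec={'yes' if x else 'no'}")
```
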
