"Inherit Permissions" request for comments

Kyle Herbert kyleh at firstnetimpressions.com
Sun Jun 4 22:22:30 GMT 2000


Let's not forget John's post that OpenVMS does not have a setgid bit per se.
There may be other similar exceptions.  Shouldn't the Samba application be
administered in identical fashion across platforms?  I think so.

I do all my admin via shell as well, and personally I'd rather not have the
extra step of stripping off setgid bits as I move directories around; my
point being that there may be some benefit to us Unix lovers as well.

I think we are in agreement that 100% of the time "inherit permissions"
should not be used without setgid=yes behavior (whether that be through
setgid, or igo, or my patch).  Would anyone argue to the contrary?

That being the case, take a minute to re-evaluate my patch.  With two Samba
servers (one running my patch and one using setgid bits) create identical
shares, create identical sub-folders owned by various groups, and add
identical file structures on each from a Windows client.  Take a look at the
created file structures from the servers' points of view.  You'll see that
they remain identical with respect to user and group ownerships, and that
they remain identical with respect to permissions except that one has setgid bits
recursively applied and the other does not.  There is IDENTICAL behavior
between setgid=yes and my patch to "inherit permissions"!

Additional benefits of the patch strategy would be that:

1) operating systems like OpenVMS would be managed symmetrically

2) since the default of "inherit permissions" is already 'no' and my patch
keys on "inherit permissions", the concept of defaulting igo=no as we've
just discussed is already implemented

3) there is no longer a conflict between setgid=yes and igo=no (an earlier
discussion); they mean the same thing and there'd be no "inherit group
owner" feature to confuse the administrator

4) adding an additional option to the conf file is not required; this is a
small benefit -- but with at least 29 synonyms available for conf file
attributes and at least two deprecated conf file attributes currently, it
may be worthwhile to be a little stingy

5) if having recursive setgid bits applied is desired behavior, the system
administrator can still set them on any share directory and have them
recursively applied as new sub-folders are created through the current
"inherit permissions implementation" even with the patch applied

6) I won't have to strip off setgid bits as I move stuff around ;-)

I threw in my support for David's suggestion.  It supplies the needed
functionality and appeared to be the most agreeable.  I'll stand by that.
But as you guys hash out the details, I see more and more that you're
hashing out the behavior implemented in my patch -- only doing so with an
additional conf file option that leads to discussions concerning defaults
and conflicts.  Please keep this in the back of your minds as discussion
continues.

Thanks,
--Kyle


Kyle Herbert
Information Technology Director
First 'Net' Impressions, LLC


----- Original Message -----
From: Mayers, P J <p.mayers at ic.ac.uk>
To: Multiple recipients of list SAMBA-TECHNICAL <samba-technical at samba.org>
Sent: Sunday, June 04, 2000 10:15 AM
Subject: RE: "Inherit Permissions" request for comments


> Well, I disagree. But the default ought to be igo=no anyway, so no-one is
> forcing the use of this. "More like NT" is the entire point as far as I'm
> concerned - if I want to use Unix (and I do) I'll shell in, or use a CODA
> share.
>
> Cheers,
> Phil
>
> -----Original Message-----
> From: Peter Samuelson
> To: p.mayers at ic.ac.uk
> Cc: samba-technical at samba.org
> Sent: 6/4/00 1:17 PM
> Subject: RE: "Inherit Permissions" request for comments
>
>
> [Mayers, P J <p.mayers at ic.ac.uk>]
> > I wholly agree with obeying the setgid if igo=no.  To do otherwise
> > would be bad behaviour of the highest order.
>
> <aol>me too</aol>
>
> > It *might* be useful (I can't see myself ever using it) to have a
> > "force inherit group owner"
>
> Stop it already!  You're sick!  Sick, sick, sick! (:
>
> My opinion on the matter is that "inherit group owner" isn't needed at
> all.  I still can't see what's wrong with setgid directories, which
> have always worked fine for me, thankyouverymuch.
>
> I don't find "To be more like NT" very compelling.  We're not NT.
>
> I also don't find "So people who expect NT semantics won't have to
> learn about setgid" very compelling.  If they're willing to hunt down
> "igo" in `man smb.conf', they can find setgid.
>
> BUT.  If people insist, it should at least be called "ig", because
> "igo" is redundant.
>
> Peter
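
The comparison described in the message above (two trees that should match in user and group ownership and in permissions, apart from the setgid bit) can be checked mechanically. The following Python script is an added example, not part of the original thread or of Samba; it assumes both trees are readable on one host with numeric ownership preserved, and its function names and sample paths are hypothetical.

```python
import os
import stat
import tempfile

def snapshot(root):
    """Map each path (relative to root) to (uid, gid, permission bits)."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    entries = {}
    for p in paths:
        st = os.lstat(p)  # lstat: report symlinks themselves, do not follow
        entries[os.path.relpath(p, root)] = (st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    return entries

def compare_trees(tree_a, tree_b):
    """Return (real_differences, setgid_only_paths) for two directory trees."""
    snap_a, snap_b = snapshot(tree_a), snapshot(tree_b)
    real, setgid_only = [], []
    for rel in sorted(set(snap_a) | set(snap_b)):
        a, b = snap_a.get(rel), snap_b.get(rel)
        if a is None or b is None:
            real.append((rel, "missing on one side"))
        elif a[:2] != b[:2]:
            real.append((rel, "owner/group differ"))
        elif (a[2] ^ b[2]) & ~stat.S_ISGID:
            real.append((rel, "mode differs"))
        elif a[2] != b[2]:
            setgid_only.append(rel)  # only the setgid bit differs
    return real, setgid_only

def build_sample(root, setgid):
    """Constructed sample tree: <root>/projects/docs/report.txt."""
    docs = os.path.join(root, "projects", "docs")
    os.makedirs(docs)
    report = os.path.join(docs, "report.txt")
    with open(report, "w") as fh:
        fh.write("constructed sample file\n")
    os.chmod(report, 0o660)
    for d in (docs, os.path.dirname(docs), root):
        os.chmod(d, 0o770 | (stat.S_ISGID if setgid else 0))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        with_bits, without_bits = os.path.join(tmp, "a"), os.path.join(tmp, "b")
        build_sample(with_bits, setgid=True)
        build_sample(without_bits, setgid=False)
        real, setgid_only = compare_trees(with_bits, without_bits)
        print("differences other than setgid:", real)
        print("setgid-only differences:", setgid_only)
```

An empty first list together with a second list that names only directories is the outcome the message predicts for the two servers.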





