ACL + excel = problems with permissions

Olaf Frączyk olaf at cbk.poznan.pl
Tue Jun 20 08:14:49 GMT 2006


On Mon, 2006-06-19 at 18:49 +0200, sylvain.david at etranges-libellules.fr
wrote:
> > Hi, I have the same problem, and I hope you'll have the time to answer me.
> >
> > My system is:
> > Debian Sarge (stable) + samba Version 3.0.14a-Debian + ext3 acl enabled
> > my smb.conf is attached to this email
> > my clients are under Windows XP SP1, Windows XP SP2, Windows 2000 SP4.
> > They all use Office XP 2003 (I'm lucky, they don't have a lot of
> > versions of Office...)
> >
> > Description of the problem: Office modifies ACLs on saving a file and makes
> > it read only.
> >
> > - ACL status before: getfacl file01.xls:
> > # owner: root
> > # group: root
> > user::rwx
> > user:root:rwx
> > group::---
> > group:Projet_01:rwx
> > mask::rwx
> > other::---
> >
> > - user A, who is in the Projet_01 group, opens file01.xls with Excel 2003
> > and presses Ctrl-S to save his modification. He gets an error message:
> > share violation: the file is stored, but re-opened read only
> > - ACL status: getfacl file01.xls:
> > # owner: userA
> > # group: root
> > user::r--
> > user:root:rwx
> > user:reunion:rwx
> > group::---
> > group:Projet_01:rwx
> > mask::rwx
> > other::---
> >
> > I noticed that:
> > - the user can, through the security properties of the file, get back the
> > good rights rwx. But... my users find that boring and they're right.
> > - if the user has explicit rwx rights on the file, even if he's not the
> > owner, there is no problem.
> > - this doesn't happen on Windows 2000 Server
> > - force create mode or create mask seems to change nothing.
> >
> > So, this happens when a user modifies a file that he doesn't own AND
> > he doesn't have explicit rights AND with a Microsoft Office application.
> >
> > I thought about a few solutions, but I find all of them "dirty". Here
> > they are:
> > 1) using OpenOffice.
> >  -> If I could, I surely would do it, but I need time to convert 60 people
> > loving Excel and Word to Calc and Writer. Even if they are all
> > programmers, trying to change habits is really hard. We exchange
> > documentation with other companies which use ... ... Excel, so for
> > compatibility reasons, we need Excel. So even if it's a good solution,
> > it's hard to choose this solution. And... what if I notice this
> > problem with another application? This solution doesn't solve the
> > problem on the server side, but only on the client side...
> >
> > 2) using a file monitor.
> > -> using gamin or any other file monitor to watch .xls and .doc files.
> > If a file is touched then apply the good rights (with the default
> > rights of the parent directory...). This solution is dirty because my
> > server contains a very, very, very large number of files, and I think it's a
> > bottleneck solution, parsing all directories all the time. And, in a real
> > situation, the error message of Excel will appear anyway, because of
> > the timing.
> >
> > 3) hack the samba code and add a trigger on file write, to execute a
> > script which forces the good ACL to be set?
> > -> probably a bottleneck solution... but... the best for me... but I
> > don't have the level to code it.
> >
> > 4) use the "force user" argument in smb.conf
> > -> it works. but... losing the owner notion of the whole file system
> > is a desperate solution.
> >
> > 5) use explicit user rights on every file.
> > -> it works too. But it removes all the magic of using groups. And for
> > now I have "only" 60 users... and what will I do with 200?
> >
> > 6) is there any Office patch or registry key or Office config, or
> > voodoo dance to do in order to repair the special way Microsoft Office
> > saves?
> > -> I found nothing on my friend Google.
> >
> > 7) sending an email and praying you'll answer me something like: "I
> > found an evident solution and here it is" :)
> > -> I'm praying
> >
> Sorry, I forgot my smb.conf... Here it is.
> 
> # -----------------------------------------------------------------------------
> # Global parameters
> # -----------------------------------------------------------------------------
> [global]
>         dos charset = 850
>         unix charset = ISO8859-1
>         workgroup = elb-lyon
>         netbios name = server02
>         server string = server02.elb-lyon
>         os level = 65
>         domain logons = Yes
>         domain master = Yes
>         local master = Yes
>         preferred master = Yes
>         wins support = Yes
> 
>         obey pam restrictions = Yes
>         passdb backend = tdbsam, guest
>         passwd program = /usr/bin/passwd %u
>         passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
>         passwd chat debug = Yes
>         pam password change = Yes
>         unix password sync = Yes
> 
>         syslog = 0
>         log level = 2
>         # log level max = 10
>         log file = /var/log/samba/log.%m
>         max log size = 10000
>         dns proxy = No
>         panic action = /usr/share/samba/panic-action %d
>         invalid users = root2
> 
>         # default samba user settings
>         logon drive = P:
>         logon home = \\server02\%U
>         logon path = \\server02\profiles\%U
>         logon script = %U.cmd
> 
>         # automatic POSIX account management :)
>         # POSIX account management
>         add machine script = /usr/sbin/useradd -g sambamachines -c Machine -d /dev/null -s /bin/false '%u'
>         add user script = /usr/sbin/useradd -g sambausers -c Utilisateur -d /dev/null -s /bin/false '%u'
>         add group script = /usr/sbin/groupadd '%g'
>         add user to group script = /usr/bin/gpasswd -a '%u' '%g'
>         delete user script = /usr/sbin/userdel -r '%u'
>         delete group script = /usr/sbin/groupdel '%g'
>         delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
>         set primary group script = /usr/sbin/usermod -g '%g' '%u'
> 
>         veto files = /lost+found/ .recycle/ aquota.user/ aquota.group/
> 
>         guest account = guest
> 
>         hosts allow = 192.168.0. 127.
> 
> # -----------------------------------------------------------------------------
> # Required for the domain
> # -----------------------------------------------------------------------------
> [homes]
>         path = /mnt/SAN01/vd3_home2/home2/%u
>         comment = Home Directories
>         valid users = %S
>         guest ok = No
>         writable = Yes
>         create mask = 0700
>         directory mask = 0700
>         browseable = No
> 
> [netlogon]
>         path = /mnt/SAN01/vd3_home2/netlogon
>         comment = Partage NetLogon
>         valid users = @sambausers @sambaguests root
>         guest ok = No
>         read only = Yes
>         browseable = No
> 
> [profiles]
>         path = /mnt/SAN01/vd3_home2/profiles
>         comment = Profils utilisateurs
>         valid users = @sambausers @sambaguests root
>         guest ok = No
>         writable = Yes
>         create mode = 0700
>         browseable = No
> 
> # -----------------------------------------------------------------------------
> # Printers
> # -----------------------------------------------------------------------------
> [printers]
>         path = /tmp
>         comment = All printers
>         valid users = @sambausers
>         guest ok = No
>         create mask = 0700
>         printable = Yes
>         browseable = No
> 
> [print$]
>         comment = Printer Drivers
>         path = /var/lib/samba/printers
> 
> # -----------------------------------------------------------------------------
> # Shares :)
> # -----------------------------------------------------------------------------
> [vd1_echange]
>         comment = Zone d'echange interne et FTP Pantin.
>         path = /mnt/SAN01/vd1_echange
>         valid users = root @sambaadmins @sambaguests @User_Standard
>         guest ok = No
>         writable = Yes
>         #force create mode = 0770
>         create mask = 0770
>         directory mask = 0770
>         browseable = yes
>         inherit permissions = yes
>         inherit acls = yes
>         hide unreadable = Yes
> 
> [vd2_gestion]
>         comment = Administration, compta, gestion.
>         path = /mnt/SAN01/vd2_gestion
>         valid users = root @sambaadmins @Gestion_Level0, @Gestion_Level1, @Gestion_Level2, @Gestion_Level3
>         guest ok = No
>         writable = Yes
>         #force create mode = 0770
>         create mask = 0770
>         directory mask = 0770
>         browseable = Yes
>         inherit permissions = yes
>         inherit acls = yes
>         hide unreadable = Yes
> 
> [vd3_home2]
>         comment = Dossiers privés
>         path = /mnt/SAN01/vd3_home2
>         valid users = root @sambaadmins
>         guest ok = No
>         writable = Yes
>         #force create mode = 0770
>         create mask = 0770
>         directory mask = 0770
>         browseable = Yes
>         inherit permissions = yes
>         inherit acls = yes
>         hide unreadable = Yes
>         csc policy = disable
> 
> [vd4_archive]
>         comment = Archives Design, Develop, Graphisme, Logiciels
>         path = /mnt/SAN01/vd4_archive
>         valid users = root @sambaadmins @User_Standard, @Archive_Develop, @Archive_Design, @Archive_Graphisme, @Archive_Logiciels
>         guest ok = No
>         writable = Yes
>         #force create mode = 0770
>         create mask = 0770
>         directory mask = 0770
>         browseable = Yes
>         inherit permissions = yes
>         inherit acls = yes
>         hide unreadable = Yes
> 
> [vd5_projet]
>         comment = Les Projets
>         path = /mnt/SAN01/vd5_projet
>         valid users = root @sambaadmins @Projet_Asterix1, @Projet_Asterix2, @Projet_Asterix3, @Projet_AsterixCleopatre, @Projet_KetKal, @Projet_LaLune, @Projet_LuckyLuke, @Projet_PProject, @Projet_Tintin, @Projet_Wayans, @Projet_Zeus, @Projet_Arthur, @Projet_Commun, @Projet_Recherches @User_Sourcesafe
>         guest ok = No
>         writable = Yes
>         #force create mode = 0770
>         create mask = 0770
>         directory mask = 0770
>         browseable = Yes
>         inherit permissions = yes
>         inherit acls = yes
>         hide unreadable = Yes
> 
> [vd6_backup]
>         comment = Backups [reservé admin]
>         path = /mnt/SAN01/vd6_backup
>         valid users = root @sambaadmins
>         guest ok = No
>         writable = Yes
>         #force create mode = 0770
>         create mask = 0770
>         directory mask = 0770
>         browseable = Yes
>         inherit permissions = yes
>         inherit acls = yes
>         hide unreadable = Yes
> 
> [vd7_video]
>         comment = Montages Videos
>         path = /mnt/SAN01/vd7_video
>         valid users = root @sambaadmins @User_MontageVideo
>         guest ok = No
>         writable = Yes
>         #force create mode = 0770
>         create mask = 0770
>         directory mask = 0770
>         browseable = Yes
>         inherit permissions = yes
>         inherit acls = yes
>         hide unreadable = Yes
> 
Hi,

Having both "inherit acls" and "inherit permissions" set on the same
share doesn't make sense to me.
The first makes use of default acls, the latter just applies the permissions
of the parent directory.

What you want to do is to ensure that the owner always has rwx bits set. You
should use: force security mode


[1_DYREKCJA]
force security mode = 0600
inherit acls = yes
comment = dyrekcja
path = /home/navi/1_DYREKCJA
writable = yes
printable = no

works for me.

AFAIR Jeremy Allison has fixed this, so with current samba it should work
without "force security mode", but I didn't test it.

Regards,

Olaf

-- 
Olaf Frączyk <olaf at cbk.poznan.pl>
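An added example, not part of the thread, that parses the two getfacl dumps quoted above, reports which bits the owner entry lost during the Excel save, and shows the owner bits once Samba ORs in the `force security mode = 0600` from the reply. The ACL text is copied from the post; the function names and the owner-only mask handling are my own.

```python
"""Diff two getfacl(1) dumps and show what 'force security mode' restores."""

# ACLs for file01.xls before and after the save, copied from the post.
ACL_BEFORE = """\
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:Projet_01:rwx
mask::rwx
other::---
"""

ACL_AFTER = """\
# owner: userA
# group: root
user::r--
user:root:rwx
user:reunion:rwx
group::---
group:Projet_01:rwx
mask::rwx
other::---
"""

BITS = (("r", 4), ("w", 2), ("x", 1))


def parse_getfacl(text):
    """Turn getfacl output into (owner, group, {entry-tag: set of bits})."""
    owner = group = None
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line.startswith("#"):
            continue
        else:
            tag, perms = line.rsplit(":", 1)      # "user:root:rwx" -> ("user:root", "rwx")
            entries[tag.rstrip(":")] = set(perms) - {"-"}   # "user::rwx" -> key "user"
    return owner, group, entries


def lost_bits(before_text, after_text):
    """Bits each entry had before the save and no longer has afterwards."""
    _, _, before = parse_getfacl(before_text)
    _, _, after = parse_getfacl(after_text)
    lost = {}
    for tag, bits in before.items():
        missing = bits - after.get(tag, set())
        if missing:
            lost[tag] = "".join(b for b, _ in BITS if b in missing)
    return lost


def effective_perms(text, tag):
    """Permissions that actually apply: the mask limits every entry except
    the file owner ('user') and 'other' (POSIX ACL rules, not from the post)."""
    _, _, entries = parse_getfacl(text)
    bits = entries[tag]
    if tag not in ("user", "other"):
        bits = bits & entries.get("mask", {"r", "w", "x"})
    return "".join(b for b, _ in BITS if b in bits)


def owner_bits_after_force(text, force_security_mode=0o600):
    """Owner bits after Samba ORs the owner part of 'force security mode'
    into the mode it sets on the client's behalf; 0o600 is the reply's value."""
    _, _, entries = parse_getfacl(text)
    mode = sum(v for b, v in BITS if b in entries["user"])
    mode |= (force_security_mode >> 6) & 0o7
    return "".join(b for b, v in BITS if mode & v)
```

Run against the page's two dumps it reports that only the owner entry lost `wx`, that group Projet_01 still has effective `rwx`, and that the 0600 setting restores `rw` for the owner.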


