[Samba] file permissions with inherit permission + ACL's - Samba


  1. [Samba] file permissions with inherit permission + ACL's

    Hi,

    I have a share (testshare) where different unix groups (testgroup1,
    testgroup2) should have access to. But I want that new files are only
    created with 660 permissions.

    Here are the ACL's of testshare:

    # file: testshare
    # owner: ralfgro
    # group: ve
    user::rwx
    group::rwx
    group:testgroup1:rwx
    group:testgroup2:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:group::---
    default:group:testgroup1:rwx
    default:group:testgroup2:rwx
    default:mask::rwx
    default:other::---

    I created a new directory and a new file in this share.

    drwxrws---+ 2 ralfgro ve 6 2007-04-18 17:28 testdir
    -rwxrwx---+ 1 ralfgro ve 0 2007-04-18 17:28 testfile.txt


    # file: testdir
    # owner: ralfgro
    # group: ve
    user::rwx
    group::---
    group:testgroup1:rwx
    group:testgroup2:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:group::---
    default:group:testgroup1:rwx
    default:group:testgroup2:rwx
    default:mask::rwx
    default:other::---

    The permissions of this new directory are fine. But new files should be
    created with 660 permissions, not 770.

    # file: testfile.txt
    # owner: ralfgro
    # group: ve
    user::rwx
    group::---
    group:testgroup1:rwx
    group:testgroup2:rwx
    mask::rwx
    other::---



    This is the relevant part of smb.conf:

    [testshare]
    force create mode = 0660
    create mask = 0660
    force directory mode = 2770
    directory security mask = 2770
    force directory security mode = 0000
    directory mask = 2770
    force security mode = 0000
    security mask = 0770
    inherit acls = yes
    inherit permissions = yes
    map archive = no
    map system = no
    ...

    Some of the options might be needless now, but I needed them as I
    used 'force group = ...' instead of 'inherit permissions'.


    I already played with the default mask ACL, but then I always ended with no
    executable bit on files _and_ directories which denies access to the new
    created directories...

    Any ideas?

    Ralf
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. RE: [Samba] file permissions with inherit permission + ACL's



    "drwxrws---+ 2 ralfgro ve 6 2007-04-18 17:28 testdir"

    2770 [drwxrws--] permissions will force inherit at the file level
    system, ignoring Samba. Set the directory to 0770 permissions, and new
    items would be created with 660 as per smb.conf

    Other thing is to insure that the main group for the user is the same
    for all users.

    Carlos

    -----Original Message-----
    From: Ralf Gross
    Sent: Wednesday, April 18, 2007 11:45 AM

    default:other::---

    I created a new directory and a new file in this share.

    drwxrws---+ 2 ralfgro ve 6 2007-04-18 17:28 testdir
    -rwxrwx---+ 1 ralfgro ve 0 2007-04-18 17:28 testfile.txt


    # file: testdir
    # owner: ralfgro
    # group: ve
    user::rwx
    group::---
    group:testgroup1:rwx
    group:testgroup2:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:group::---
    default:group:testgroup1:rwx
    default:group:testgroup2:rwx
    default:mask::rwx
    default:other::---

    The permissions of this new directory are fine. But new files should be
    created with 660 permissions, not 770.

    # file: testfile.txt
    # owner: ralfgro
    # group: ve
    user::rwx
    group::---
    group:testgroup1:rwx
    group:testgroup2:rwx
    mask::rwx
    other::---



    This is the relevant part of smb.conf:

    [testshare]
    force create mode = 0660
    create mask = 0660
    force directory mode = 2770
    directory security mask = 2770
    force directory security mode = 0000
    directory mask = 2770
    force security mode = 0000
    security mask = 0770
    inherit acls = yes
    inherit permissions = yes
    map archive = no
    map system = no
    ...

    Some of the options might be needless now, but I needed them as I used
    'force group = ...' instead of 'inherit permissions'.


    I already played with the default mask ACL, but then I always ended with
    no executable bit on files _and_ directories which denies access to the
    new created directories...

    Any ideas?

    Ralf

  3. Re: [Samba] file permissions with inherit permission + ACL's

    Carlos Rivera-Jones wrote:
    >
    > "drwxrws---+ 2 ralfgro ve 6 2007-04-18 17:28 testdir"
    >
    > 2770 [drwxrws--] permissions will force inherit at the file level
    > system, ignoring Samba. Set the directory to 0770 permissions, and new
    > items would be created with 660 as per smb.conf


    I removed the gid bit, but this doesn't change the permissions of new
    files. They are still 770.

    ls -la testshare
    insgesamt 8
    drwxrwx---+ 2 ralfgro ve 25 2007-04-18 17:57 .
    drwxr-xr-x 5 root root 63 2007-04-18 17:55 ..
    -rwxrwx---+ 1 ralfgro ralfgro 0 2007-04-18 17:56 testfile.txt

    > Other thing is to insure that the main group for the user is the same
    > for all users.


    Hm, the users that access this share are member of many groups and the
    main group will not always be the one of this share. But I think this
    will be handled by the default ACL's.

    Ralf

  4. [Samba] Re: file permissions with inherit permission + ACL's

    "Ralf Gross" wrote in message
    news:20070418154511.GA26699@p15145560.pureserver.info...
    > Hi,
    >
    > I have a share (testshare) where different unix groups (testgroup1,
    > testgroup2) should have access to. But I want that new files are only
    > created with 660 permissions.
    >
    > Here are the ACL's of testshare:
    >
    > # file: testshare
    > # owner: ralfgro
    > # group: ve
    > user::rwx
    > group::rwx
    > group:testgroup1:rwx
    > group:testgroup2:rwx
    > mask::rwx
    > other::---
    > default:user::rwx
    > default:group::---
    > default:group:testgroup1:rwx
    > default:group:testgroup2:rwx
    > default:mask::rwx
    > default:other::---
    >
    > I created a new directory and a new file in this share.
    >
    > drwxrws---+ 2 ralfgro ve 6 2007-04-18 17:28 testdir
    > -rwxrwx---+ 1 ralfgro ve 0 2007-04-18 17:28 testfile.txt
    >
    >
    > # file: testdir
    > # owner: ralfgro
    > # group: ve
    > user::rwx
    > group::---
    > group:testgroup1:rwx
    > group:testgroup2:rwx
    > mask::rwx
    > other::---
    > default:user::rwx
    > default:group::---
    > default:group:testgroup1:rwx
    > default:group:testgroup2:rwx
    > default:mask::rwx
    > default:other::---
    >
    > The permissions of this new directory are fine. But new files should be
    > created with 660 permissions, not 770.
    >
    > # file: testfile.txt
    > # owner: ralfgro
    > # group: ve
    > user::rwx
    > group::---
    > group:testgroup1:rwx
    > group:testgroup2:rwx
    > mask::rwx
    > other::---
    >
    >
    >
    > This is the relevant part of smb.conf:
    >
    > [testshare]
    > force create mode = 0660
    > create mask = 0660
    > force directory mode = 2770
    > directory security mask = 2770
    > force directory security mode = 0000
    > directory mask = 2770
    > force security mode = 0000
    > security mask = 0770
    > inherit acls = yes
    > inherit permissions = yes
    > map archive = no
    > map system = no
    > ...
    >
    > Some of the options might be needless now, but I needed them as I
    > used 'force group = ...' instead of 'inherit permissions'.
    >
    >
    > I already played with the default mask ACL, but then I always ended with
    > no
    > executable bit on files _and_ directories which denies access to the new
    > created directories...
    >
    > Any ideas?
    >
    > Ralf


    Ralf,

    What would happen if you removed the default entries from your directory
    ACLs? It looks to me like the default ACLs are being applied from the
    directory to the newly created file. I believe that POSIX ACLs do this by
    design.

    Thanks
    Jay




  5. Re: [Samba] Re: file permissions with inherit permission + ACL's

    Jay Flory wrote:
    > > I have a share (testshare) where different unix groups (testgroup1,
    > > testgroup2) should have access to. But I want that new files are only
    > > created with 660 permissions.
    > >
    > > Here are the ACL's of testshare:
    > >
    > > # file: testshare
    > > # owner: ralfgro
    > > # group: ve
    > > user::rwx
    > > group::rwx
    > > group:testgroup1:rwx
    > > group:testgroup2:rwx
    > > mask::rwx
    > > other::---
    > > default:user::rwx
    > > default:group::---
    > > default:group:testgroup1:rwx
    > > default:group:testgroup2:rwx
    > > default:mask::rwx
    > > default:other::---
    > > [snip]
    > > I already played with the default mask ACL, but then I always ended with
    > > no
    > > executable bit on files _and_ directories which denies access to the new
    > > created directories...

    >
    > What would happen if you removed the default entries from your directory
    > ACLs? It looks to me like the default ACLs are being applied from the
    > directory to the newly created file. I believe that POSIX ACLs do this by
    > design.


    But I need the default directory ACLs to give the 2 groups rights on
    all new created files and directories in this share, or am I wrong
    about this? The only thing I don't want is the executable bit on
    files.

    Ralf

  6. [Samba] Re: Re: file permissions with inherit permission + ACL's


    "Ralf Gross" wrote in message
    news:20070419075232.GC26699@p15145560.pureserver.info...
    > Jay Flory wrote:
    >> > I have a share (testshare) where different unix groups (testgroup1,
    >> > testgroup2) should have access to. But I want that new files are only
    >> > created with 660 permissions.
    >> >
    >> > Here are the ACL's of testshare:
    >> >
    >> > # file: testshare
    >> > # owner: ralfgro
    >> > # group: ve
    >> > user::rwx
    >> > group::rwx
    >> > group:testgroup1:rwx
    >> > group:testgroup2:rwx
    >> > mask::rwx
    >> > other::---
    >> > default:user::rwx
    >> > default:group::---
    >> > default:group:testgroup1:rwx
    >> > default:group:testgroup2:rwx
    >> > default:mask::rwx
    >> > default:other::---
    >> > [snip]
    >> > I already played with the default mask ACL, but then I always ended
    >> > with
    >> > no
    >> > executable bit on files _and_ directories which denies access to the
    >> > new
    >> > created directories...

    >>
    >> What would happen if you removed the default entries from your directory
    >> ACLs? It looks to me like the default ACLs are being applied from the
    >> directory to the newly created file. I believe that POSIX ACLs do this
    >> by
    >> design.

    >
    > But I need the default directory ACLs to give the 2 groups rights on
    > all new created files and directories in this share, or am I wrong
    > about this? The only thing I don't want is the executable bit on
    > files.
    >
    > Ralf


    Ralf,

    I believe that Samba, with the "inherit acls = yes" setting, is designed to
    set the permissions on the new subdirectories. The Definitive Guide to
    Samba 3 puts it this way "When set to Yes, Samba copies a directory's ACLs
    when creating subdirectories within it. The default value of No sets
    directory permissions according to the directory mask, force directory mode,
    and inherit permissions options instead".

    If I am correct then the default ACL entries on your directory is redundant
    for new sub directories and interfering when Samba tries to set permissions
    on the new files (inherit permissions).

    Thanks
    Jay




  7. Re: [Samba] Re: Re: file permissions with inherit permission + ACL's

    Jay Flory wrote:
    >
    > "Ralf Gross" wrote in message
    > news:20070419075232.GC26699@p15145560.pureserver.info...
    > > Jay Flory wrote:
    > >> > I have a share (testshare) where different unix groups (testgroup1,
    > >> > testgroup2) should have access to. But I want that new files are only
    > >> > created with 660 permissions.
    > >> >
    > >> > Here are the ACL's of testshare:
    > >> >
    > >> > # file: testshare
    > >> > # owner: ralfgro
    > >> > # group: ve
    > >> > user::rwx
    > >> > group::rwx
    > >> > group:testgroup1:rwx
    > >> > group:testgroup2:rwx
    > >> > mask::rwx
    > >> > other::---
    > >> > default:user::rwx
    > >> > default:group::---
    > >> > default:group:testgroup1:rwx
    > >> > default:group:testgroup2:rwx
    > >> > default:mask::rwx
    > >> > default:other::---
    > >> > [snip]
    > >> > I already played with the default mask ACL, but then I always ended
    > >> > with
    > >> > no
    > >> > executable bit on files _and_ directories which denies access to the
    > >> > new
    > >> > created directories...
    > >>
    > >> What would happen if you removed the default entries from your directory
    > >> ACLs? It looks to me like the default ACLs are being applied from the
    > >> directory to the newly created file. I believe that POSIX ACLs do this
    > >> by
    > >> design.

    > >
    > > But I need the default directory ACLs to give the 2 groups rights on
    > > all new created files and directories in this share, or am I wrong
    > > about this? The only thing I don't want is the executable bit on
    > > files.
    > >

    > I believe that Samba, with the "inherit acls = yes" setting, is designed to
    > set the permissions on the new subdirectories. The Definitive Guide to
    > Samba 3 puts it this way "When set to Yes, Samba copies a directory's ACLs
    > when creating subdirectories within it. The default value of No sets
    > directory permissions according to the directory mask, force directory mode,
    > and inherit permissions options instead".
    >
    > If I am correct then the default ACL entries on your directory is redundant
    > for new sub directories and interfering when Samba tries to set permissions
    > on the new files (inherit permissions).


    I tried different settings, and it's basically working with either
    'inherit permissions' or 'inherit acls' + correct ACLs. But new files
    are still created with the x-bit. I'm beginning to think that there
    is no way to prevent smb from setting this bit if the groups should
    get access to newly created directories.

    My goal was:

    - different groups with (maybe different) rights on all
    new files/directories
    - file should have only 660 permissions (no x-bit)

    Ralf
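
The thread turns on how a directory's default ACL combines with the mode a new object is created with. The following is an added example, not code from the thread or from Samba: a Python model of the creation rule documented in acl(5), applied to the default ACL posted in the first message (all function names are illustrative).

```python
# Model of the acl(5) rule for objects created in a directory that carries a
# default ACL (the umask is not applied in that case). Illustration only; the
# default entries below are the ones posted in the thread.
PERM = {"r": 4, "w": 2, "x": 1}

def bits(s):                     # "rw-" -> 6
    return sum(PERM[c] for c in s if c in PERM)

def text(n):                     # 6 -> "rw-"
    return "".join(c if n & PERM[c] else "-" for c in "rwx")

def parse(acl_text):
    """Parse getfacl-style 'default:' lines into {(tag, qualifier): bits}."""
    acl = {}
    for line in acl_text.split():
        if line.startswith("default:"):
            tag, qual, perms = line[len("default:"):].split(":")
            acl[(tag, qual)] = bits(perms)
    return acl

def create(default_acl, mode):
    """Access ACL of a new object: the default entries, limited by `mode`.

    Owner and other are ANDed with the matching mode bits, the mask entry is
    ANDed with the *group* bits of mode, named entries are copied unchanged.
    """
    acl = dict(default_acl)
    acl[("user", "")] &= (mode >> 6) & 7
    acl[("other", "")] &= mode & 7
    key = ("mask", "") if ("mask", "") in acl else ("group", "")
    acl[key] &= (mode >> 3) & 7
    return acl

def effective(acl, tag, qual):
    """Owning group and all named entries are capped by the mask."""
    perms = acl[(tag, qual)]
    if (tag, qual) != ("user", "") and tag != "other" and ("mask", "") in acl:
        perms &= acl[("mask", "")]
    return text(perms)

def ls_mode(acl):
    """Mode string as ls prints it: the group column shows the mask."""
    grp = acl.get(("mask", ""), acl[("group", "")])
    return text(acl[("user", "")]) + text(grp) + text(acl[("other", "")])

DEFAULT = parse("""default:user::rwx default:group::--- default:group:testgroup1:rwx
default:group:testgroup2:rwx default:mask::rwx default:other::---""")
```

In this model the same default ACL gives both groups an effective rw- on a file created with mode 0660 and rwx on a directory created with mode 0770; the default entries alone do not add the x bit.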
