Andrew Wilson wrote:
| For us the Solaris ACL is being honoured by Samba but can result in
less
| permissions granted on destination files and directories than the
ACL
| stipulates, eg.
| ACL on a parent directory "test" is as follows:-
| mask:rwx
| However a file or a sub-directory created beneath "test" will be
granted
| less permissions for user tuser than desired, eg.
| # file: New Microsoft Word Document.doc
| mask:r--
| directories are the same, eg:
| mask:r-x
| I have found that this is an interaction with the
| "create mask" and "directory mask" samba parameters. For
the
| previous examples my create mask was 0744 and directory mask
| was 0755. If I change the create mask to 0774 and
| directory mask to 0775, I find that the acl is honoured correctly
| and produces files and directories with the correct permissions.
Thnak you, kind sir! I finally see what is happening.
The permission bits one sets when creating or
modifying a file or directory are ***also**
applied to the acl, so that if I say
"chmod g-w", all group ACLs get "w" removed.
To make it easy to revert, the implementation
uses a mask, which is set by the open, creat
or chmod call.
To make a long story short, you look at the "mask"
entry in the acl to see what the permission bits
for the grousp are. If you don't set enough group
bits in create mask and directory mask, the group
premissions in the ACLs are reduced.
Sounds like something for a FAQ...
Do I ever feel dumb!
--dave
[See also setfcal(1):
If you use the chmod(1) command to change the file group
owner permissions on a file with ACL entries, both the file
group owner permissions and the ACL mask are changed to the
new permissions. Be aware that the new ACL mask permissions
may change the effective permissions for additional users
and groups who have ACL entries on the file.
]
--
David Collier-Brown, | Always do right. This will gratify some people
185 Ellerslie Ave., | and astonish the rest. -- Mark Twain
Willowdale, Ontario | //www.oreilly.com/catalog/samba/author.html
Work: (905) 415-2849 Home: (416) 223-8968 Email: davecb@canada.sun.com
