Hi,

I have a share (testshare) where different unix groups (testgroup1, testgroup2) should have access to. But I want that new files are only created with 660 permissions.

Here are the ACL's of testshare:

# file: testshare
# owner: ralfgro
# group: ve
user::rwx
group::rwx
group:testgroup1:rwx
group:testgroup2:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:testgroup1:rwx
default:group:testgroup2:rwx
default:mask::rwx
default:other::---

I created a new directory and a new file in this share.

drwxrws---+ 2 ralfgro ve 6 2007-04-18 17:28 testdir
-rwxrwx---+ 1 ralfgro ve 0 2007-04-18 17:28 testfile.txt

# file: testdir
# owner: ralfgro
# group: ve
user::rwx
group::---
group:testgroup1:rwx
group:testgroup2:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:testgroup1:rwx
default:group:testgroup2:rwx
default:mask::rwx
default:other::---

The permissions of this new directory are fine. But new files should be created with 660 permissions, not 770.

# file: testfile.txt
# owner: ralfgro
# group: ve
user::rwx
group::---
group:testgroup1:rwx
group:testgroup2:rwx
mask::rwx
other::---

This is the relevant part of smb.conf:

[testshare]
force create mode = 0660
create mask = 0660
force directory mode = 2770
directory security mask = 2770
force directory security mode = 0000
directory mask = 2770
force security mode = 0000
security mask = 0770
inherit acls = yes
inherit permissions = yes
map archive = no
map system = no
...

Some of the options might be needless now, but I needed them as I used 'force group = ...' instead of 'inherit permissions'.

I already played with the default mask ACL, but then I always ended with no executable bit on files _and_ directories which denies access to the new created directories...

Any ideas?

Ralf
Carlos Rivera-Jones wrote:
> "drwxrws---+ 2 ralfgro ve 6 2007-04-18 17:28 testdir"
>
> 2770 [drwxrws--] permissions will force inherit at the file level
> system, ignoring Samba. Set the directory to 0770 permissions, and new
> items would be created with 660 as per smb.conf

I removed the gid bit, but this doesn't change the permissions of new files. They are still 770.

ls -la testshare
insgesamt 8
drwxrwx---+ 2 ralfgro ve 25 2007-04-18 17:57 .
drwxr-xr-x 5 root root 63 2007-04-18 17:55 ..
-rwxrwx---+ 1 ralfgro ralfgro 0 2007-04-18 17:56 testfile.txt

> Other thing is to insure that the main group for the user is the same
> for all users.

Hm, the users that access this share are member of many groups and the main group will not always be the one of this share. But I think this will be handled by the default ACL's.

Ralf
Carlos Rivera-Jones
2007-Apr-18 16:04 UTC
[Samba] file permissions with inherit permission + ACL's
"drwxrws---+ 2 ralfgro ve 6 2007-04-18 17:28 testdir"

2770 [drwxrws--] permissions will force inherit at the file level system, ignoring Samba. Set the directory to 0770 permissions, and new items would be created with 660 as per smb.conf

Other thing is to insure that the main group for the user is the same for all users.

Carlos

-----Original Message-----
From: Ralf Gross
Sent: Wednesday, April 18, 2007 11:45 AM

default:other::---

I created a new directory and a new file in this share.

drwxrws---+ 2 ralfgro ve 6 2007-04-18 17:28 testdir
-rwxrwx---+ 1 ralfgro ve 0 2007-04-18 17:28 testfile.txt

# file: testdir
# owner: ralfgro
# group: ve
user::rwx
group::---
group:testgroup1:rwx
group:testgroup2:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:testgroup1:rwx
default:group:testgroup2:rwx
default:mask::rwx
default:other::---

The permissions of this new directory are fine. But new files should be created with 660 permissions, not 770.

# file: testfile.txt
# owner: ralfgro
# group: ve
user::rwx
group::---
group:testgroup1:rwx
group:testgroup2:rwx
mask::rwx
other::---

This is the relevant part of smb.conf:

[testshare]
force create mode = 0660
create mask = 0660
force directory mode = 2770
directory security mask = 2770
force directory security mode = 0000
directory mask = 2770
force security mode = 0000
security mask = 0770
inherit acls = yes
inherit permissions = yes
map archive = no
map system = no
...

Some of the options might be needless now, but I needed them as I used 'force group = ...' instead of 'inherit permissions'.

I already played with the default mask ACL, but then I always ended with no executable bit on files _and_ directories which denies access to the new created directories...

Any ideas?

Ralf
Jay Flory
2007-Apr-18 19:34 UTC
[Samba] Re: file permissions with inherit permission + ACL's
"Ralf Gross" <Ralf-Lists@ralfgross.de> wrote in message news:20070418154511.GA26699@p15145560.pureserver.info...
> Hi,
>
> I have a share (testshare) where different unix groups (testgroup1,
> testgroup2) should have access to. But I want that new files are only
> created with 660 permissions.
>
> Here are the ACL's of testshare:
>
> # file: testshare
> # owner: ralfgro
> # group: ve
> user::rwx
> group::rwx
> group:testgroup1:rwx
> group:testgroup2:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:group:testgroup1:rwx
> default:group:testgroup2:rwx
> default:mask::rwx
> default:other::---
>
> I created a new directory and a new file in this share.
>
> drwxrws---+ 2 ralfgro ve 6 2007-04-18 17:28 testdir
> -rwxrwx---+ 1 ralfgro ve 0 2007-04-18 17:28 testfile.txt
>
> # file: testdir
> # owner: ralfgro
> # group: ve
> user::rwx
> group::---
> group:testgroup1:rwx
> group:testgroup2:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:group:testgroup1:rwx
> default:group:testgroup2:rwx
> default:mask::rwx
> default:other::---
>
> The permissions of this new directory are fine. But new files should be
> created with 660 permissions, not 770.
>
> # file: testfile.txt
> # owner: ralfgro
> # group: ve
> user::rwx
> group::---
> group:testgroup1:rwx
> group:testgroup2:rwx
> mask::rwx
> other::---
>
> This is the relevant part of smb.conf:
>
> [testshare]
> force create mode = 0660
> create mask = 0660
> force directory mode = 2770
> directory security mask = 2770
> force directory security mode = 0000
> directory mask = 2770
> force security mode = 0000
> security mask = 0770
> inherit acls = yes
> inherit permissions = yes
> map archive = no
> map system = no
> ...
>
> Some of the options might be needless now, but I needed them as I
> used 'force group = ...' instead of 'inherit permissions'.
>
> I already played with the default mask ACL, but then I always ended with
> no executable bit on files _and_ directories which denies access to the
> new created directories...
>
> Any ideas?
>
> Ralf

Ralf,

What would happen if you removed the default entries from your directory ACLs? It looks to me like the default ACLs are being applied from the directory to the newly created file. I believe that POSIX ACLs do this by design.

Thanks
Jay
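
The inheritance behaviour discussed in this thread, as an added example that is not part of the original posts and is not Samba code: it models the acl(5) rule that a new object copies the parent's default ACL and then ANDs the owner, mask and other entries with the mode passed at creation. The creation modes used (0777, 0660, 0770) are assumed values; the thread does not show what mode smbd actually passes.

```python
# Added example: models the acl(5) inheritance rule; this is not Samba code.
RWX = (("r", 4), ("w", 2), ("x", 1))

# default: entries of testshare, copied from the getfacl output in the thread
DEFAULT_ACL = {
    "user::": "rwx", "group::": "---",
    "group:testgroup1": "rwx", "group:testgroup2": "rwx",
    "mask::": "rwx", "other::": "---",
}

def bits(perm):
    return sum(v for ch, (_, v) in zip(perm, RWX) if ch != "-")

def perm(value):
    return "".join(c if value & v else "-" for c, v in RWX)

def inherit(default_acl, mode):
    """Access ACL of an object created with `mode` in a directory that
    carries `default_acl`: owner, group class (mask) and other are ANDed
    with the mode; named entries are copied unchanged; umask is ignored."""
    acl = dict(default_acl)
    group_class = "mask::" if "mask::" in acl else "group::"
    for key, shift in (("user::", 6), (group_class, 3), ("other::", 0)):
        acl[key] = perm(bits(acl[key]) & (mode >> shift) & 7)
    return acl

def mode_bits(acl):
    """Permission bits as ls shows them; the group column is the mask."""
    group_class = acl.get("mask::", acl["group::"])
    return bits(acl["user::"]) << 6 | bits(group_class) << 3 | bits(acl["other::"])

def effective(acl, key):
    """Rights a group entry really grants once the mask is applied."""
    return perm(bits(acl[key]) & bits(acl.get("mask::", "rwx")))

if __name__ == "__main__":
    # Creation modes are assumed values; the thread does not show what smbd passes.
    cases = [("file, mode 0777", DEFAULT_ACL, 0o777),
             ("file, mode 0660", DEFAULT_ACL, 0o660),
             ("dir, default mask rw-", {**DEFAULT_ACL, "mask::": "rw-"}, 0o770)]
    for label, dacl, mode in cases:
        acl = inherit(dacl, mode)
        print(f"{label}: {mode_bits(acl):04o} "
              f"testgroup1 effective {effective(acl, 'group:testgroup1')}")
```

With mode 0777 the model yields the rwxrwx--- shown for testfile.txt, and narrowing the default mask to rw- removes the execute bit from the named groups on new directories as well, which is the side effect described in the first post.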