jw
2009-Aug-18 05:48 UTC
[Samba] 'inherit owner' doesn't play nice with 'force directory mode'
Hello

I am trying to create a 'dropbox' share, using the sticky bit and
'inherit owner'.

By themselves they work, but when a directory is created in this
share, its permissions are not quite what I need.
Therefore, I try to use 'force directory mode' or 'inherit permissions'.
However, whenever I do that, the owner on the newly-created directory
is no longer correct w/regard to 'inherit owner'.

Is this correct behavior, or a bug?

Here are details:

The directory I'm sharing:

  drwsrwsr-t  2 nobody  sambaguest  512 Aug 17 22:18 myshare

My smb.config (well, the relevant part):

  # ... snip
    guest account = sambaguest
  # ... snip
  [myshare]
    comment = my share
    path = /path/to/myshare
    public = yes
    read only = no
    writable = yes
    browseable = yes
    printable = no
    inherit owner = yes
    #inherit permissions = yes
    #directory mode = 3770
    #force directory mode = 3770

As it is written above, when I create a directory from a windows box
it looks like:

  drwxr-xr-x  2 nobody  sambaguest  512 Aug 17 22:19 New Folder

Correct ownership but I want group write and the sticky bit to be set,
as in the parent directory.
So I uncomment 'inherit permissions', create another directory, and get:

  drwxr-xr-x  2 nobody  sambaguest  512 Aug 17 22:26 New Folder (2)

No change. Anyone know why inherit permissions would have no effect here?
I would expect the sticky bit, sgid, and the group-write of the parent
directory to apply to the new directory.

So I comment 'inherit permissions' back out, and instead try the pair
of lines with 'directory mode' and 'force directory mode'.
Then a newly created dir looks like:

  drwxrwsr-t  2 sambaguest  sambaguest  512 Aug 17 22:32 New Folder (3)

ARG! Perfect permissions, but the user is wrong, which lets people
modify (rename, delete, etc) the directory. Normally, the sticky bit
would prevent this since the owner would be 'nobody'. But now the
owner is 'sambaguest', so users can wreak havoc on these newly created
dirs...

Can anybody explain to me what I'm missing?
I have researched this a bit and tried various things, but nothing has
worked so far...

This is Samba 3.3.6 on FreeBSD 7.2-RELEASE

Thanks,
John
Liutauras Adomaitis
2009-Aug-18 06:50 UTC
[Samba] 'inherit owner' doesn't play nice with 'force directory mode'
On Tue, Aug 18, 2009 at 8:48 AM, jw <jwdevel at gmail.com> wrote:
> Hello
> I am trying to create a 'dropbox' share, using the sticky bit and
> 'inherit owner'.
>
> By themselves they work, but when a directory is created in this
> share, its permissions are not quite what I need.
> Therefore, I try to use 'force directory mode' or 'inherit permissions'.
> However, whenever I do that, the owner on the newly-created directory
> is no longer correct w/regard to 'inherit owner'.
>
> Is this correct behavior, or a bug?
>
> Here are details:
>
> The directory I'm sharing:
>   drwsrwsr-t  2 nobody  sambaguest  512 Aug 17 22:18 myshare
>
> My smb.config (well, the relevant part):
>
> # ... snip
>   guest account = sambaguest
> # ... snip
> [myshare]
>   comment = my share
>   path = /path/to/myshare
>   public = yes
>   read only = no
>   writable = yes
>   browseable = yes
>   printable = no
>   inherit owner = yes
>   #inherit permissions = yes
>   #directory mode = 3770
>   #force directory mode = 3770
>
> As it is written above, when I create a directory from a windows box
> it looks like:
>
>   drwxr-xr-x  2 nobody  sambaguest  512 Aug 17 22:19 New Folder
>
> Correct ownership but I want group write and the sticky bit to be set,
> as in the parent directory.
> So I uncomment 'inherit permissions', create another directory, and get:
>
>   drwxr-xr-x  2 nobody  sambaguest  512 Aug 17 22:26 New Folder (2)
>
> No change. Anyone know why inherit permissions would have no effect here?
> I would expect the sticky bit, sgid, and the group-write of the parent
> directory to apply to the new directory.
>
> So I comment 'inherit permissions' back out, and instead try the pair
> of lines with 'directory mode' and 'force directory mode'.
> Then a newly created dir looks like:
>
>   drwxrwsr-t  2 sambaguest  sambaguest  512 Aug 17 22:32 New Folder (3)
>
> ARG! Perfect permissions, but the user is wrong, which lets people
> modify (rename, delete, etc) the directory. Normally, the sticky bit
> would prevent this since the owner would be 'nobody'. But now the
> owner is 'sambaguest', so users can wreak havoc on these newly created
> dirs...
>
> Can anybody explain to me what I'm missing?
> I have researched this a bit and tried various things, but nothing has
> worked so far...
>
> This is Samba 3.3.6 on FreeBSD 7.2-RELEASE
>
> Thanks,
> John
> --

force user = nobody

maybe this could help you?
Jeremy Allison
2009-Aug-18 22:11 UTC
[Samba] 'inherit owner' doesn't play nice with 'force directory mode'
On Mon, Aug 17, 2009 at 10:48:04PM -0700, jw wrote:
> Hello
> I am trying to create a 'dropbox' share, using the sticky bit and
> 'inherit owner'.
>
> By themselves they work, but when a directory is created in this
> share, its permissions are not quite what I need.
> Therefore, I try to use 'force directory mode' or 'inherit permissions'.
> However, whenever I do that, the owner on the newly-created directory
> is no longer correct w/regard to 'inherit owner'.
>
> Is this correct behavior, or a bug?
>
> Here are details:
>
> The directory I'm sharing:
>   drwsrwsr-t  2 nobody  sambaguest  512 Aug 17 22:18 myshare
>
> My smb.config (well, the relevant part):
>
> # ... snip
>   guest account = sambaguest
> # ... snip
> [myshare]
>   comment = my share
>   path = /path/to/myshare
>   public = yes
>   read only = no
>   writable = yes
>   browseable = yes
>   printable = no
>   inherit owner = yes
>   #inherit permissions = yes
>   #directory mode = 3770
>   #force directory mode = 3770
>
> As it is written above, when I create a directory from a windows box
> it looks like:
>
>   drwxr-xr-x  2 nobody  sambaguest  512 Aug 17 22:19 New Folder
>
> Correct ownership but I want group write and the sticky bit to be set,
> as in the parent directory.

To allow these to apply to the new directory, set:

  directory mask = 0775

The reason you're not getting 775 perms on the new directory is that
the default directory mask is 0755, which masks out the write
permission for the group.

Just setting inherit owner, and directory mask = 0775 should be enough.

Jeremy.
Harry Jede
2009-Aug-20 06:05 UTC
[Samba] 'inherit owner' doesn't play nice with 'force directory mode'
On Tuesday, 18 August 2009, jw wrote:
> Hello
> I am trying to create a 'dropbox' share, using the sticky bit and
> 'inherit owner'.
>
> By themselves they work, but when a directory is created in this
> share, its permissions are not quite what I need.
> Therefore, I try to use 'force directory mode' or 'inherit
> permissions'. However, whenever I do that, the owner on the
> newly-created directory is no longer correct w/regard to 'inherit
> owner'.
>
> Is this correct behavior, or a bug?

You should try posix acls. Read the man pages:

  getfacl
  setfacl
  acl

or search this list archive. Look for "default acl".

...
> Thanks,
> John

--
Regards
Harry Jede
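
To check what any of the settings suggested in this thread actually produce on disk, the following added example (not part of the original messages) walks a share and reports directories whose owner differs from the share root's or that lack the setgid, sticky or group-write bits the original poster wants. The function names and the constructed demo tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Mode bits the original poster wants on every directory in the dropbox.
WANTED = {"setgid": stat.S_ISGID, "sticky": stat.S_ISVTX,
          "group-write": stat.S_IWGRP}

def audit_dropbox(share, expected_uid=None):
    """Return (path, ls-style mode, problems) for each directory at or below
    `share` whose owner or mode deviates from the intended dropbox layout."""
    if expected_uid is None:
        # With 'inherit owner = yes' new entries should get the parent's
        # owner, so the share root's owner is the reference.
        expected_uid = os.lstat(share).st_uid
    findings = []
    for dirpath, _dirs, _files in os.walk(share):
        st = os.lstat(dirpath)
        problems = []
        if st.st_uid != expected_uid:
            # The sticky bit does not stop an entry's own owner from renaming
            # or deleting it, so a guest-owned directory is unprotected.
            problems.append("owner uid %d, expected %d"
                            % (st.st_uid, expected_uid))
        missing = [name for name, bit in WANTED.items()
                   if not st.st_mode & bit]
        if missing:
            problems.append("missing " + ", ".join(missing))
        if problems:
            findings.append((dirpath, stat.filemode(st.st_mode), problems))
    return findings

def demo():
    """Build a constructed tree with two of the modes seen in the thread."""
    share = tempfile.mkdtemp(prefix="myshare-")
    os.chmod(share, 0o3775)  # constructed; the thread's share also has setuid
    for name, mode in (("New Folder", 0o755), ("New Folder (3)", 0o3775)):
        path = os.path.join(share, name)
        os.mkdir(path)
        os.chmod(path, mode)  # chmod after mkdir so the umask cannot interfere
    return share, audit_dropbox(share)

if __name__ == "__main__":
    for path, mode, problems in demo()[1]:
        print(mode, path, "; ".join(problems))
```

Calling `audit_dropbox('/path/to/myshare')` on the server after creating a test folder from a client shows whether a given combination of settings yields both the inherited owner and the wanted mode bits.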