Hi.
I'm using Samba on FreeBSD to host various file servers. Recently I've
noticed one weird thing: Samba needs the w flag on a file to be able to
delete it, plus, when 'force user' is used, Samba needs additional flags
for the group owning the file. Not sure if it was there all the time and
it's just me, or maybe this is intended behaviour (I hope not), so
anyway, I'll describe it. I'm using ZFS and NFSv4 ACLs on all of my
servers, along with the libsunacl library and the zfsacl VFS object. It's
reproducible on all recent 4.1.x, 4.2.x and 4.3.x versions.
Suppose I have a share:
[test]
comment = Test Directory
path = /var/www/test
guest ok = no
browseable = yes
writable = yes
printable = no
create mask = 664
directory mask = 775
map hidden = no
map archive = no
map system = no
vfs objects = recycle zfsacl
nfs4:acedup = merge
nfs4:chown = yes
nfs4:mode = special
zfsacl:acesort = dontcare
Permissions for a /var/www/test:
# getfacl /var/www/test
# file: /var/www/test
# owner: root
# group: wheel
group:domain users:rwxpDdaARWcCos:fd----:allow
owner@:rwxpDdaARWcCos:fd----:allow
group@:r-x---a-R-c--s:------:allow
everyone@:r-x---a-R-c--s:------:allow
Suppose I put a file on this share and mount it via SMB on the same server
at /mnt/smb2 (using user tatjana), so I should be able to access the file
locally and via SMB. Let's put a 444 file php.ini into it.
So:
# getfacl /var/www/test/php.ini
# file: /var/www/test/php.ini
# owner: tatjana
# group: wheel
owner@:r-----aARWcCos:------:allow
group@:r-----a-R-c--s:------:allow
everyone@:r-----a-R-c--s:------:allow
php.ini doesn't have w set, but the parent directory has both d and D;
having only D should be sufficient to delete files. But Samba cannot,
until the w flag is set:
# rm /mnt/smb2/php.ini
rm: /mnt/smb2/php.ini: Permission denied
Okay, let's put d and D on the file:
# setfacl -m user:tatjana:rdDaARWcCos::allow /var/www/test/php.ini
# getfacl /var/www/test/php.ini
# file: /var/www/test/php.ini
# owner: tatjana
# group: wheel
user:tatjana:r---DdaARWcCos:------:allow
owner@:r-----aARWcCos:------:allow
group@:r-----a-R-c--s:------:allow
everyone@:r-----a-R-c--s:------:allow
# rm /mnt/smb2/php.ini
rm: /mnt/smb2/php.ini: Permission denied
Let's put w on the file (this can be done via SMB as well):
# chmod 644 /var/www/test/php.ini
# getfacl /var/www/test/php.ini
# file: /var/www/test/php.ini
# owner: tatjana
# group: wheel
owner@:rw-p--aARWcCos:------:allow
group@:r-----a-R-c--s:------:allow
everyone@:r-----a-R-c--s:------:allow
# rm /var/www/test/php.ini
# (success)
At the same time this user, tatjana, is able to delete the file locally:
# su - tatjana
[tatjana@gw0:~]> getfacl /var/www/test/php.ini
# file: /var/www/test/php.ini
# owner: tatjana
# group: wheel
owner@:r-----aARWcCos:------:allow
group@:r-----a-R-c--s:------:allow
everyone@:r-----a-R-c--s:------:allow
[tatjana@gw0:~]> rm /var/www/test/php.ini
[tatjana@gw0:~]>
So, do I misunderstand something?
Now, about 'force user':
Suppose I have a share:
[www]
comment = web directory
path = /var/www
guest ok = no
browseable = yes
writable = yes
printable = no
create mask = 664
directory mask = 775
force user = root
map hidden = no
map archive = no
map system = no
wide links = yes
vfs objects = recycle zfsacl
nfs4:acedup = merge
nfs4:chown = yes
nfs4:mode = special
zfsacl:acesort = dontcare
Suppose it's mounted on /mnt/smb under the same user. Notice that 'force
user' is set, and it's root.
Now let's put a file in a 755 directory owned by root:
# getfacl /var/www/asterisk
# file: /var/www/asterisk
# owner: root
# group: wheel
owner@:rwxp--aARWcCos:------:allow
group@:r-x---a-R-c--s:------:allow
everyone@:r-x---a-R-c--s:------:allow
# ls -ld /mnt/smb/asterisk
drwxr-xr-x 1 root wheel 16384 5 Feb 2014 /mnt/smb/asterisk
(same directory)
[root@gw0:/mnt/smb]# touch /mnt/smb/asterisk/1
touch: /mnt/smb/asterisk/1: Permission denied
Of course root is able to create files in it locally:
# touch /var/www/asterisk/1
# rm /var/www/asterisk/1
This is because for some reason group+w is needed:
# chmod 775 /var/www/asterisk
# touch /mnt/smb/asterisk/1
# rm /mnt/smb/asterisk/1
Again, do I misunderstand something?
Thanks.
Eugene.
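Editor's note, added to this archived message and not part of Eugene's post or of Samba's or FreeBSD's code: the first question turns on the difference between the kernel's delete check and smbd's own check, and the getfacl listings quoted above are enough to walk through it. The script below parses FreeBSD getfacl(1) output and reproduces, for the ZFS side, the decision order of the kernel's zfs_zaccess_delete(): DELETE_CHILD (D) on the directory, then DELETE (d) on the target, then the POSIX-style fallback of write+execute on the directory; the file's own mode bits never enter that decision, which is consistent with the local rm succeeding. For the Samba side it models only one rule: smbd refuses to delete a file carrying the DOS read-only attribute (NT_STATUS_CANNOT_DELETE) unless the share sets 'delete readonly = yes', and with mode-bit mapping that attribute is exactly "owner w bit clear". That tatjana is a member of "domain users", that the share maps the read-only attribute from mode bits, and the contrasting "outsider" identity are assumptions made for the illustration; the root privilege bypass and the sticky bit are not modelled.

```python
# Added example, not code from the original post: a model of the delete
# decision ZFS on FreeBSD makes for NFSv4 ACLs, fed with the getfacl listings
# quoted in the mail. Group membership of tatjana below is an assumption.
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class Ace:
    who: str         # owner@, group@, everyone@, user:NAME or group:NAME
    perms: Set[str]  # letters of the 14-character rwxpDdaARWcCos field
    flags: str       # inheritance field, e.g. "fd----"; "i" = inherit-only
    kind: str        # "allow" or "deny"


@dataclass
class AclFile:
    path: str
    owner: str
    group: str
    aces: List[Ace]


@dataclass
class Identity:
    name: str
    groups: Set[str]  # every group the user belongs to, primary included


def parse_getfacl(text: str) -> AclFile:
    """Parse the output of FreeBSD getfacl(1) for a single NFSv4 ACL."""
    header, aces = {}, []
    for line in (l.strip() for l in text.strip().splitlines()):
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        # rsplit keeps "group:domain users" (a name with a space) intact
        who, perms, flags, kind = line.rsplit(":", 3)
        aces.append(Ace(who, set(perms) - {"-"}, flags, kind))
    return AclFile(header["file"], header["owner"], header["group"], aces)


def _applies(ace: Ace, f: AclFile, who: Identity) -> bool:
    if ace.who == "owner@":
        return who.name == f.owner
    if ace.who == "group@":
        return f.group in who.groups
    if ace.who == "everyone@":
        return True
    kind, _, name = ace.who.partition(":")
    if kind == "user":
        return name == who.name
    if kind == "group":
        return name in who.groups
    raise ValueError(f"unknown ACE subject {ace.who!r}")


def evaluate(f: AclFile, wanted: Set[str], who: Identity) -> str:
    """Walk the ACEs in order the way zfs_zaccess_aces_check() does:
    "allow" once every wanted bit was granted, "deny" when a deny ACE hits a
    bit still outstanding, "missing" when the list ends with bits ungranted.
    The root privilege bypass is deliberately not modelled."""
    working = set(wanted)
    for ace in f.aces:
        if "i" in ace.flags or not _applies(ace, f, who):
            continue
        if ace.kind == "deny":
            if working & ace.perms:
                return "deny"
        else:
            working -= ace.perms
        if not working:
            return "allow"
    return "allow" if not working else "missing"


def zfs_can_delete(parent: AclFile, target: AclFile, who: Identity) -> Tuple[bool, str]:
    """Decision order of zfs_zaccess_delete(): DELETE_CHILD on the directory,
    DELETE on the target, then the fallback of write+execute on the
    directory. The target's own mode bits never enter the decision."""
    on_dir = evaluate(parent, {"D"}, who)
    if on_dir == "allow":
        return True, "DELETE_CHILD (D) on parent directory"
    on_file = evaluate(target, {"d"}, who)
    if on_file == "allow":
        return True, "DELETE (d) on the file"
    if "deny" in (on_dir, on_file):
        return False, "delete explicitly denied by an ACE"
    if evaluate(parent, {"w", "x"}, who) == "allow":
        return True, "write+execute on parent directory (fallback)"
    return False, "neither DELETE_CHILD, DELETE nor write+execute on parent"


def samba_refuses_readonly(mode: int, delete_readonly: bool = False) -> bool:
    """smbd's own check, made before the kernel is asked: a file carrying the
    DOS read-only attribute cannot be deleted unless the share sets
    'delete readonly = yes'. With mode-bit mapping (assumed for the share in
    the mail) the attribute is set when the owner's w bit is clear."""
    return not (mode & 0o200) and not delete_readonly


# Listings copied from the mail; the identities used below are constructed.
TEST_DIR = """\
# file: /var/www/test
# owner: root
# group: wheel
group:domain users:rwxpDdaARWcCos:fd----:allow
owner@:rwxpDdaARWcCos:fd----:allow
group@:r-x---a-R-c--s:------:allow
everyone@:r-x---a-R-c--s:------:allow
"""
PHP_INI_444 = """\
# file: /var/www/test/php.ini
# owner: tatjana
# group: wheel
owner@:r-----aARWcCos:------:allow
group@:r-----a-R-c--s:------:allow
everyone@:r-----a-R-c--s:------:allow
"""
# The listing after the setfacl in the mail: user:tatjana ACE with d and D.
PHP_INI_WITH_D = PHP_INI_444.replace(
    "owner@:", "user:tatjana:r---DdaARWcCos:------:allow\nowner@:", 1)

if __name__ == "__main__":
    parent = parse_getfacl(TEST_DIR)
    member = Identity("tatjana", {"domain users"})  # assumed membership
    outsider = Identity("tatjana", {"users"})       # constructed contrast
    for label, acl, ident in [("444 file, in domain users", PHP_INI_444, member),
                              ("444 file, not in domain users", PHP_INI_444, outsider),
                              ("d on file, not in domain users", PHP_INI_WITH_D, outsider)]:
        print(label, "->", zfs_can_delete(parent, parse_getfacl(acl), ident))
    print("smbd refuses 0444 with 'delete readonly = no':", samba_refuses_readonly(0o444))
```

Run stand-alone, the three ZFS cases show that the D bit on /var/www/test (through the "domain users" ACE) already suffices for the local rm, that a d ACE on the file suffices even when the user gets nothing from the directory, and that none of these paths looks at the w bit. The separate Samba rule is the one that does look at it: with 'delete readonly' left at its default of no, a 0444 file is reported as read-only and smbd returns CANNOT_DELETE before the ACL ever matters, which is one reading of why chmod 644 unblocked the deletion over SMB. Whether that is what happens on Eugene's server is an assumption to verify, for instance by setting 'delete readonly = yes' on the [test] share and repeating the 0444 rm.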