christian russell
2018-Dec-20 03:32 UTC
[Samba] Samba-created files with POSIX ACLs gaining execute bit
Hi all, The part that I don’t understand is why the behavior is different when there are ACLs involved. Take the below example: # This share is chmod 777, [share1] path = /srv/share1 # mode is 0777, no ACLs readonly = no create mask = 0660 [share2] path = /srv/share2 # mode is 0770, ACLs readonly = no inherit acts = yes create mask = 0660 share1 acts exactly as expected — I get a 0660 permissions. [root at samba share1]# pwd && ls -l /srv/share1 total 0 -rw-rw---- 1 christian root 0 Dec 19 19:17 file share2, gets 0770 permissions only because there are ACLs applied on the file. [root at samba share2]# pwd && ls -l /srv/share2 total 0 -rwxrwx---+ 1 christian root 0 Dec 19 19:17 file I don’t understand how the execute bit is necessary to map functionality when ACLs are present and not when using traditional Unix permissions — if anything the reverse makes more sense. This bug report appears to identify exactly where in the code the phenomenon arises from: https://bugzilla.samba.org/show_bug.cgi?id=12716 <https://bugzilla.samba.org/show_bug.cgi?id=12716> If this is in fact expected behavior it would be good to document as there seems to be a decent amount of confusing resulting. Christian> On Dec 18, 2018, at 12:28 AM, L.P.H. van Belle via samba <samba at lists.samba.org> wrote: > > These are the latests.. And the Why, Andrew already explain. > Due to the mappings with windows acls. > > If the exec bit is missing, no windows programm will be allowed to start of a share. > If i download an msi file to install and put it on a share, its not allowed to execute it. > Which is exact what i want in my case. > > You might want to read > https://www.snia.org/sites/default/files/SDC/2016/presentations/smb/Jeremy_Allison_SMB3_and_Linux_A_Seamless_File_Sharing_Protocol.pdf > https://sambaxp.org/archive_data/media/05-Andreas-Gruenbacher_-_Linux_Samba_and_ACLs.pdf > > These might help you a bit in understanding that what you want is not always possible.. > > Greetz, > > Louis > > > >> -----Oorspronkelijk bericht----- >> Van: christian russell [mailto:christian.baltini at gmail.com] >> Verzonden: dinsdag 18 december 2018 9:02 >> Aan: L.P.H. van Belle >> CC: samba at lists.samba.org >> Onderwerp: Re: [Samba] Samba-created files with POSIX ACLs >> gaining execute bit >> >> Hi Louis, >> >> Those were the docs I initially followed. I don’t see any >> mention in them as to why one would expect unusual (in Unix >> terms) execute permission values. >> >> If anybody could point me towards documentation of the >> expected permission behavior (esp. with POSIX ACLs) of modern >> Samba I would greatly appreciate it. >> >> Christian >> >>> On Dec 17, 2018, at 11:47 PM, L.P.H. van Belle via samba >> <samba at lists.samba.org> wrote: >>> >>> >>> Hai, >>> >>> The docs shown are a bit old, yes, i suggest start reading these. >>> >> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Wind >> ows_ACLs >>> >>> >> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs >>> >>> Look at the smb.conf man and search for acl ( or exec ) >>> >>> >>> Greetz, >>> >>> Louis >>> >>> >>>> -----Oorspronkelijk bericht----- >>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens >>>> christian russell via samba >>>> Verzonden: dinsdag 18 december 2018 4:59 >>>> Aan: Andrew Bartlett >>>> CC: samba at lists.samba.org >>>> Onderwerp: Re: [Samba] Samba-created files with POSIX ACLs >>>> gaining execute bit >>>> >>>> I figured something as much but all the docs I found pointed >>>> to the archive, hidden, and readonly attributes touching the >>>> execute bits (see here, for example: >>>> https://www.samba.org/samba/docs/using_samba/ch08.html#samba2- >>>> CHP-8-FIG-2 >>>> <https://www.samba.org/samba/docs/using_samba/ch08.html#samba2 >>>> -CHP-8-FIG-2>). That’s why I disabled those mappings in my >>>> smb.conf. Granted the docs I found were older — is this >>>> handled differently nowadays? >>>> >>>> In any event is there some way to prevent this behavior so I >>>> get sane permissions within the *nix environment? >>>> >>>> Thanks very much for your response. >>>> >>>> Christian >>>> >>>>> On Dec 17, 2018, at 7:02 PM, Andrew Bartlett >>>> <abartlet at samba.org> wrote: >>>>> >>>>> On Mon, 2018-12-17 at 18:56 -0800, christian russell via >>>> samba wrote: >>>>>> Hi all, >>>>>> >>>>>> I have a Samba share set up using POSIX ACLs as the >>>> permissions backend. I am seeing an issue where files >>>> created via the Samba get execute permissions whereas files >>>> created via shell do not. >>>>> >>>>> Samba maps the windows execute permission to the posix >> one, which is >>>>> why this happens. >>>>> >>>>> Andrew Bartlett >>>>> >>>>> -- >>>>> Andrew Bartlett >>>>> https://samba.org/~abartlet/ >>>>> Authentication Developer, Samba Team https://samba.org >>>>> Samba Development and Support, Catalyst IT >>>>> https://catalyst.net.nz/services/samba >>>>> >>>>> >>>>> >>>>> >>>> >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba >>>> >>> >>> >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >> >> > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Marco Gaiarin
2018-Dec-20 08:29 UTC
[Samba] Samba-created files with POSIX ACLs gaining execute bit
Mandi! christian russell via samba In chel di` si favelave...> The part that I don’t understand is why the behavior is different when there are ACLs involved.I'm a bit puzzled by the examples, but if you speak about POSIX ACLs, here the group permission are also a mask for all group permission ACLs. See 'mask' in the output of 'getfacl'. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
christian russell
2018-Dec-20 08:38 UTC
[Samba] Samba-created files with POSIX ACLs gaining execute bit
Hello Marco, I am speaking about POSIX ACLs, yes. When I create a file via shell I get a 660 file. When I create a file via Samba I get a 770 file. I don’t understand why they would be different. Without ACLs shell / Samba created files get consistent permissions. Christian> On Dec 20, 2018, at 12:29 AM, Marco Gaiarin via samba <samba at lists.samba.org> wrote: > > Mandi! christian russell via samba > In chel di` si favelave... > >> The part that I don’t understand is why the behavior is different when there are ACLs involved. > > I'm a bit puzzled by the examples, but if you speak about POSIX ACLs, > here the group permission are also a mask for all group permission > ACLs. > > See 'mask' in the output of 'getfacl'. > > -- > dott. Marco Gaiarin GNUPG Key ID: 240A3D66 > Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ > Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN) > marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 > > Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! > http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 > (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA) > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Apparently Analagous Threads
- Samba-created files with POSIX ACLs gaining execute bit
- Samba-created files with POSIX ACLs gaining execute bit
- accessing foreign AD users to NT domain
- Samba-created files with POSIX ACLs gaining execute bit
- Segmentation Fault when trying to set root samba password, IPA as a backend