David:
The following is written for those who have little or no knowledge of
Linux's file and directory permission settings and need to understand some
of the mask related parameters in Samba's smb.conf file. It may or may not
be suited for your knowledge level. I hope it at least helps a little.
---------------------------------------------------
==== File and Directory Permission Mask Values ====
---------------------------------------------------
Q> What does "create mask = 777" in smb.conf indicate?
A> I will explain what the numbers indicate first, they serve the same
function in all of the file related mask and mode parameters. The numbers are
"bit masks" for the file or directory access privileges.
For now in this text, when I refer to a "file" I mean a file or
directory, they are treated the same here.
-=- How Linux File Permissions are Handled -=-
----------------------------------------------
Each file stored in a standard Linux volume has 3 sets of privilege settings,
one set for the file's owner, one set for the file's group members and
one set for everyone else (other). For each of these three classes of users
there are 3 options, read, write, and execute.
Looking at a Samba mask parameter value as a 3 digit number, which is all we
need to deal with in this discussion, each digit represents one of the 3 classes
of users. (Note: a value of 0740 is the same as 740; any leading zeros can be
omitted.) The value of each digit can be between 0 and 7 so we call these octal
digits.
The 3 classes of users represented by these 3 digits are, owner, group, and
other.
- The owner is the Linux user who currently owns the file.
- The group is the Linux group to which the file belongs. If a user belongs to
the same group as the file, that user inherits those permissions.
- Other is everyone but the owner and group members.
For example, let's look at a mask of 740. It can be broken down as the
following:
- The first digit (7) indicates the file's owner's options.
- The second digit (4) indicates the file's group member's options.
- The third digit (0) indicates the file's options for everyone else.
-=- How the Permission Settings are Arranged -=-
------------------------------------------------
As mentioned earlier there are 3 different permission settings, represented by a
single octet. This is where the 'bit mask' comes in. If you are
familiar with binary notation then this will be easy to calculate. The settings
are represented by bit positions of a 3 bit cluster.
              2
              |
      4 <--- ||| ---> 1
             111 <------------ Binary Number 111 (3 digits)
   Read <--- ||| ---> Execute
              |
            Write
In this "cheesy" ASCII diagram the binary number 111 is shown in the
middle. Above it shows the decimal value of each digit, and below is what
permission is granted by each of the three digits. A 1 assigns the permission.
Therefore, in binary notation Read access has a decimal value of 4 (100), Write
has a decimal value of 2 (010), and Execute has a value of 1 (001).
Now to derive a single digit in our permissions mask we convert the binary value
to a single digit decimal value. Therefore, full permission (read, write and
execute) has a decimal value of 7. Some other examples:
Permission      Binary   Decimal
------------    ------   -------
Read/Write      110      6
Read Only       100      4
Read/Execute    101      5
Now that we know that, we can use these digits to assign permissions for the
file's owner, group, and others as explained above.
For our example above, permissions mode 740 would represent the file's owner
having Read/Write/Execute permission, the group members have Read only
permission, and everyone else has no access permissions at all to the file.
-=- Viewing a File's or Directory's Permission Modes -=-
--------------------------------------------------------
These rights are seen when you get a directory listing with the 'ls -l'
shell command. You will see the rights listed in the 1st column, in a letter
notation. For example, a file will appear as:
-rw-r--r-- 1 root staff 8346 Mar 10 17:43 smb.conf
Ignoring the 1st character '-' for a moment,
- characters 2-4 represent the file owner's permission, "rw-" (read/write)
- characters 5-7 represent the file group members permissions, "r--" (read)
- characters 8-10 represent everyone else's permissions, "r--" (read)
The last of the 3 symbols, which is always '-' in this example, will be
'x' if the execute right is assigned.
Each of the three characters in a user class grouping corresponds to a bit
position as shown earlier. Instead of it showing a 1 or 0 it uses characters to
make it more readable. 'r' for Read, 'w' for Write, 'x'
for eXecute, and '-' for not set.
That 1st character in the 10 character permissions indicator is used by
Unix/Linux to specify additional attributes to the file, such as 'd' if
it is a directory or 'l' if it is a link. The usage is seldom assigned
by the average user and beyond the scope of this text.
-=- Samba smb.conf mask parameter examples -=-
----------------------------------------------
Now with that long explanation out of the way we can apply that knowledge to the
create mask and directory mode parameters.
-=- create mask -=-
-------------------
Note: This is a synonym for create mode.
This setting tells samba what permissions to mask against the DOS/Windows
assigned permissions for a new file when it is created from a Windows/DOS
client. This means that if a permission isn't indicated in this create mask
parameter, then it won't be assigned to the file when created. This applies
to files only, not directories. There are many factors that may affect this
parameter so for detailed information see the man or info pages for smb.conf.
-=- directory mask -=-
----------------------
Note: This is a synonym for directory mode.
This is really the same concept as create mask but it applies to directories not
files. Just remember that if you want any of the 3 groups (owner, group, other)
to be able to at least access a directory, set the read AND execute permissions.
There are many factors that may affect this parameter so for detailed
information see the man or info pages for smb.conf.
That should be enough information to get the newcomer on their way to using
directory and file masks. For more information see the man or info pages for
ls, chmod, and smb.conf.
For errors or blatant omissions email scott@sjm.net
Scott Millhisler
SJM Computer Consulting - Perry, Michigan
---------- Original Message ----------------------------------
From: "David Jackson" <DJackson@floridaforms.com>
Reply-To: DJackson@floridaforms.com
Date: Mon, 10 Mar 2003 21:06:20 -0500
>What do the following lines mean in the smb.conf file:
>create mask = 0777
>directory mode = 0775
>I would like to know where I can learn more about what those numbers
>signify.
>Also where can I find archives for this list so I don't keep bringing up old
>topics?
>
>Thanks
> ........
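
An added example, not part of the original message or of Samba itself: a small Python audit that decodes the mask values discussed above into 'ls -l' letters and flags two things a share administrator would want to review, write access for "other" and a directory mask that grants read without execute. The names to_rwx, masked and audit and the sample smb.conf text are constructed for illustration; only explicitly set mask lines are examined, and the other factors that affect the final mode are ignored.

```python
# Synonyms named in the post: "create mode" and "directory mode".
SYNONYMS = {"create mode": "create mask", "directory mode": "directory mask"}
CLASSES = (("owner", 6), ("group", 3), ("other", 0))  # bit shift of each octal digit

def to_rwx(mode):
    """Render an octal mode as the 9 permission letters shown by 'ls -l'."""
    bits = format(mode & 0o777, "09b")
    return "".join(c if b == "1" else "-" for c, b in zip("rwxrwxrwx", bits))

def masked(requested, mask):
    """A permission bit survives only if it is set in both the request and the mask."""
    return requested & mask

def audit(conf_text):
    """Return (share, parameter, rwx, warnings) for every mask line in conf_text."""
    findings, share = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            share = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        key = " ".join(key.lower().split())
        key = SYNONYMS.get(key, key)
        if not sep or key not in ("create mask", "directory mask"):
            continue  # blank lines, comments and unrelated parameters
        mode = int(value.strip(), 8) & 0o777  # leading zeros are optional
        warnings = ["other may write"] if mode & 0o002 else []
        if key == "directory mask":
            for name, shift in CLASSES:
                digit = (mode >> shift) & 7
                if digit & 4 and not digit & 1:
                    warnings.append(name + " has read without execute")
        findings.append((share, key, to_rwx(mode), warnings))
    return findings

# Constructed sample; the [data] values are the two asked about in the thread.
SAMPLE = """
[data]
   create mask = 0777
   directory mode = 0775
[private]
   create mask = 740
   directory mask = 0740
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
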