I've been working at this for a few days now and I can't figure out what
is broken. Google turns up similar issues from years back, but I hope
this is a bug resurfacing. ACL entries are being deleted when files are
saved. Here is an example:
username: user1
group membership: Domain Users
directory: /share/test
file: test.xls
getfacl /share
# file: share
# owner: DOMAIN+backupuser
# group: DOMAIN+domain\040users
user::rwx
user:DOMAIN+backupuser:rwx
group::rwx
group:DOMAIN+domain\040users:rwx
mask::rwx
other::rwx
getfacl /share/test
# file: share/test
# owner: DOMAIN+backupuser
# group: DOMAIN+domain\040admins
user::rwx
group::rwx
group:DOMAIN+domain\040users:rwx
group:DOMAIN+domain\040admins:rwx
mask::rwx
other::rwx
getfacl /share/test/test.xls
# file: test.xls
# owner: DOMAIN+backupuser
# group: DOMAIN+domain\040admins
user::rwx
user:DOMAIN+backupuser:rwx
group::rwx
group:DOMAIN+domain\040users:rwx
group:DOMAIN+domain\040admins:rwx
mask::rwx
other::rwx
If user1 opens the file in excel, makes a change and saves it, then the
facl for test.xls becomes:
# file: test.xls
# owner: DOMAIN+user1
# group: DOMAIN+domain\040users
user::rwx
user:DOMAIN+backupuser:rwx
group::rwx
group:DOMAIN+domain\040admins:rwx
mask::rwx
other::rwx
The entry for Domain Users was deleted. Note that I have the default
group other set to rwx as a work around because it causes users to be
locked out of their files. If you want to see something really strange,
you should see what happens if I change the file and group owner back to
what it was before user1 modified it and let user1 save it again. But
for now, I need to know how to fix this. Anyone have any ideas? My
config from 3.0.22 didn't change, but I've tried a variety of things to
fix this. I've got these all set:
[global]
store dos attributes = Yes
dos filemode = Yes
dos filetime resolution = Yes
acl compatibility = yes
ea support = Yes
map acl inherit = yes
inherit permissions = Yes
inherit acls = Yes
[test]
comment = test drive
path = /share/test
read only = No
create mask = 0777
directory mask = 0777
guest ok = Yes
map readonly = permissions
nt acl support = yes
inherit acls = yes
Any ideas would be greatly appreciated.
Thanks,
Aaron Kincer
Carlos Eduardo Pedroza Santiviago
2007-May-07 14:49 UTC
[Samba] 3.0.24 and disappearing ACL entries
Hi, On 5/1/07, Aaron Kincer <kincera@gmail.com> wrote:> I've been working at this for a few days now and I can't figure out what > is broken. Google turns up similar issues from years back, but I hope > this is a bug resurfacing. ACL entries are being deleted when files are > saved. Here is an example: >Any info on this? I'm having similar problems, when a user with the M$ Suite saves his files. $ getfacl * # file: teste.doc # owner: cadu # group: XXXEMP user::rwx group::rwx group:XXXAED:rwx group:XXXEXT:r-x group:XXXGES:rwx mask::rwx other::--- # file: teste.ods # owner: cadu # group: XXXEMP user::rwx group::rwx group:XXXAED:rwx group:XXXEMP:rwx group:XXXEXT:r-x group:XXXGES:rwx mask::rwx other::--- After saving file "teste.doc", it removed the ACL for the EMP group. That didn't happen when i saved "teste.ods", using OpenOffice suite. -- Carlos Eduardo Pedroza Santiviago
Interaction with the Standard Samba “create mask” Parameters
There are four parameters that control interaction with the standard Samba
create mask parameters:
*
security mask
*
force security mode
*
directory security mask
*
force directory security mode
When a user clicks on OK to apply the permissions, Samba maps the given
permissions into a user/group/world r/w/x triplet set, and then checks the
changed permissions for a file against the bits set in the security mask
parameter. Any bits that were changed that are not set to 1 in this
parameter are left alone in the file permissions.
Essentially, zero bits in the security mask may be treated as a set of bits
the user is not allowed to change, and one bits are those the user is
allowed to change.
If not explicitly set, this parameter defaults to the same value as the
create mask parameter. To allow a user to modify all the user/group/world
permissions on a file, set this parameter to 0777.
Next Samba checks the changed permissions for a file against the bits set in
the force security mode parameter. Any bits that were changed that
correspond to bits set to 1 in this parameter are forced to be set.
Essentially, bits set in the force security mode parameter may be treated as
a set of bits that, when modifying security on a file, the user has always
set to be on.
If not explicitly set, this parameter defaults to the same value as the
force create mode parameter. To allow a user to modify all the
user/group/world permissions on a file with no restrictions, set this
parameter to 000. The security mask and force security mode parameters are
applied to the change request in that order.
For a directory, Samba performs the same operations as described above for a
file except it uses the parameter directory security mask instead of
security mask, and force directory security mode parameter instead of force
security mode .
The directory security mask parameter by default is set to the same value as
the directory mask parameter and the force directory security mode parameter
by default is set to the same value as the force directory mode parameter.
In this way Samba enforces the permission restrictions that an administrator
can set on a Samba share, while still allowing users to modify the
permission bits within that restriction.
If you want to set up a share that allows users full control in modifying
the permission bits on their files and directories and does not force any
particular bits to be set on, then set the following parameters in the
smb.conf file in that share-specific section:
security mask = 0777
force security mode = 0
directory security mask = 0777
force directory security mode = 0
_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
Possibly Parallel Threads
- /usr/bin/ssh not found when rsync is executed within rsnapshot
- Point biserial correlation => Is there any specific command or could I just use cor.test?
- rsync filter rules ignored by rsnapshot
- 3.0.24 -- Office read only issue, bizarre EAs and disappearing ACLs
- Home Folder