Hi everybody,

I know this has been discussed ad nauseam, but I can't find an answer to my question precisely.

My version of samba is 4.2.10.

Here's my question. I have POSIX ACLs set on a directory like this:

# file: .
# owner: root
# group: admin
# flags: -s-
user::rwx
user:apache:rwx
group::rwx
group:admin:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:apache:rwx
default:group::rwx
default:group:admin:rwx
default:mask::rwx
default:other::---

When I create a file in that directory with the touch command on linux, I get:

-rw-rw----+ 1 my_user_name admin 0 Aug 12 11:17 new

... which is what I want -- no exec bit set anywhere on the file itself (though I do want it on a directory).

But when I create it through Samba, I get:

-rw-rwx---+ 1 my_user_name admin 0 Aug 12 11:07 new

I know that the ACL mask defines the maximum permissions and so since touch uses the 0666 create mode, the exec bit is not set. So far so good.

Now to samba. The share has these controls:

...
create mask = 0664
...

When stracing the samba process, I see that 0664 is specified in the open system call, but following that, setxattr is called (not sure by samba or some kernel process), which must be setting the exec bit on the group?

...
96012 open("new", O_RDWR|O_CREAT|O_EXCL, 0664) = 40
96012 setxattr("New Text Document.txt", "system.posix_acl_access", LONG_HEX_STRING_HERE, 52, 0) = 0
...

My question finally is: how do I make sure the exec bit on the group is *not* set?

Thanks,
Sergei

It looks like this is a long known issue:

https://bugzilla.samba.org/show_bug.cgi?id=10792

On Fri, Aug 12, 2016 at 10:30 AM, Sergei Gerasenko <gerases at gmail.com> wrote:
> Hi everybody,
>
> I know this has been discussed ad nauseam, but I can't find an answer to my
> question precisely.
>
> My version of samba is 4.2.10.
>
> Here's my question. I have POSIX ACLs set on a directory like this:
>
> # file: .
> # owner: root
> # group: admin
> # flags: -s-
> user::rwx
> user:apache:rwx
> group::rwx
> group:admin:rwx
> mask::rwx
> other::r-x
> default:user::rwx
> default:user:apache:rwx
> default:group::rwx
> default:group:admin:rwx
> default:mask::rwx
> default:other::---
>
> When I create a file in that directory with the touch command on linux, I
> get:
>
> -rw-rw----+ 1 my_user_name admin 0 Aug 12 11:17 new
>
> ... which is what I want -- no exec bit set anywhere on the file itself
> (though I do want it on a directory).
>
> But when I create it through Samba, I get:
>
> -rw-rwx---+ 1 my_user_name admin 0 Aug 12 11:07 new
>
> I know that the ACL mask defines the maximum permissions and so since
> touch uses the 0666 create mode, the exec bit is not set. So far so good.
>
> Now to samba. The share has these controls:
>
> ...
> create mask = 0664
> ...
>
> When stracing the samba process, I see that 0664 is specified in the open
> system call, but following that, setxattr is called (not sure by samba or
> some kernel process), which must be setting the exec bit on the group?
>
> ...
> 96012 open("new", O_RDWR|O_CREAT|O_EXCL, 0664) = 40
> 96012 setxattr("New Text Document.txt", "system.posix_acl_access",
> LONG_HEX_STRING_HERE, 52, 0) = 0
> ...
>
> My question finally is: how do I make sure the exec bit on the group is
> *not* set?
>
> Thanks,
> Sergei

On Fri, Aug 12, 2016 at 11:20:47AM -0500, Sergei Gerasenko via samba wrote:
> It looks like this is a long known issue:
>
> https://bugzilla.samba.org/show_bug.cgi?id=10792

If by long known you mean "as designed".

As Samba supports ACL setting on files/directories we don't restrict what happens to them after creation. For creation you can set "create mask" and "directory mask" but the client can change it afterwards.
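
Added example, not part of the thread and not Samba's code: a Python model of the acl(5) inheritance rule, showing why `touch` (0666) and `open(..., 0664)` both yield `rw-rw----` under the default ACL posted above, and how a later explicit ACL write carrying `mask::rwx` yields `rw-rwx---`. The `EXPLICIT` ACL is a constructed stand-in for the elided setxattr payload, and all function names are hypothetical.

```python
# Model of Linux POSIX ACL inheritance at file creation (rules from acl(5)).
# An ACL is a dict: (tag, qualifier) -> permission bits (r=4, w=2, x=1).

def parse_acl(text):
    """Parse getfacl-style entries such as 'user:apache:rwx' into a dict."""
    acl = {}
    for line in text.split():
        tag, qual, perms = line.split(":")
        acl[(tag, qual)] = sum(v for c, v in zip(perms, (4, 2, 1)) if c != "-")
    return acl

def inherit(default_acl, create_mode):
    """Access ACL a new file gets: a copy of the parent's default ACL with
    owner, mask and other ANDed with the mode passed to open()."""
    acl = dict(default_acl)
    acl[("user", "")] &= (create_mode >> 6) & 7
    # When a mask entry exists, the mode's group bits limit the mask.
    group_class = ("mask", "") if ("mask", "") in acl else ("group", "")
    acl[group_class] &= (create_mode >> 3) & 7
    acl[("other", "")] &= create_mode & 7
    return acl

def ls_mode(acl):
    """Permission string as ls shows it: the middle triplet is the mask."""
    group_class = acl.get(("mask", ""), acl[("group", "")])
    triplets = (acl[("user", "")], group_class, acl[("other", "")])
    return "".join(
        "".join(c if b & v else "-" for c, v in zip("rwx", (4, 2, 1)))
        for b in triplets)

def effective_exec(acl):
    """Group-class entries that still hold execute after masking."""
    mask = acl.get(("mask", ""), 7)
    return sorted(k for k, b in acl.items()
                  if k not in (("user", ""), ("other", ""), ("mask", ""))
                  and b & mask & 1)

# Default ACL of the directory, as posted in the thread.
DEFAULT = parse_acl("user::rwx user:apache:rwx group::rwx group:admin:rwx "
                    "mask::rwx other::---")
# Constructed stand-in for the elided setxattr payload (assumption).
EXPLICIT = parse_acl("user::rw- user:apache:rwx group::rwx group:admin:rwx "
                     "mask::rwx other::---")

if __name__ == "__main__":
    for label, acl in (("touch, 0666", inherit(DEFAULT, 0o666)),
                       ("open, 0664", inherit(DEFAULT, 0o664)),
                       ("explicit ACL", EXPLICIT)):
        print(f"{label:13} -{ls_mode(acl)}+  exec via: {effective_exec(acl)}")
```

The same `effective_exec` check can be pointed at parsed `getfacl` output to audit a share for files where named users or groups hold execute through the mask.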