samba - Dec 2018 - Samba-created files with POSIX ACLs gaining execute bit

Hi all,

I have a Samba share set up using POSIX ACLs as the permissions backend.  I am
seeing an issue where files created via the Samba get execute permissions
whereas files created via shell do not.  Here’s my demonstration using “share2”
as the root of my share:

[root at samba srv]# ls -l
total 0
drwxrwx---+ 2 root root 65 Dec 17 18:40 share2
[root at samba srv]# getfacl share2/
# file: share2/
# owner: root
# group: root
user::rwx
group::rwx
group:share2_ro:r-x
group:share2_rw:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx		#effective:rw-
default:group:share2_ro:r-x	#effective:r--
default:group:share2_rw:rwx	#effective:rw-
default:mask::rw-
default:other::---

[root at samba srv]# ls -l share2/
total 0
-rw-rw----+ 1 christian users 0 Dec 17 18:39 file_via_shell
-rwxrwx---+ 1 christian root  0 Dec 17 18:40 file_via_smb
[root at samba srv]# getfacl share2/*
# file: share2/file_via_shell
# owner: christian
# group: users
user::rw-
group::rwx			#effective:rw-
group:share2_ro:r-x		#effective:r--
group:share2_rw:rwx		#effective:rw-
mask::rw-
other::---

# file: share2/file_via_smb
# owner: christian
# group: root
user::rwx
user:christian:rwx
group::rw-
group:root:rw-
group:share2_ro:r--
group:share2_rw:rw-
mask::rwx
other::—

This bug appears to show something similar:
https://bugzilla.samba.org/show_bug.cgi?id=10792
<https://bugzilla.samba.org/show_bug.cgi?id=10792>

These are the additions to my SMB.conf that may be relevant.  I have tried
playing with the “create mask” and “force create mode” parameters without any
luck.  As you can see below I also disabled the DOS - POSIX attribute mappings
that use the execute bits to store attributes.

    read only = no
    unix extensions = no
    force group = root
    vfs objects = catia fruit streams_xattr
    fruit:aapl
    fruit:nfs_aces = no
    dos filemode = yes
    inherit acls = yes
    map archive = no
    map hidden = no
    map readonly = no

All things considered my end goal is go:
1.)  Have all directories 770
2.)  Have all files 660
3.)  Provide additional groups access to files with 660-equivalent ACLs
4.)  Provide additional groups access to files with 770-equivalent ACLs
5.)  Inherit the above settings to files and directories from the share’s root
directory

Thanks in advance for any help!

Christian

On Mon, 2018-12-17 at 18:56 -0800, christian russell via samba
wrote:
> Hi all,
> 
> I have a Samba share set up using POSIX ACLs as the permissions backend.  I
am seeing an issue where files created via the Samba get execute permissions
whereas files created via shell do not. 
Samba maps the windows execute permission to the posix one, which is
why this happens.

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba

I figured something as much but all the docs I found pointed to the archive,
hidden, and readonly attributes touching the execute bits (see here, for
example:
https://www.samba.org/samba/docs/using_samba/ch08.html#samba2-CHP-8-FIG-2
<https://www.samba.org/samba/docs/using_samba/ch08.html#samba2-CHP-8-FIG-2>).
That’s why I disabled those mappings in my smb.conf.  Granted the docs I found
were older — is this handled differently nowadays?

In any event is there some way to prevent this behavior so I get sane
permissions within the *nix environment?

Thanks very much for your response.

Christian
> On Dec 17, 2018, at 7:02 PM, Andrew Bartlett <abartlet at samba.org>
wrote:
> 
> On Mon, 2018-12-17 at 18:56 -0800, christian russell via samba wrote:
>> Hi all,
>> 
>> I have a Samba share set up using POSIX ACLs as the permissions
backend.  I am seeing an issue where files created via the Samba get execute
permissions whereas files created via shell do not.
> 
> Samba maps the windows execute permission to the posix one, which is
> why this happens.
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team         https://samba.org
> Samba Development and Support, Catalyst IT   
> https://catalyst.net.nz/services/samba
> 
> 
> 
>

Hai, 

The docs shown are a bit old, yes, i suggest start reading these. 
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs 

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs 

Look at the smb.conf man and search for acl ( or exec ) 


Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> christian russell via samba
> Verzonden: dinsdag 18 december 2018 4:59
> Aan: Andrew Bartlett
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] Samba-created files with POSIX ACLs 
> gaining execute bit
> 
> I figured something as much but all the docs I found pointed 
> to the archive, hidden, and readonly attributes touching the 
> execute bits (see here, for example: 
> https://www.samba.org/samba/docs/using_samba/ch08.html#samba2-
> CHP-8-FIG-2 
> <https://www.samba.org/samba/docs/using_samba/ch08.html#samba2
> -CHP-8-FIG-2>).  That’s why I disabled those mappings in my 
> smb.conf.  Granted the docs I found were older — is this 
> handled differently nowadays?
> 
> In any event is there some way to prevent this behavior so I 
> get sane permissions within the *nix environment?
> 
> Thanks very much for your response.
> 
> Christian
> 
> > On Dec 17, 2018, at 7:02 PM, Andrew Bartlett 
> <abartlet at samba.org> wrote:
> > 
> > On Mon, 2018-12-17 at 18:56 -0800, christian russell via 
> samba wrote:
> >> Hi all,
> >> 
> >> I have a Samba share set up using POSIX ACLs as the 
> permissions backend.  I am seeing an issue where files 
> created via the Samba get execute permissions whereas files 
> created via shell do not.  
> > 
> > Samba maps the windows execute permission to the posix one, which is
> > why this happens.
> > 
> > Andrew Bartlett
> > 
> > -- 
> > Andrew Bartlett
> > https://samba.org/~abartlet/
> > Authentication Developer, Samba Team         https://samba.org
> > Samba Development and Support, Catalyst IT   
> > https://catalyst.net.nz/services/samba
> > 
> > 
> > 
> > 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>