christian russell
2018-Dec-18 02:56 UTC
[Samba] Samba-created files with POSIX ACLs gaining execute bit
Hi all, I have a Samba share set up using POSIX ACLs as the permissions backend. I am seeing an issue where files created via the Samba get execute permissions whereas files created via shell do not. Here’s my demonstration using “share2” as the root of my share: [root at samba srv]# ls -l total 0 drwxrwx---+ 2 root root 65 Dec 17 18:40 share2 [root at samba srv]# getfacl share2/ # file: share2/ # owner: root # group: root user::rwx group::rwx group:share2_ro:r-x group:share2_rw:rwx mask::rwx other::--- default:user::rwx default:group::rwx #effective:rw- default:group:share2_ro:r-x #effective:r-- default:group:share2_rw:rwx #effective:rw- default:mask::rw- default:other::--- [root at samba srv]# ls -l share2/ total 0 -rw-rw----+ 1 christian users 0 Dec 17 18:39 file_via_shell -rwxrwx---+ 1 christian root 0 Dec 17 18:40 file_via_smb [root at samba srv]# getfacl share2/* # file: share2/file_via_shell # owner: christian # group: users user::rw- group::rwx #effective:rw- group:share2_ro:r-x #effective:r-- group:share2_rw:rwx #effective:rw- mask::rw- other::--- # file: share2/file_via_smb # owner: christian # group: root user::rwx user:christian:rwx group::rw- group:root:rw- group:share2_ro:r-- group:share2_rw:rw- mask::rwx other::— This bug appears to show something similar: https://bugzilla.samba.org/show_bug.cgi?id=10792 <https://bugzilla.samba.org/show_bug.cgi?id=10792> These are the additions to my SMB.conf that may be relevant. I have tried playing with the “create mask” and “force create mode” parameters without any luck. As you can see below I also disabled the DOS - POSIX attribute mappings that use the execute bits to store attributes. read only = no unix extensions = no force group = root vfs objects = catia fruit streams_xattr fruit:aapl fruit:nfs_aces = no dos filemode = yes inherit acls = yes map archive = no map hidden = no map readonly = no All things considered my end goal is go: 1.) Have all directories 770 2.) Have all files 660 3.) Provide additional groups access to files with 660-equivalent ACLs 4.) Provide additional groups access to files with 770-equivalent ACLs 5.) Inherit the above settings to files and directories from the share’s root directory Thanks in advance for any help! Christian
Andrew Bartlett
2018-Dec-18 03:02 UTC
[Samba] Samba-created files with POSIX ACLs gaining execute bit
On Mon, 2018-12-17 at 18:56 -0800, christian russell via samba wrote:> Hi all, > > I have a Samba share set up using POSIX ACLs as the permissions backend. I am seeing an issue where files created via the Samba get execute permissions whereas files created via shell do not.Samba maps the windows execute permission to the posix one, which is why this happens. Andrew Bartlett -- Andrew Bartlett https://samba.org/~abartlet/ Authentication Developer, Samba Team https://samba.org Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
christian russell
2018-Dec-18 03:58 UTC
[Samba] Samba-created files with POSIX ACLs gaining execute bit
I figured something as much but all the docs I found pointed to the archive, hidden, and readonly attributes touching the execute bits (see here, for example: https://www.samba.org/samba/docs/using_samba/ch08.html#samba2-CHP-8-FIG-2 <https://www.samba.org/samba/docs/using_samba/ch08.html#samba2-CHP-8-FIG-2>). That’s why I disabled those mappings in my smb.conf. Granted the docs I found were older — is this handled differently nowadays? In any event is there some way to prevent this behavior so I get sane permissions within the *nix environment? Thanks very much for your response. Christian> On Dec 17, 2018, at 7:02 PM, Andrew Bartlett <abartlet at samba.org> wrote: > > On Mon, 2018-12-17 at 18:56 -0800, christian russell via samba wrote: >> Hi all, >> >> I have a Samba share set up using POSIX ACLs as the permissions backend. I am seeing an issue where files created via the Samba get execute permissions whereas files created via shell do not. > > Samba maps the windows execute permission to the posix one, which is > why this happens. > > Andrew Bartlett > > -- > Andrew Bartlett > https://samba.org/~abartlet/ > Authentication Developer, Samba Team https://samba.org > Samba Development and Support, Catalyst IT > https://catalyst.net.nz/services/samba > > > >
L.P.H. van Belle
2018-Dec-18 07:47 UTC
[Samba] Samba-created files with POSIX ACLs gaining execute bit
Hai, The docs shown are a bit old, yes, i suggest start reading these. https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs Look at the smb.conf man and search for acl ( or exec ) Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > christian russell via samba > Verzonden: dinsdag 18 december 2018 4:59 > Aan: Andrew Bartlett > CC: samba at lists.samba.org > Onderwerp: Re: [Samba] Samba-created files with POSIX ACLs > gaining execute bit > > I figured something as much but all the docs I found pointed > to the archive, hidden, and readonly attributes touching the > execute bits (see here, for example: > https://www.samba.org/samba/docs/using_samba/ch08.html#samba2- > CHP-8-FIG-2 > <https://www.samba.org/samba/docs/using_samba/ch08.html#samba2 > -CHP-8-FIG-2>). That’s why I disabled those mappings in my > smb.conf. Granted the docs I found were older — is this > handled differently nowadays? > > In any event is there some way to prevent this behavior so I > get sane permissions within the *nix environment? > > Thanks very much for your response. > > Christian > > > On Dec 17, 2018, at 7:02 PM, Andrew Bartlett > <abartlet at samba.org> wrote: > > > > On Mon, 2018-12-17 at 18:56 -0800, christian russell via > samba wrote: > >> Hi all, > >> > >> I have a Samba share set up using POSIX ACLs as the > permissions backend. I am seeing an issue where files > created via the Samba get execute permissions whereas files > created via shell do not. > > > > Samba maps the windows execute permission to the posix one, which is > > why this happens. > > > > Andrew Bartlett > > > > -- > > Andrew Bartlett > > https://samba.org/~abartlet/ > > Authentication Developer, Samba Team https://samba.org > > Samba Development and Support, Catalyst IT > > https://catalyst.net.nz/services/samba > > > > > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Reasonably Related Threads
- Samba-created files with POSIX ACLs gaining execute bit
- Samba-created files with POSIX ACLs gaining execute bit
- Samba-created files with POSIX ACLs gaining execute bit
- Netbios : Network Browsing on multiple subnets
- How to Samba share with mixed Active Directory 'Classic' authentication