samba - Dec 2018 - Samba-created files with POSIX ACLs gaining execute bit

Hai, 

The docs shown are a bit old, yes, i suggest start reading these. 
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs 

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs 

Look at the smb.conf man and search for acl ( or exec ) 


Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> christian russell via samba
> Verzonden: dinsdag 18 december 2018 4:59
> Aan: Andrew Bartlett
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] Samba-created files with POSIX ACLs 
> gaining execute bit
> 
> I figured something as much but all the docs I found pointed 
> to the archive, hidden, and readonly attributes touching the 
> execute bits (see here, for example: 
> https://www.samba.org/samba/docs/using_samba/ch08.html#samba2-
> CHP-8-FIG-2 
> <https://www.samba.org/samba/docs/using_samba/ch08.html#samba2
> -CHP-8-FIG-2>).  That’s why I disabled those mappings in my 
> smb.conf.  Granted the docs I found were older — is this 
> handled differently nowadays?
> 
> In any event is there some way to prevent this behavior so I 
> get sane permissions within the *nix environment?
> 
> Thanks very much for your response.
> 
> Christian
> 
> > On Dec 17, 2018, at 7:02 PM, Andrew Bartlett 
> <abartlet at samba.org> wrote:
> > 
> > On Mon, 2018-12-17 at 18:56 -0800, christian russell via 
> samba wrote:
> >> Hi all,
> >> 
> >> I have a Samba share set up using POSIX ACLs as the 
> permissions backend.  I am seeing an issue where files 
> created via the Samba get execute permissions whereas files 
> created via shell do not.  
> > 
> > Samba maps the windows execute permission to the posix one, which is
> > why this happens.
> > 
> > Andrew Bartlett
> > 
> > -- 
> > Andrew Bartlett
> > https://samba.org/~abartlet/
> > Authentication Developer, Samba Team         https://samba.org
> > Samba Development and Support, Catalyst IT   
> > https://catalyst.net.nz/services/samba
> > 
> > 
> > 
> > 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Hi Louis,

Those were the docs I initially followed.  I don’t see any mention in them as to
why one would expect unusual (in Unix terms) execute permission values.

If anybody could point me towards documentation of the expected permission
behavior (esp. with POSIX ACLs) of modern Samba I would greatly appreciate it.

Christian
> On Dec 17, 2018, at 11:47 PM, L.P.H. van Belle via samba <samba at
lists.samba.org> wrote:
> 
> 
> Hai, 
> 
> The docs shown are a bit old, yes, i suggest start reading these. 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs 
> 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs 
> 
> Look at the smb.conf man and search for acl ( or exec ) 
> 
> 
> Greetz, 
> 
> Louis
> 
> 
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
>> christian russell via samba
>> Verzonden: dinsdag 18 december 2018 4:59
>> Aan: Andrew Bartlett
>> CC: samba at lists.samba.org
>> Onderwerp: Re: [Samba] Samba-created files with POSIX ACLs 
>> gaining execute bit
>> 
>> I figured something as much but all the docs I found pointed 
>> to the archive, hidden, and readonly attributes touching the 
>> execute bits (see here, for example: 
>> https://www.samba.org/samba/docs/using_samba/ch08.html#samba2-
>> CHP-8-FIG-2 
>> <https://www.samba.org/samba/docs/using_samba/ch08.html#samba2
>> -CHP-8-FIG-2>).  That’s why I disabled those mappings in my 
>> smb.conf.  Granted the docs I found were older — is this 
>> handled differently nowadays?
>> 
>> In any event is there some way to prevent this behavior so I 
>> get sane permissions within the *nix environment?
>> 
>> Thanks very much for your response.
>> 
>> Christian
>> 
>>> On Dec 17, 2018, at 7:02 PM, Andrew Bartlett 
>> <abartlet at samba.org> wrote:
>>> 
>>> On Mon, 2018-12-17 at 18:56 -0800, christian russell via 
>> samba wrote:
>>>> Hi all,
>>>> 
>>>> I have a Samba share set up using POSIX ACLs as the 
>> permissions backend.  I am seeing an issue where files 
>> created via the Samba get execute permissions whereas files 
>> created via shell do not.  
>>> 
>>> Samba maps the windows execute permission to the posix one, which
is
>>> why this happens.
>>> 
>>> Andrew Bartlett
>>> 
>>> -- 
>>> Andrew Bartlett
>>> https://samba.org/~abartlet/
>>> Authentication Developer, Samba Team         https://samba.org
>>> Samba Development and Support, Catalyst IT   
>>> https://catalyst.net.nz/services/samba
>>> 
>>> 
>>> 
>>> 
>> 
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

These are the latests.. And the Why, Andrew already explain. 
Due to the mappings with windows acls. 

If the exec bit is missing, no windows programm will be allowed to start of a
share.
If i download an msi file to install and put it on a share, its not allowed to
execute it.
Which is exact what i want in my case. 

You might want to read
https://www.snia.org/sites/default/files/SDC/2016/presentations/smb/Jeremy_Allison_SMB3_and_Linux_A_Seamless_File_Sharing_Protocol.pdf
https://sambaxp.org/archive_data/media/05-Andreas-Gruenbacher_-_Linux_Samba_and_ACLs.pdf

These might help you a bit in understanding that what you want is not always
possible..

Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: christian russell [mailto:christian.baltini at gmail.com] 
> Verzonden: dinsdag 18 december 2018 9:02
> Aan: L.P.H. van Belle
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] Samba-created files with POSIX ACLs 
> gaining execute bit
> 
> Hi Louis,
> 
> Those were the docs I initially followed.  I don’t see any 
> mention in them as to why one would expect unusual (in Unix 
> terms) execute permission values.
> 
> If anybody could point me towards documentation of the 
> expected permission behavior (esp. with POSIX ACLs) of modern 
> Samba I would greatly appreciate it.
> 
> Christian
> 
> > On Dec 17, 2018, at 11:47 PM, L.P.H. van Belle via samba 
> <samba at lists.samba.org> wrote:
> > 
> > 
> > Hai, 
> > 
> > The docs shown are a bit old, yes, i suggest start reading these. 
> > 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Wind
> ows_ACLs 
> > 
> > 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs 
> > 
> > Look at the smb.conf man and search for acl ( or exec ) 
> > 
> > 
> > Greetz, 
> > 
> > Louis
> > 
> > 
> >> -----Oorspronkelijk bericht-----
> >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> >> christian russell via samba
> >> Verzonden: dinsdag 18 december 2018 4:59
> >> Aan: Andrew Bartlett
> >> CC: samba at lists.samba.org
> >> Onderwerp: Re: [Samba] Samba-created files with POSIX ACLs 
> >> gaining execute bit
> >> 
> >> I figured something as much but all the docs I found pointed 
> >> to the archive, hidden, and readonly attributes touching the 
> >> execute bits (see here, for example: 
> >> https://www.samba.org/samba/docs/using_samba/ch08.html#samba2-
> >> CHP-8-FIG-2 
> >> <https://www.samba.org/samba/docs/using_samba/ch08.html#samba2
> >> -CHP-8-FIG-2>).  That’s why I disabled those mappings in my 
> >> smb.conf.  Granted the docs I found were older — is this 
> >> handled differently nowadays?
> >> 
> >> In any event is there some way to prevent this behavior so I 
> >> get sane permissions within the *nix environment?
> >> 
> >> Thanks very much for your response.
> >> 
> >> Christian
> >> 
> >>> On Dec 17, 2018, at 7:02 PM, Andrew Bartlett 
> >> <abartlet at samba.org> wrote:
> >>> 
> >>> On Mon, 2018-12-17 at 18:56 -0800, christian russell via 
> >> samba wrote:
> >>>> Hi all,
> >>>> 
> >>>> I have a Samba share set up using POSIX ACLs as the 
> >> permissions backend.  I am seeing an issue where files 
> >> created via the Samba get execute permissions whereas files 
> >> created via shell do not.  
> >>> 
> >>> Samba maps the windows execute permission to the posix 
> one, which is
> >>> why this happens.
> >>> 
> >>> Andrew Bartlett
> >>> 
> >>> -- 
> >>> Andrew Bartlett
> >>> https://samba.org/~abartlet/
> >>> Authentication Developer, Samba Team         https://samba.org
> >>> Samba Development and Support, Catalyst IT   
> >>> https://catalyst.net.nz/services/samba
> >>> 
> >>> 
> >>> 
> >>> 
> >> 
> >> -- 
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >> 
> > 
> > 
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> 
>

Hi all,

The part that I don’t understand is why the behavior is different when there are
ACLs involved.

Take the below example:

# This share is chmod 777, 
[share1]
path = /srv/share1 # mode is 0777, no ACLs
readonly = no
create mask = 0660

[share2]
path = /srv/share2 # mode is 0770, ACLs
readonly = no
inherit acts = yes
create mask = 0660

share1 acts exactly as expected — I get a 0660 permissions.

[root at samba share1]# pwd && ls -l
/srv/share1
total 0
-rw-rw---- 1 christian root 0 Dec 19 19:17 file

share2, gets 0770 permissions only because there are ACLs applied on the file.

[root at samba share2]# pwd && ls -l
/srv/share2
total 0
-rwxrwx---+ 1 christian root 0 Dec 19 19:17 file

I don’t understand how the execute bit is necessary to map functionality when
ACLs are present and not when using traditional Unix permissions — if anything
the reverse makes more sense.

This bug report appears to identify exactly where in the code the phenomenon
arises from:  https://bugzilla.samba.org/show_bug.cgi?id=12716
<https://bugzilla.samba.org/show_bug.cgi?id=12716>

If this is in fact expected behavior it would be good to document as there seems
to be a decent amount of confusing resulting.

Christian
> On Dec 18, 2018, at 12:28 AM, L.P.H. van Belle via samba <samba at
lists.samba.org> wrote:
> 
> These are the latests.. And the Why, Andrew already explain. 
> Due to the mappings with windows acls. 
> 
> If the exec bit is missing, no windows programm will be allowed to start of
a share.
> If i download an msi file to install and put it on a share, its not allowed
to execute it.
> Which is exact what i want in my case. 
> 
> You might want to read
>
https://www.snia.org/sites/default/files/SDC/2016/presentations/smb/Jeremy_Allison_SMB3_and_Linux_A_Seamless_File_Sharing_Protocol.pdf
>
https://sambaxp.org/archive_data/media/05-Andreas-Gruenbacher_-_Linux_Samba_and_ACLs.pdf
> 
> These might help you a bit in understanding that what you want is not
always possible..
> 
> Greetz, 
> 
> Louis
> 
> 
> 
>> -----Oorspronkelijk bericht-----
>> Van: christian russell [mailto:christian.baltini at gmail.com] 
>> Verzonden: dinsdag 18 december 2018 9:02
>> Aan: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Onderwerp: Re: [Samba] Samba-created files with POSIX ACLs 
>> gaining execute bit
>> 
>> Hi Louis,
>> 
>> Those were the docs I initially followed.  I don’t see any 
>> mention in them as to why one would expect unusual (in Unix 
>> terms) execute permission values.
>> 
>> If anybody could point me towards documentation of the 
>> expected permission behavior (esp. with POSIX ACLs) of modern 
>> Samba I would greatly appreciate it.
>> 
>> Christian
>> 
>>> On Dec 17, 2018, at 11:47 PM, L.P.H. van Belle via samba 
>> <samba at lists.samba.org> wrote:
>>> 
>>> 
>>> Hai, 
>>> 
>>> The docs shown are a bit old, yes, i suggest start reading these. 
>>> 
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Wind
>> ows_ACLs 
>>> 
>>> 
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs 
>>> 
>>> Look at the smb.conf man and search for acl ( or exec ) 
>>> 
>>> 
>>> Greetz, 
>>> 
>>> Louis
>>> 
>>> 
>>>> -----Oorspronkelijk bericht-----
>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
>>>> christian russell via samba
>>>> Verzonden: dinsdag 18 december 2018 4:59
>>>> Aan: Andrew Bartlett
>>>> CC: samba at lists.samba.org
>>>> Onderwerp: Re: [Samba] Samba-created files with POSIX ACLs 
>>>> gaining execute bit
>>>> 
>>>> I figured something as much but all the docs I found pointed 
>>>> to the archive, hidden, and readonly attributes touching the 
>>>> execute bits (see here, for example: 
>>>> https://www.samba.org/samba/docs/using_samba/ch08.html#samba2-
>>>> CHP-8-FIG-2 
>>>>
<https://www.samba.org/samba/docs/using_samba/ch08.html#samba2
>>>> -CHP-8-FIG-2>).  That’s why I disabled those mappings in my 
>>>> smb.conf.  Granted the docs I found were older — is this 
>>>> handled differently nowadays?
>>>> 
>>>> In any event is there some way to prevent this behavior so I 
>>>> get sane permissions within the *nix environment?
>>>> 
>>>> Thanks very much for your response.
>>>> 
>>>> Christian
>>>> 
>>>>> On Dec 17, 2018, at 7:02 PM, Andrew Bartlett 
>>>> <abartlet at samba.org> wrote:
>>>>> 
>>>>> On Mon, 2018-12-17 at 18:56 -0800, christian russell via 
>>>> samba wrote:
>>>>>> Hi all,
>>>>>> 
>>>>>> I have a Samba share set up using POSIX ACLs as the 
>>>> permissions backend.  I am seeing an issue where files 
>>>> created via the Samba get execute permissions whereas files 
>>>> created via shell do not.  
>>>>> 
>>>>> Samba maps the windows execute permission to the posix 
>> one, which is
>>>>> why this happens.
>>>>> 
>>>>> Andrew Bartlett
>>>>> 
>>>>> -- 
>>>>> Andrew Bartlett
>>>>> https://samba.org/~abartlet/
>>>>> Authentication Developer, Samba Team        
https://samba.org
>>>>> Samba Development and Support, Catalyst IT   
>>>>> https://catalyst.net.nz/services/samba
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>> 
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read
the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>> 
>>> 
>>> 
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>> 
>> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba