Thank you for the answer. I understand that default (POSIX) ACLs will lead to similar results, but the parent directory of this file had no default ACL, and when opening its properties / security dialog I also don't see any inheritance specified. However I can accept that SaMBa works this way and I can even see that Word did some deliberate ACL manipulation, but this "piling up" of ACL information doesn't happen either on a native Windows file server or with vfs_acl_xattr. And at least partially this may be the reason why using POSIX ACLs with SaMBa is deprecated :-( Best regards, Tam?s Christian Naumer <christian.naumer at greyfish.net> ezt ?rta (id?pont: 2023. j?n. 15., Cs, 8:42):> Am Mittwoch, dem 14.06.2023 um 18:48 +0200 schrieb Tam?s N?meth via samba: > > # file: newfile.docx #This file has a (probably > > unnecessary) POSIX ACL > > # owner: user_1 > > # group: domain\040users > > user::rw- > > user:user_1:rw- #I'm already the owning user > > having the same permissions. Why am I also explicitly added to the POSIX > > ACL? > > group::rw- > > group:domain\040users:rw-- #It's already the owning group having > the > > same permissions. Why is it also explicitly added to the POSIX ACL? > > mask::rwx #Shouldn't it only be rw? > > other::--- > > This has nothing to to with Samba if ACLs are enabled and the directory > has some default ACLs > this also happens if you create the file on the server via ssh or on the > cli. At least this is > the case for me. > > Regards > > Christian > >
On 15/06/2023 16:18, Tam?s N?meth via samba wrote:> Thank you for the answer. > > I understand that default (POSIX) ACLs will lead to similar results, but > the parent directory of this file had no default ACL, and when opening its > properties / security dialog I also don't see any inheritance specified. > However I can accept that SaMBa works this way and I can even see that Word > did some deliberate ACL manipulation, but this "piling up" of ACL > information doesn't happen either on a native Windows file server or with > vfs_acl_xattr. And at least partially this may be the reason why using > POSIX ACLs with SaMBa is deprecated :-( > > Best regards, > > Tam?s >I think we need to identify just what you are calling 'default (POSIX) ACLs' actually are. Samba uses 3 permission 'levels' The standard Unix 'ugo' permissions The permissions that getfacl will show, known by some as NT4-ACLs, by others as Posix ACLs (which never made it out of the draft stage) Windows ACLs, stored in an EA There are NFSv4 ACLs, but these are really only used on 'BSD' filesystems. If you create a file on Linux, you will get a file permission string like this from 'ls': -rw-r--r-- getfacl would show the permissions like this: # file: $file_NAME # owner: adminuser # group: adminuser user::rw- group::r-- other::r-- Now you can, with 'setfacl' add default permissions, are these what you are referring to as 'Posix ACLs' ? Rowland
On 15/06/2023 16:18, Tam?s N?meth via samba wrote: Hi Tamas, I have been reviewing you numerous posts on this list about this project, are you aware that you have been posting for 6 months ? In your last post there was this: [quote] this "piling up" of ACL information doesn't happen either on a native Windows file server or with vfs_acl_xattr [/quote] Does this mean you do not have 'vfs objects = acl_xattr' in your smb.conf ? You also had this: [quote] this may be the reason why using POSIX ACLs with SaMBa is deprecated [/quote] As far as I am aware, using POSIX ACLs isn't deprecated, is it possible you can tell us where you found that information ? It might also be a good idea if we could see your present smb.conf, so please post the output of 'testparm -s' (sanitised if must). Rowland