Re: [Samba] Enforcing filesystem permissions

Mon, 04 Oct 2010 11:55:04 -0700 

 Dennis,

Maybe this instead:


     inherit permissions (S)

   The permissions on new files and directories are normally governed
   by create mask
   <http://debpdc:901/swat/help/manpages/smb.conf.5.html#CREATEMASK>,
   directory mask
   <http://debpdc:901/swat/help/manpages/smb.conf.5.html#DIRECTORYMASK>, force
   create mode
   <http://debpdc:901/swat/help/manpages/smb.conf.5.html#FORCECREATEMODE>
   and force directory mode
   <http://debpdc:901/swat/help/manpages/smb.conf.5.html#FORCEDIRECTORYMODE>
   but the boolean inherit permissions parameter overrides this.

   New directories inherit the mode of the parent directory, including
   bits such as setgid.

   New files inherit their read/write bits from the parent directory.
   Their execute bits continue to be determined by map archive
   <http://debpdc:901/swat/help/manpages/smb.conf.5.html#MAPARCHIVE>,
   map hidden
   <http://debpdc:901/swat/help/manpages/smb.conf.5.html#MAPHIDDEN> and
   map system
   <http://debpdc:901/swat/help/manpages/smb.conf.5.html#MAPSYSTEM> as
   usual.

   Note that the setuid bit is /never/ set via inheritance (the code
   explicitly prohibits this).

   This can be particularly useful on large systems with many users,
   perhaps several thousand, to allow a single [homes] share to be used
   flexibly by each user.

   Default: //|inherit permissions|/ = |no| /


Dale


On 10/04/2010 11:00 AM, Dennis Jacobfeuerborn wrote:

Hi,
I'm trying to get samba to force a certain set of permissions for files and directories but so far I don't have much success. This is what I'm trying to enforce: 

        create mask = 0770
        security mask = 0770
        directory mask = 0770
        directory security mask = 0770
        force create mode = 0660
        force security mode = 0660
        force directory mode = 0770
        force directory security mode = 0770
        force group = publisher
Yet when a client creates a directory it ends up with the permissions set to 755 instead. My guess is that the client changes the permissions after the directory is created so I'm wondering how I can prevent that from happening. What I'm trying to accomplish is to make it possible for members of the group "publisher" to always read/write each others files and enter directories. 

Regards,
  Dennis

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Reply via email to