For your situation, would some combination of the "inherit" parameters shown below work better for you than the mode/mask parameters?

Dale


     inherit acls (S)

   This parameter can be used to ensure that if default acls exist on
   parent directories, they are always honored when creating a new file
   or subdirectory in these parent directories. The default behavior is
   to use the unix mode specified when creating the directory. Enabling
   this option sets the unix mode to 0777, thus guaranteeing that
   default directory acls are propagated. Note that using the VFS
   modules acl_xattr or acl_tdb which store native Windows as meta-data
   will automatically turn this option on for any share for which they
   are loaded, as they require this option to emulate Windows ACLs
   correctly.

   Default: inherit acls = no


     inherit owner (S)

   The ownership of new files and directories is normally governed by
   effective uid of the connected user. This option allows the Samba
   administrator to specify that the ownership for new files and
   directories should be controlled by the ownership of the parent
   directory.

   Common scenarios where this behavior is useful is in implementing
   drop-boxes where users can create and edit files but not delete them
   and to ensure that newly create files in a user's roaming profile
   directory are actually owner by the user.

   Default: inherit owner = no


     inherit permissions (S)

   The permissions on new files and directories are normally governed
   by create mask <http://debpdc.delsoldeb.com:901/swat/help/manpages/smb.conf.5.html#CREATEMASK>,
   directory mask <http://debpdc.delsoldeb.com:901/swat/help/manpages/smb.conf.5.html#DIRECTORYMASK>,
   force create mode <http://debpdc.delsoldeb.com:901/swat/help/manpages/smb.conf.5.html#FORCECREATEMODE>
   and force directory mode <http://debpdc.delsoldeb.com:901/swat/help/manpages/smb.conf.5.html#FORCEDIRECTORYMODE>,
   but the boolean inherit permissions parameter overrides this.

   New directories inherit the mode of the parent directory, including
   bits such as setgid.

   New files inherit their read/write bits from the parent directory.
   Their execute bits continue to be determined by map archive
   <http://debpdc.delsoldeb.com:901/swat/help/manpages/smb.conf.5.html#MAPARCHIVE>,
   map hidden <http://debpdc.delsoldeb.com:901/swat/help/manpages/smb.conf.5.html#MAPHIDDEN>
   and map system <http://debpdc.delsoldeb.com:901/swat/help/manpages/smb.conf.5.html#MAPSYSTEM>
   as usual.

   Note that the setuid bit is /never/ set via inheritance (the code
   explicitly prohibits this).

   This can be particularly useful on large systems with many users,
   perhaps several thousand, to allow a single [homes] share to be used
   flexibly by each user.

   Default: inherit permissions = no
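The "inherit acls" paragraph above hinges on how the kernel combines a parent's default ACL with the mode requested at create time. This added example (not code from the thread or from Samba) models that rule with the default ACL transcribed from the getfacl output later in the thread, and shows why a requested mode of 0777 lets the default entries through untouched while 0750 clamps the mask to r-x.

```python
# Added example: POSIX.1e default-ACL inheritance and the effect of the creation mode.
# Permissions are 3-bit ints (r=4, w=2, x=1); ACL keys are (tag, qualifier) pairs.

def perm(s):
    """'r-x' -> 5"""
    return sum(b for c, b in (("r", 4), ("w", 2), ("x", 1)) if c in s)

def text(p):
    """5 -> 'r-x'"""
    return "".join(c if p & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))

# Transcribed from the "default:" lines of the thread's `getfacl special` output.
PARENT_DEFAULT_ACL = {
    ("user", ""): perm("rwx"), ("user", "john"): perm("rwx"), ("user", "doe"): perm("rwx"),
    ("group", ""): perm("r-x"), ("group", "foobar"): perm("rwx"),
    ("mask", ""): perm("rwx"), ("other", ""): perm("---"),
}

def inherit_acl(default_acl, mode):
    """Access ACL a new child gets (acl(5) 'object creation'): the default entries are
    copied, then the requested mode's owner/group/other bits are ANDed into user::,
    mask:: (group:: when no mask entry exists) and other::. Named entries are untouched."""
    acl = dict(default_acl)
    acl[("user", "")] &= (mode >> 6) & 7
    acl[("other", "")] &= mode & 7
    group_key = ("mask", "") if ("mask", "") in acl else ("group", "")
    acl[group_key] &= (mode >> 3) & 7
    return acl

def ls_mode(acl):
    """Octal mode `ls -l` reports: owner bits, mask (or group) bits, other bits."""
    group_key = ("mask", "") if ("mask", "") in acl else ("group", "")
    return (acl[("user", "")] << 6) | (acl[group_key] << 3) | acl[("other", "")]

def effective(acl, user, groups, owner, owning_group):
    """Permissions the POSIX.1e check algorithm grants `user` (member of `groups`)."""
    mask = acl.get(("mask", ""), 7)
    if user == owner:
        return acl[("user", "")]            # the owner entry is never masked
    if ("user", user) in acl:
        return acl[("user", user)] & mask   # named user entries are masked
    matched, g = False, 0
    if owning_group in groups:
        matched, g = True, g | acl[("group", "")]
    for name in groups:
        if ("group", name) in acl:
            matched, g = True, g | acl[("group", name)]
    return g & mask if matched else acl[("other", "")]

if __name__ == "__main__":
    for mode in (0o777, 0o750):   # 0777 is what 'inherit acls' requests; 0750 is the poster's goal
        acl = inherit_acl(PARENT_DEFAULT_ACL, mode)
        print(oct(mode), "->", oct(ls_mode(acl)), "doe gets", text(effective(acl, "doe", {"Domain Users"}, "john", "Domain Users")))
```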




On 05/20/2013 3:24 PM, ?icro MEGAS wrote:
That was a type error in my previous post, the line in my smb.conf is of course:

read only = No

Sun 19 May 2013 14:58:39 +0400, ?icro MEGAS wrote:

Hello folks,

Samba 3.5.6 is running and I have the following share:

[public]
               path = /data/public
               read only = No
               create mask = 0777
               directory mask = 0777
               directory security mask = 0750
               vfs object = acl_xattr
               nt acl support = yes
               dos filemode = yes

My ext4 filesystem, which is mounted on /data, supports acl,user_xattr, and
setfacl/getfacl work fine.

ls -ld /data/public shows unix mode 0755 with owner=admin and group="Domain 
Users"

All users have full access to the share \\samba\public and therefore are allowed to
create, modify and delete directories and files. My aim is to have a directory called
"special" at /data/public/special. Only restricted users and groups are allowed
full access to this directory; the "Domain Users" should only have
read/execute rights, but no write/delete rights on this directory and its subdirs.

"/data/public" has no ACL set. Here's the output of the ACL I have set manually with setfacl on this "special" directory. Only users
"john" and "doe" and group "foobar" have full access to this "special" directory, and "Domain
Users" or others should only have read rights.

root@samba:/data/public# getfacl special

# file: special/
# owner: admin
# group: Domain\040Users
user::rwx
user:john:rwx
user:doe:rwx
group::r-x
group:foobar:rwx
mask::rwx
other::---
default:user::rwx
default:user:john:rwx
default:user:doe:rwx
default:group::r-x
default:group:foobar:rwx
default:mask::rwx
default:other::---

When user "john", "doe" or anyone in group "foobar" creates a new directory
inside the special dir, it has the following modes:

root@samba:/data/public/special ls -l
drwxrwx-wx+ 2 john  Domain Users 4096 19. Mai 12:43 newdir
==> This corresponds to unix mode 0773.

The ACL looks like this:
# file: newdir
# owner: john
# group: Domain\040Users
user::rwx
user:john:rwx
user:doe:rwx
group::rwx
group:foobar:rwx
mask::rwx
other::-wx
default:user::rwx
default:user:john:rwx
default:user:doe:rwx
default:group::r-x
default:group:foobar:rwx
default:mask::rwx
default:other::---
==> This corresponds to ACL security mode 0773.

Where does this strange 0773 come from? I would like to have ACL security mode 0750 on all new
directories and files created inside the "special" directory. I have also tried to use
"force directory security mode = 0750" in my smb.conf, but that doesn't help either. I
have noticed another odd behaviour, too:

When user "john", "doe", or anyone in group "foobar" creates a new directory and DOESN'T
name it, it will be called "New Directory". This directory has the following ACLs:

root@samba:/data/public/special# getfacl New\ Directory
# file: New Directory
# owner: john
# group: Domain\040Users
user::rwx
user:john:rwx
user:doe:rwx
group::r-x
group:foobar:rwx
mask::rwx
other::---
default:user::rwx
default:user:john:rwx
default:user:doe:rwx
default:group::r-x
default:group:foobar:rwx
default:mask::rwx
default:other::---

This would be the correct ACL I want to have; it corresponds to 0750. But why is
this applied only if a new directory is created through Windows and not renamed to
something other than the default directory name "New Directory"? I don't
understand that. Please, can anyone tell me how to correctly set ACL mode 0750 for all the new
dirs/files inside my special dir.

Any help appreciated. Thanks a lot in advance.
Lucas.
