Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'
On Tuesday, 18 August 2009, jw wrote:
> Hello
>
> I am trying to create a 'dropbox' share, using the sticky bit and 'inherit owner'. By themselves they work, but when a directory is created in this share, its permissions are not quite what I need. Therefore, I try to use 'force directory mode' or 'inherit permissions'. However, whenever I do that, the owner on the newly-created directory is no longer correct w/regard to 'inherit owner'.
>
> Is this correct behavior, or a bug?

You should try posix acls. Read the man pages:
getfacl
setfacl
acl
or search this list archive. Look for default acl.

> ...
> Thanks,
> John

--
Regards
Harry Jede
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'
On Wed, Aug 19, 2009 at 11:05 PM, Harry Jede <walk2...@arcor.de> wrote:
> On Tuesday, 18 August 2009, jw wrote:
> > Is this correct behavior, or a bug?
>
> You should try posix acls. Read the man pages: getfacl setfacl acl or search this list archive. Look for default acl.

I have not used ACLs much, but think I understand the concept. From what I understand, there is no acl 'sticky bit' equivalent. Therefore, in order to get the sticky bit inherited in new directories, I need to use 'inherit permissions' in samba. But because of this strange issue I have been discussing with Jeremy, I cannot get the user/group to be anything other than who you connect to samba as. And therefore, ACLs won't help me (I think). There is no ACL I can add that would restrict write permission if a file already exists, but allow creation of new files.

That is my current understanding, at least. I will read up on the docs though.

-John
Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'
On 8/18/2009, jw (jwde...@gmail.com) wrote:
> > directory mask = 0775
> >
> > The reason you're not getting 775 perms on the new directory is that the default directory mask is 0755, which masks out the write permission for the group. Just setting inherit owner, and directory mask = 0775 should be enough.
>
> I gave this a shot, but it's still not quite doing what I would expect. I have:
>
> inherit owner = yes
> directory mask = 7775

? He said 0775, not 7775

--
Best regards,
Charles
Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'
On Wed, Aug 19, 2009 at 3:22 AM, Charles Marcus <cmar...@media-brokers.com> wrote:
> ? He said 0775, not 7775

Well, I need the sticky bit set (see my previous reply). So I have tried 1775, 3775, and 7775, all with the same results. If I use 0775, the sticky bit is masked out, which will not work for me. Or do I misunderstand 'directory mask' ?

Regardless, it doesn't work for 0775, either (correct owner, but sticky bit not set).

-John
Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'
John,

The following quote comes from the SWAT description of the inherit permissions parameter. From the way it is written, it seems quite plausible that it also applies to inherit owner.

inherit permissions (S)
Note that the setuid bit is /never/ set via inheritance (the code explicitly prohibits this).

Dale

jw wrote:
> On Wed, Aug 19, 2009 at 3:22 AM, Charles Marcus <cmar...@media-brokers.com> wrote:
> > ? He said 0775, not 7775
>
> Well, I need the sticky bit set (see my previous reply). So I have tried 1775, 3775, and 7775, all with the same results. If I use 0775, the sticky bit is masked out, which will not work for me. Or do I misunderstand 'directory mask' ?
>
> Regardless, it doesn't work for 0775, either (correct owner, but sticky bit not set).
>
> -John
Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'
On Tue, Aug 18, 2009 at 08:09:00PM -0700, jw wrote:
> On Tue, Aug 18, 2009 at 3:11 PM, Jeremy Allison <j...@samba.org> wrote:
> > To allow these to apply to the new directory, set :
> >
> > directory mask = 0775
> >
> > The reason you're not getting 775 perms on the new directory is that the default directory mask is 0755, which masks out the write permission for the group. Just setting inherit owner, and directory mask = 0775 should be enough.
>
> Hi,
>
> I gave this a shot, but it's still not quite doing what I would expect. I have:
>
> inherit owner = yes
> directory mask = 7775
>
> And this produces:
>
> drwxrwxr-x 2 nobody sambaguest 512 Aug 18 19:54 New Folder (20)
>
> The problem is the sticky bit is not set. I want the sticky bit to be set so that new files created under this directory cannot be edited once created.

Ah ok, you originally complained about not getting the right group permissions, not the sticky bit.

The sticky bit is not automatically inherited by UNIX. Let me look into this a little more...

Jeremy.
Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'
On Tue, Aug 18, 2009 at 08:09:00PM -0700, jw wrote:
> On Tue, Aug 18, 2009 at 3:11 PM, Jeremy Allison <j...@samba.org> wrote:
> > To allow these to apply to the new directory, set :
> >
> > directory mask = 0775
> >
> > The reason you're not getting 775 perms on the new directory is that the default directory mask is 0755, which masks out the write permission for the group. Just setting inherit owner, and directory mask = 0775 should be enough.
>
> Hi,
>
> I gave this a shot, but it's still not quite doing what I would expect. I have:
>
> inherit owner = yes
> directory mask = 7775
>
> And this produces:
>
> drwxrwxr-x 2 nobody sambaguest 512 Aug 18 19:54 New Folder (20)
>
> The problem is the sticky bit is not set. I want the sticky bit to be set so that new files created under this directory cannot be edited once created.

Ok, this works with 3.4.0. You need to set:

inherit owner = yes
inherit permissions = yes
directory mask = 07775

Jeremy.
Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'
On Wed, Aug 19, 2009 at 10:35 AM, Dale Schroeder <d...@briannassaladdressing.com> wrote:
> John,
>
> The following quote comes from the SWAT description of the inherit permissions parameter. From the way it is written, it seems quite plausible that it also applies to inherit owner.
>
> inherit permissions (S)
> Note that the setuid bit is never set via inheritance (the code explicitly prohibits this).

I don't actually care about the setuid bit. I think I was playing with it earlier so you might see it in the permissions.

What I am interested in is the sticky bit - getting that inherited. The docs only mention the sticky bit with regard to permissions.

Another way for me to accomplish this is to turn on suiddir in my kernel (perhaps what you were hinting at?), but I'm trying to avoid it...

-John
Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'
On Wed, Aug 19, 2009 at 11:20 AM, Jeremy Allison <j...@samba.org> wrote:
> Ok, this works with 3.4.0. You need to set:
>
> inherit owner = yes
> inherit permissions = yes
> directory mask = 07775

Isn't that one too many characters in the mask?

Regardless, I tried 07775 (as written), 0775, and 7775 just now via smbclient. The directory bits are correct (including sticky), but the owner is NOT inherited. It is the samba guest account, not the directory owner.

drwxrwxr-t 2 sambaguest sambaguest 512 Aug 19 13:15 foodir3

I'll try from a genuine Win box when I get home, but I expect the results will be the same.

I am using samba 3.3.6 - apparently there is no 3.4.0 port for FreeBSD (I could not find one). Perhaps I will try downloading a tarball or using samba4-devel... It seems strange that something like this would be so broken on an up-to-date 3.3.6 though..

Would you mind showing me your full config for your working case, and the directory permissions / ownership on your share (privately, if you like) ?

-John
Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'
On Wed, Aug 19, 2009 at 1:02 PM, jw <jwde...@gmail.com> wrote:
> What I am interested in is the sticky bit - getting that inherited. The docs only mention the sticky bit with regard to permissions.

Whoops - that should read with regard to *printer* permissions

-John
Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'
On Wed, Aug 19, 2009 at 01:29:51PM -0700, jw wrote:
> On Wed, Aug 19, 2009 at 11:20 AM, Jeremy Allison <j...@samba.org> wrote:
> > Ok, this works with 3.4.0. You need to set:
> >
> > inherit owner = yes
> > inherit permissions = yes
> > directory mask = 07775
>
> Isn't that one too many characters in the mask?

No. The sticky bit is 01000 so you need the extra 7 to make sure it isn't masked.

> The directory bits are correct (including sticky), but the owner is NOT inherited. It is the samba guest account, not the directory owner.

This is working here, don't know why not in your case.

> It seems strange that something like this would be so broken on an up-to-date 3.3.6 though..

I don't think it is.

> Would you mind showing me your full config for your working case, and the directory permissions / ownership on your share (privately, if you like) ?

ls -ld /tmp/myshare
drwsrwsr-t 3 nobody eng 4096 Aug 19 11:19 /tmp/myshare

smb.conf stanza:

[tmpperms]
path = /tmp/myshare
read only = no
inherit owner = yes
inherit permissions = yes
directory mask = 07775

I connect with smbclient and do mkdir foo and I get :

ls -ld /tmp/myshare/foo/
drwxrwsr-t 2 nobody eng 4096 Aug 19 11:19 /tmp/myshare/foo/

Jeremy.
Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'
On Wed, Aug 19, 2009 at 1:35 PM, Jeremy Allison <j...@samba.org> wrote:
> On Wed, Aug 19, 2009 at 01:29:51PM -0700, jw wrote:
> > On Wed, Aug 19, 2009 at 11:20 AM, Jeremy Allison <j...@samba.org> wrote:
> > Would you mind showing me your full config for your working case, and the directory permissions / ownership on your share (privately, if you like) ?
>
> ls -ld /tmp/myshare
> drwsrwsr-t 3 nobody eng 4096 Aug 19 11:19 /tmp/myshare
>
> smb.conf stanza:
>
> [tmpperms]
> path = /tmp/myshare
> read only = no
> inherit owner = yes
> inherit permissions = yes
> directory mask = 07775
>
> I connect with smbclient and do mkdir foo and I get :
>
> ls -ld /tmp/myshare/foo/
> drwxrwsr-t 2 nobody eng 4096 Aug 19 11:19 /tmp/myshare/foo/

But by default, samba's guest account is 'nobody', right? So with what you have, if you create the directory with smbclient, I imagine you can rename it once it's created? I want to prevent that. That is why the config in my original email has

guest account = sambaguest

Could you try on your side again with 'guest account' set to something other than 'nobody' ? Presumably an account that is still in the 'eng' group, so the group write permissions still allow you to create a new directory in the first place.

-John
Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'
On Wed, Aug 19, 2009 at 01:41:51PM -0700, jw wrote:
> On Wed, Aug 19, 2009 at 1:35 PM, Jeremy Allison <j...@samba.org> wrote:
> > On Wed, Aug 19, 2009 at 01:29:51PM -0700, jw wrote:
> > > On Wed, Aug 19, 2009 at 11:20 AM, Jeremy Allison <j...@samba.org> wrote:
> > > Would you mind showing me your full config for your working case, and the directory permissions / ownership on your share (privately, if you like) ?
> >
> > ls -ld /tmp/myshare
> > drwsrwsr-t 3 nobody eng 4096 Aug 19 11:19 /tmp/myshare
> >
> > smb.conf stanza:
> >
> > [tmpperms]
> > path = /tmp/myshare
> > read only = no
> > inherit owner = yes
> > inherit permissions = yes
> > directory mask = 07775
> >
> > I connect with smbclient and do mkdir foo and I get :
> >
> > ls -ld /tmp/myshare/foo/
> > drwxrwsr-t 2 nobody eng 4096 Aug 19 11:19 /tmp/myshare/foo/
>
> But by default, samba's guest account is 'nobody', right? So with what you have, if you create the directory with smbclient, I imagine you can rename it once it's created? I want to prevent that. That is why the config in my original email has
>
> guest account = sambaguest
>
> Could you try on your side again with 'guest account' set to something other than 'nobody' ? Presumably an account that is still in the 'eng' group, so the group write permissions still allow you to create a new directory in the first place.

Well I'm creating the directory with a logged in user of jra, who is in the eng group. I don't think the setting of the guest account has anything to do with it as I'm not logging in as guest at all.

Jeremy
Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'
On Wed, Aug 19, 2009 at 1:44 PM, Jeremy Allison <j...@samba.org> wrote:
> Well I'm creating the directory with a logged in user of jra, who is in the eng group. I don't think the setting of the guest account has anything to do with it as I'm not logging in as guest at all.

Hmm.. Well I switched to 'security = user' and created an account, made a new share that looks exactly like yours, made the directory permissions match yours (except my group name is different), and created the dir with smbclient and the authenticated samba user, but no joy. Still the owner of the new dir is that of the creating user, not the parent directory.

This is starting to feel like a bug. Or some simple setting (or default) that I am missing. I will have to wait until tonight to look at it more.

-John
Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'
On Wed, Aug 19, 2009 at 02:16:54PM -0700, jw wrote:
> On Wed, Aug 19, 2009 at 1:44 PM, Jeremy Allison <j...@samba.org> wrote:
> > Well I'm creating the directory with a logged in user of jra, who is in the eng group. I don't think the setting of the guest account has anything to do with it as I'm not logging in as guest at all.
>
> Hmm.. Well I switched to 'security = user' and created an account, made a new share that looks exactly like yours, made the directory permissions match yours (except my group name is different), and created the dir with smbclient and the authenticated samba user, but no joy. Still the owner of the new dir is that of the creating user, not the parent directory.

Not happening on my system. The inherit owner works as specified.

Jeremy.
Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'
On Wed, Aug 19, 2009 at 2:53 PM, Jeremy Allison <j...@samba.org> wrote:
> Not happening on my system. The inherit owner works as specified.

What OS are you running? I have tried on a second FreeBSD-7.2 system, with never-before-installed samba 3.2, and it does not work there either.

-John
Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'
On Wed, Aug 19, 2009 at 07:55:45PM -0700, jw wrote:
> On Wed, Aug 19, 2009 at 2:53 PM, Jeremy Allison <j...@samba.org> wrote:
> > Not happening on my system. The inherit owner works as specified.
>
> What OS are you running? I have tried on a second FreeBSD-7.2 system, with never-before-installed samba 3.2, and it does not work there either.

Ubuntu Linux 8.10 equivalent. I've been testing 3.4.0, but I'll also try 3.2.latest tomorrow and I'll see if it does the same.

Jeremy.
Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'
On Tue, Aug 18, 2009 at 8:48 AM, jw <jwde...@gmail.com> wrote:
> Hello
>
> I am trying to create a 'dropbox' share, using the sticky bit and 'inherit owner'. By themselves they work, but when a directory is created in this share, its permissions are not quite what I need. Therefore, I try to use 'force directory mode' or 'inherit permissions'. However, whenever I do that, the owner on the newly-created directory is no longer correct w/regard to 'inherit owner'.
>
> Is this correct behavior, or a bug?
>
> Here are details:
>
> The directory I'm sharing:
>
> drwsrwsr-t 2 nobody sambaguest 512 Aug 17 22:18 myshare
>
> My smb.config (well, the relevant part):
>
> # ... snip
> guest account = sambaguest
> # ... snip
> [myshare]
> comment = my share
> path = /path/to/myshare
> public = yes
> read only = no
> writable = yes
> browseable = yes
> printable = no
> inherit owner = yes
> #inherit permissions = yes
> #directory mode = 3770
> #force directory mode = 3770
>
> As it is written above, when I create a directory from a windows box it looks like:
>
> drwxr-xr-x 2 nobody sambaguest 512 Aug 17 22:19 New Folder
>
> Correct ownership but I want group write and the sticky bit to be set, as in the parent directory.
>
> So I uncomment 'inherit permissions', create another directory, and get:
>
> drwxr-xr-x 2 nobody sambaguest 512 Aug 17 22:26 New Folder (2)
>
> No change. Anyone know why inherit permissions would have no effect here? I would expect the sticky bit, sgid, and the group-write of the parent directory to apply to the new directory.
>
> So I comment 'inherit permissions' back out, and instead try the pair of lines with 'directory mode' and 'force directory mode'. Then a newly created dir looks like:
>
> drwxrwsr-t 2 sambaguest sambaguest 512 Aug 17 22:32 New Folder (3)
>
> ARG! Perfect permissions, but the user is wrong, which lets people modify (rename, delete, etc) the directory. Normally, the sticky bit would prevent this since the owner would be 'nobody'. But now the owner is 'sambaguest', so users can wreak havoc on these newly created dirs...
>
> Can anybody explain to me what I'm missing? I have researched this a bit and tried various things, but nothing has worked so far...
>
> This is Samba 3.3.6 on FreeBSD 7.2-RELEASE
>
> Thanks,
> John
> --

force user = nobody

maybe this could help you?
Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'
On Mon, Aug 17, 2009 at 10:48:04PM -0700, jw wrote:
> Hello
>
> I am trying to create a 'dropbox' share, using the sticky bit and 'inherit owner'. By themselves they work, but when a directory is created in this share, its permissions are not quite what I need. Therefore, I try to use 'force directory mode' or 'inherit permissions'. However, whenever I do that, the owner on the newly-created directory is no longer correct w/regard to 'inherit owner'.
>
> Is this correct behavior, or a bug?
>
> Here are details:
>
> The directory I'm sharing:
>
> drwsrwsr-t 2 nobody sambaguest 512 Aug 17 22:18 myshare
>
> My smb.config (well, the relevant part):
>
> # ... snip
> guest account = sambaguest
> # ... snip
> [myshare]
> comment = my share
> path = /path/to/myshare
> public = yes
> read only = no
> writable = yes
> browseable = yes
> printable = no
> inherit owner = yes
> #inherit permissions = yes
> #directory mode = 3770
> #force directory mode = 3770
>
> As it is written above, when I create a directory from a windows box it looks like:
>
> drwxr-xr-x 2 nobody sambaguest 512 Aug 17 22:19 New Folder
>
> Correct ownership but I want group write and the sticky bit to be set, as in the parent directory.

To allow these to apply to the new directory, set :

directory mask = 0775

The reason you're not getting 775 perms on the new directory is that the default directory mask is 0755, which masks out the write permission for the group. Just setting inherit owner, and directory mask = 0775 should be enough.

Jeremy.
Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'
On Tue, Aug 18, 2009 at 3:11 PM, Jeremy Allison <j...@samba.org> wrote:
> To allow these to apply to the new directory, set :
>
> directory mask = 0775
>
> The reason you're not getting 775 perms on the new directory is that the default directory mask is 0755, which masks out the write permission for the group. Just setting inherit owner, and directory mask = 0775 should be enough.

Hi,

I gave this a shot, but it's still not quite doing what I would expect. I have:

inherit owner = yes
directory mask = 7775

And this produces:

drwxrwxr-x 2 nobody sambaguest 512 Aug 18 19:54 New Folder (20)

The problem is the sticky bit is not set. I want the sticky bit to be set so that new files created under this directory cannot be edited once created.

I tried various permutations of 'directory mask', 'force user' (thanks Liutauras), 'directory mode' and 'force directory mode', and it seems to be the case that whenever I get the correct user, the sticky bit is not set, and vice-versa. This seems to be independent of the other directory permissions...

For instance, I now have this config:

inherit owner = yes
#force user = nobody
directory mode =
force directory mode = 3770
directory mask =

And a new directory looks like:

drwxrwsrwt 2 sambaguest sambaguest 512 Aug 18 20:05 New Folder (26)

Correct sticky bit, wrong owner. Then I toggle the commented 'force user' line, and I get:

drwxrwxrwx 2 nobody sambaguest 512 Aug 18 20:05 New Folder (27)

Correct owner, but no sticky bit.

Any more thoughts?

Thanks everyone for looking at this

-John
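
A check for the two conditions this thread keeps trading off (sticky bit set, owner inherited from the share root), added here as an example and not posted by anyone in the thread. The names `audit_dropbox` and `make_fixture` and the sample directory tree are constructed for illustration; run it on the server against the share path after creating test directories over SMB.

```shell
#!/bin/sh
# Added example: audit a drop-box share tree on the server side.
# Function names and the sample tree are made up for illustration.

# audit_dropbox ROOT [OWNER]
# Prints one "reason<TAB>path" line per offending directory under ROOT:
#   no-sticky    sticky bit (01000) missing, so anyone with write access to
#                that directory can rename or delete other users' entries
#   wrong-owner  not owned by OWNER (default: the owner of ROOT), meaning
#                ownership was not inherited and the creating account, as
#                owner of the entry, may still rename or delete it
audit_dropbox() {
    root=$1
    # Field 3 of "ls -ld" is the owner name on both Linux and FreeBSD.
    owner=${2:-$(ls -ld "$root" | awk '{print $3}')}
    find "$root" -type d ! -perm -1000 \
        -exec printf 'no-sticky\t%s\n' {} \;
    find "$root" -type d ! -user "$owner" \
        -exec printf 'wrong-owner\t%s\n' {} \;
}

# Constructed sample tree: the root and "ok" carry the sticky bit,
# "loose" does not. Prints the path of the temporary root.
make_fixture() {
    t=$(mktemp -d) || return 1
    mkdir "$t/ok" "$t/loose"
    chmod 1775 "$t" "$t/ok"
    chmod 0775 "$t/loose"
    printf '%s\n' "$t"
}

if [ "$#" -gt 0 ]; then
    # Real use: audit_dropbox.sh /path/to/myshare [expected-owner]
    audit_dropbox "$@"
else
    # No arguments: demonstrate on the constructed tree, then clean up.
    fixture=$(make_fixture) && audit_dropbox "$fixture"
    rm -rf "$fixture"
fi
```

An empty result means every directory under the share has the sticky bit and the expected owner; any output line names a directory where one of the two was lost.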