Re: [Samba] Enforcing filesystem permissions

2010-10-04 Thread Dale Schroeder

 Dennis,

Maybe this instead:


 inherit permissions (S)

   The permissions on new files and directories are normally governed
   by create mask
   http://debpdc:901/swat/help/manpages/smb.conf.5.html#CREATEMASK,
   directory mask
   http://debpdc:901/swat/help/manpages/smb.conf.5.html#DIRECTORYMASK, force
   create mode
   http://debpdc:901/swat/help/manpages/smb.conf.5.html#FORCECREATEMODE
   and force directory mode
   http://debpdc:901/swat/help/manpages/smb.conf.5.html#FORCEDIRECTORYMODE
   but the boolean inherit permissions parameter overrides this.

   New directories inherit the mode of the parent directory, including
   bits such as setgid.

   New files inherit their read/write bits from the parent directory.
   Their execute bits continue to be determined by map archive
   http://debpdc:901/swat/help/manpages/smb.conf.5.html#MAPARCHIVE,
   map hidden
   http://debpdc:901/swat/help/manpages/smb.conf.5.html#MAPHIDDEN and
   map system
   http://debpdc:901/swat/help/manpages/smb.conf.5.html#MAPSYSTEM as
   usual.

   Note that the setuid bit is /never/ set via inheritance (the code
   explicitly prohibits this).

   This can be particularly useful on large systems with many users,
   perhaps several thousand, to allow a single [homes] share to be used
   flexibly by each user.

   Default: inherit permissions = no


Dale


On 10/04/2010 11:00 AM, Dennis Jacobfeuerborn wrote:

Hi,
I'm trying to get samba to force a certain set of permissions for 
files and directories but so far I don't have much success. This is 
what I'm trying to enforce:


create mask = 0770
security mask = 0770
directory mask = 0770
directory security mask = 0770
force create mode = 0660
force security mode = 0660
force directory mode = 0770
force directory security mode = 0770
force group = publisher

Yet when a client creates a directory it ends up with the permissions 
set to 755 instead. My guess is that the client changes the 
permissions after the directory is created so I'm wondering how I can 
prevent that from happening.
What I'm trying to accomplish is to make it possible for members of 
the group publisher to always read/write each other's files and enter 
directories.


Regards,
  Dennis

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Enforcing filesystem permissions

2010-10-04 Thread Dennis Jacobfeuerborn
That's a possible way but this would be more of a workaround rather than a 
solution. I'd still like to know why the permissions end up all wrong.
Also this only deals with the permissions during the creation of the 
directory. If the reason for the messed up permissions is indeed that the 
client changes them afterwards then this will probably still happen even 
with this option set.


Regards,
  Dennis

On 10/04/2010 08:54 PM, Dale Schroeder wrote:

  Dennis,

Maybe this instead:


  inherit permissions (S)

The permissions on new files and directories are normally governed by
create mask
http://debpdc:901/swat/help/manpages/smb.conf.5.html#CREATEMASK,
directory mask
http://debpdc:901/swat/help/manpages/smb.conf.5.html#DIRECTORYMASK,
force create mode
http://debpdc:901/swat/help/manpages/smb.conf.5.html#FORCECREATEMODE
and force directory mode
http://debpdc:901/swat/help/manpages/smb.conf.5.html#FORCEDIRECTORYMODE
but the boolean inherit permissions parameter overrides this.

New directories inherit the mode of the parent directory, including
bits such as setgid.

New files inherit their read/write bits from the parent directory.
Their execute bits continue to be determined by map archive
http://debpdc:901/swat/help/manpages/smb.conf.5.html#MAPARCHIVE, map
hidden http://debpdc:901/swat/help/manpages/smb.conf.5.html#MAPHIDDEN
and map system
http://debpdc:901/swat/help/manpages/smb.conf.5.html#MAPSYSTEM as usual.

Note that the setuid bit is /never/ set via inheritance (the code
explicitly prohibits this).

This can be particularly useful on large systems with many users,
perhaps several thousand, to allow a single [homes] share to be used
flexibly by each user.

Default: inherit permissions = no


Dale


On 10/04/2010 11:00 AM, Dennis Jacobfeuerborn wrote:

Hi,
I'm trying to get samba to force a certain set of permissions for files
and directories but so far I don't have much success. This is what I'm
trying to enforce:

create mask = 0770
security mask = 0770
directory mask = 0770
directory security mask = 0770
force create mode = 0660
force security mode = 0660
force directory mode = 0770
force directory security mode = 0770
force group = publisher

Yet when a client creates a directory it ends up with the permissions set
to 755 instead. My guess is that the client changes the permissions after
the directory is created so I'm wondering how I can prevent that from
happening.
What I'm trying to accomplish is to make it possible for members of the
group publisher to always read/write each other's files and enter
directories.

Regards,
Dennis
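
An added example, not part of the thread: whether the 755 comes from creation or from a later client-side change, the result can be checked on disk by treating each mask from the posted smb.conf fragment as the bits a mode may contain and each force mode as the bits it must contain. The function names, the optional `expected_gid` parameter and the sample tree are assumptions made for this sketch.

```python
import os
import stat
import tempfile

# Policy from the smb.conf fragment in the thread: a "mask" is the set of bits
# a mode may contain, a "force" mode is the set of bits it must contain.
FILE_MASK, FILE_FORCE = 0o770, 0o660   # create mask / force create mode
DIR_MASK, DIR_FORCE = 0o770, 0o770     # directory mask / force directory mode


def check_mode(mode, mask, force):
    """Return (extra, missing): bits outside the mask, and forced bits absent."""
    perms = mode & 0o777               # setuid/setgid/sticky are not judged here
    return perms & ~mask & 0o777, force & ~perms


def audit_share(root, expected_gid=None):
    """Walk a share and list entries whose on-disk mode breaks the policy."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISDIR(st.st_mode):
                extra, missing = check_mode(st.st_mode, DIR_MASK, DIR_FORCE)
            elif stat.S_ISREG(st.st_mode):
                extra, missing = check_mode(st.st_mode, FILE_MASK, FILE_FORCE)
            else:
                continue               # symlinks, sockets etc. are out of scope
            wrong_group = expected_gid is not None and st.st_gid != expected_gid
            if extra or missing or wrong_group:
                findings.append({"path": os.path.relpath(path, root),
                                 "mode": oct(st.st_mode & 0o777), "extra": oct(extra),
                                 "missing": oct(missing), "wrong_group": wrong_group})
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Constructed tree: one compliant directory, one 755 directory as in the post."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("good", 0o770), ("bad", 0o755)):
            os.mkdir(os.path.join(root, name))
            os.chmod(os.path.join(root, name), mode)
        return audit_share(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

For the 755 directory the audit reports extra bits `0o5` (read and execute for others) and missing bit `0o20` (group write), which is the gap that stops other group members from writing into it.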

