LinuxQuestions.org
Old 11-24-2010, 10:28 AM   #1
nass
Member
 
Registered: Apr 2006
Location: Athens, Greece
Distribution: slack(64|32)_v(13.37|14.0), debian6, ubuntu
Posts: 630

Rep: Reputation: 36
weird permissions in new folder created over samba when extended ACLS are used


Hello everyone,
I'm setting up a common public folder on a file server, but I seem to be getting some permissions different from what I expected.

The folder is /temp which is a separate drive. The fstab entry is:

Quote:
/dev/hda2 /temp xfs defaults 1 2
with permissions:

Quote:
root@halki:/# ls -l /
drwxrwsr--+ 9 root shares 4096 2010-11-24 17:52 temp/
.... (other results truncated)
and its extended ACLS are:

Quote:
root@halki:/temp# getfacl /temp/
getfacl: Removing leading '/' from absolute path names
# file: temp/
# owner: root
# group: shares
user::rwx
group::rwx
other::r--
default:user::rwx
default:group::rwx
default:group:users:r-x
default:mask::rwx
default:other::r--
The 'shares' group is the default write group in /temp (I preferred to use something other than the 'users' group, which is the default for every new user).


Additionally, smb.conf (Samba set to 'share' mode) exports this folder to the network as:

Quote:
[temp]
comment = Temporary file space
path = /temp
read only = no
public = yes
force group = shares
inherit permissions = yes
inherit acls = yes
So I would expect that when I create a new subfolder within /temp from over the network,
it would inherit the permissions from /temp directly or at least from its default ACLs entries.

In contrast to that, I get

Quote:
drwxrwsr-x+ 2 nobody shares 6 2010-11-24 18:24 test/
So the others get an execute permission too...

Where does my train of thought fail me?

Thank you for your help!

EDIT: Obviously I want the permissions to look like those of the /temp folder, that is rwxrwxr--

Last edited by nass; 11-24-2010 at 10:30 AM.
 
Old 11-24-2010, 11:38 AM   #2
jcelle
LQ Newbie
 
Registered: Nov 2010
Location: Nowhere
Distribution: Debian
Posts: 16

Rep: Reputation: 2
Hi !
What about your "directory mask" in smb.conf?
I have no way to test it now, but as it defaults to 755 it could be your problem.
 
1 members found this post helpful.
Old 11-24-2010, 12:00 PM   #3
nass
Member
 
Registered: Apr 2006
Location: Athens, Greece
Distribution: slack(64|32)_v(13.37|14.0), debian6, ubuntu
Posts: 630

Original Poster
Rep: Reputation: 36
Well, that would solve the problem, but I'm looking for the reasoning behind this...

Default ACL for others is ---

It should count somewhere, shouldn't it?
 
Old 11-25-2010, 12:54 AM   #4
jcelle
LQ Newbie
 
Registered: Nov 2010
Location: Nowhere
Distribution: Debian
Posts: 16

Rep: Reputation: 2
A question puzzles me: why would you give r-- right for others on your directory? This will not even allow them to enter/read the directory, as r-x is required for that. In fact, Samba is doing fine in allowing r-x on your sub-folders, as this really corresponds to a read-only setting. What about if you create a file instead?
I really think you should manage this with the 'directory mask' and 'create mask' options in your share's parameters in smb.conf.
 
Old 11-25-2010, 03:08 AM   #5
nass
Member
 
Registered: Apr 2006
Location: Athens, Greece
Distribution: slack(64|32)_v(13.37|14.0), debian6, ubuntu
Posts: 630

Original Poster
Rep: Reputation: 36
Actually you are correct. I thought that others would be able to read from the folder (but not execute anything in it).

So there is no difference between --- and r-- for folders?

As for the directory mask of Samba, indeed it solves the problem, BUT don't you agree that Samba's permissions are ANDed with the directory permissions? So shouldn't Samba's dir 755 be ANDed with the default ACLs (which are there to be inherited) 774 of /temp? That should end up giving subfolder permissions of 754. Instead I get 775... and that seems odd to me.

Creating a new file over Samba, however, I get the expected behaviour, i.e. file permissions are 774...
 
Old 11-26-2010, 12:31 AM   #6
jcelle
LQ Newbie
 
Registered: Nov 2010
Location: Nowhere
Distribution: Debian
Posts: 16

Rep: Reputation: 2
Hi,

The cause is the 'inherit acls' parameter you set to yes. Quoting from the Samba documentation:
Quote:
This parameter can be used to ensure that if default acls exist on parent directories, they are always honored when creating a new file or subdirectory in these parent directories. The default behavior is to use the unix mode specified when creating the directory. Enabling this option sets the unix mode to 0777, thus guaranteeing that default directory acls are propagated.

It seems you cannot do without setting the 'directory mask' parameter.
As for the 'r--' permission on a folder, it has the same effect as '---' indeed. But I wouldn't say this is equal, as the read permission is set, so it could lead to some undetermined leak.

Hope this helps.
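
The kernel rule that the quoted Samba documentation relies on, as an added example that is not part of the thread and not Samba code: per acl(5), a new object takes the parent's default ACL as its access ACL, with the owner, mask and other entries ANDed with the mode passed at creation. The sample text is constructed from the getfacl output in the first post, and the function names are hypothetical; it models only this inheritance step, not any mode changes Samba applies itself.

```python
# Added example (not Samba code); GETFACL_TEXT is constructed from the thread's output.
GETFACL_TEXT = """\
# file: temp/
user::rwx
group::rwx
other::r--
default:user::rwx
default:group::rwx
default:group:users:r-x
default:mask::rwx
default:other::r--
"""

def bits(perm):  # 'r-x' -> 5
    return sum(v for ch, v in zip(perm, (4, 2, 1)) if ch != "-")

def text(n):  # 5 -> 'r-x'
    return "".join(ch if n & v else "-" for ch, v in zip("rwx", (4, 2, 1)))

def default_acl(getfacl_text):
    """Return {(tag, qualifier): permission bits} for the default: entries."""
    acl = {}
    for line in getfacl_text.splitlines():
        line = line.split("#")[0].strip()  # drop headers and '#effective' notes
        if line.startswith("default:"):
            tag, qualifier, perm = line[len("default:"):].split(":")
            acl[(tag, qualifier)] = bits(perm)
    return acl

def group_class(acl):
    """The group permission bits map to the mask entry when one exists."""
    return ("mask", "") if ("mask", "") in acl else ("group", "")

def inherit(default, create_mode):
    """Access ACL of a new object: parent's default ACL limited by create_mode."""
    new = dict(default)
    new[("user", "")] &= (create_mode >> 6) & 7
    new[group_class(new)] &= (create_mode >> 3) & 7
    new[("other", "")] &= create_mode & 7
    return new

def ls_mode(acl):
    """Permission string as ls -l would show it (group column = mask)."""
    return "".join(text(acl[k]) for k in (("user", ""), group_class(acl), ("other", "")))

if __name__ == "__main__":
    for mode in (0o777, 0o755):
        print(oct(mode), ls_mode(inherit(default_acl(GETFACL_TEXT), mode)))
```

Under this rule the create mode can only remove permissions from the inherited entries, never add them; named entries such as group:users are copied unchanged and are limited only through the mask.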
 
  

