Bug #2039
Samba: file permissions not inherited when POSIX ACL is present
Status: | CLOSED | Start date: | 07/01/2013 | |
---|---|---|---|---|
Priority: | Normal | Due date: | 07/02/2013 | |
Assignee: | - | % Done: | 100% | |
Category: | nethserver-samba | |||
Target version: | v6.4-beta2 | |||
Security class: | Resolution: | |||
Affected version: | v6.4-beta1 | NEEDINFO: | No |
Description
Step to reproduce
- Install nethserver-ibays-2.0.0, nethserver-samba-1.2.1
- Create user1 and group1 (user1 set as member)
- Create a "pub" ibay, with group1 as owner (write permissions)
- Upload a file
File permissions are inherited (0660) correctly. But if a POSIX ACL is set on the pub/ directory after a file has been transferred into "pub" folder, NT_STATUS_NOT_FOUND error is returned and POSIX ACL on the file is
# getfacl /var/lib/nethserver/ibay/pub/COPYING getfacl: Removing leading '/' from absolute path names # file: var/lib/nethserver/ibay/pub/COPYING # owner: root # group: group1 user::rwx user:nobody:r-x #effective:r-- group::rwx #effective:r-- mask::r-- other::---
To set an ACL, for instance, you can grant read only
access to guest users in from Shared folder UI module.
Associated revisions
/etc/samba/smb.conf template (ibay-default/20profile_default): Add group write bit to default create mask. Refs #2039
/etc/samba/smb.conf: Fixed "value is not boolean!" warning. Comments must begin a line. Refs #2039
History
#1 Updated by Davide Principi about 8 years ago
- Description updated (diff)
NOTE: To set an ACL, for instance, you can grant read only
access to guest users in from Shared folder UI module.
#2 Updated by Davide Principi about 8 years ago
- Due date set to 07/02/2013
- Status changed from NEW to TRIAGED
- Assignee set to Davide Principi
- Start date set to 07/01/2013
- % Done changed from 0 to 20
- Estimated time set to 6.00
#3 Updated by Davide Principi about 8 years ago
- Status changed from TRIAGED to ON_DEV
- % Done changed from 20 to 30
Seems that create mask
parameter affects the permission mask despite inherit permissions = Yes
and the smb.conf
man page:
inherit permissions (S)
The permissions on new files and directories are normally governed by
create mask, directory mask, force create mode and force directory mode
but the boolean inherit permissions parameter overrides this.
See also create mask (S)
On samba.org website create mask is described differently:
http://www.samba.org/samba/docs/using_samba/ch08.html#samba2-CHP-8-TABLE-2
create mask
Maximum permissions for files created by Samba
Possible solution:
By setting create mask = 0764
file permissions are set correctly.
#4 Updated by Davide Principi about 8 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 70
#5 Updated by Davide Principi about 8 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (
Davide Principi) - % Done changed from 70 to 80
In nethserver-testing:
nethserver-samba-1.3.4-1.ns6.noarch.rpm
#6 Updated by Davide Principi about 8 years ago
- Assignee set to Davide Marini
Test case 0
Please, verify the test cases 1 and 1b fail with nethserver-samba < 1.3.4
- test case 1 should succeed
- test case 1b should fail
Test case 1
- Install nethserver-ibays = 2.0.0, nethserver-samba = 1.3.4
- Create user1 and group1 (user1 set as member)
- Create an ibay "test1", with group1 as owner (write permissions). Don't enable any service or additional ACL on it!
- Upload a file through
smbclient
The upload should be OK
Test case 1b
- Create an ibay "test2", with group1 as owner (write permissions). Enable guest access read permission (to set some POSIX ACLs on the shared folder).
- Upload a file through
smbclient
The upload should be OK
#7 Updated by Davide Principi about 8 years ago
Please note,
Davide Principi wrote:
Test case 0
Please, verify the
test cases 1 and 1b failwith nethserver-samba < 1.3.4
test case 1 should succeed
test case 1b should fail
#8 Updated by Davide Principi about 8 years ago
A small syntax fix for smb.conf that does not alter the previous configuration...
In nethserver-testing:
nethserver-samba-1.3.5-1.ns6.noarch.rpm
#9 Updated by Davide Marini about 8 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 80 to 100
Now it works
#10 Updated by Davide Principi about 8 years ago
- Assignee deleted (
Davide Marini)
Can't release this package until other nethserver-samba
tests are completed
#11 Updated by Davide Principi about 8 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
Moved to nethserver-updates repository