Web lists-archives.com

Re: [Samba] Samba-created files with POSIX ACLs gaining execute bit




Hi all,

The part that I don’t understand is why the behavior is different when there are ACLs involved.

Take the below example:

# This share is chmod 777, 
[share1]
path = /srv/share1 # mode is 0777, no ACLs
readonly = no
create mask = 0660

[share2]
path = /srv/share2 # mode is 0770, ACLs
readonly = no
inherit acts = yes
create mask = 0660

share1 acts exactly as expected — I get a 0660 permissions.

[root@samba share1]# pwd && ls -l
/srv/share1
total 0
-rw-rw---- 1 christian root 0 Dec 19 19:17 file

share2, gets 0770 permissions only because there are ACLs applied on the file.

[root@samba share2]# pwd && ls -l
/srv/share2
total 0
-rwxrwx---+ 1 christian root 0 Dec 19 19:17 file

I don’t understand how the execute bit is necessary to map functionality when ACLs are present and not when using traditional Unix permissions — if anything the reverse makes more sense.

This bug report appears to identify exactly where in the code the phenomenon arises from:  https://bugzilla.samba.org/show_bug.cgi?id=12716 <https://bugzilla.samba.org/show_bug.cgi?id=12716>

If this is in fact expected behavior it would be good to document as there seems to be a decent amount of confusing resulting.

Christian

> On Dec 18, 2018, at 12:28 AM, L.P.H. van Belle via samba <samba@xxxxxxxxxxxxxxx> wrote:
> 
> These are the latests.. And the Why, Andrew already explain. 
> Due to the mappings with windows acls. 
> 
> If the exec bit is missing, no windows programm will be allowed to start of a share. 
> If i download an msi file to install and put it on a share, its not allowed to execute it. 
> Which is exact what i want in my case. 
> 
> You might want to read
> https://www.snia.org/sites/default/files/SDC/2016/presentations/smb/Jeremy_Allison_SMB3_and_Linux_A_Seamless_File_Sharing_Protocol.pdf
> https://sambaxp.org/archive_data/media/05-Andreas-Gruenbacher_-_Linux_Samba_and_ACLs.pdf 
> 
> These might help you a bit in understanding that what you want is not always possible..
> 
> Greetz, 
> 
> Louis
> 
> 
> 
>> -----Oorspronkelijk bericht-----
>> Van: christian russell [mailto:christian.baltini@xxxxxxxxx] 
>> Verzonden: dinsdag 18 december 2018 9:02
>> Aan: L.P.H. van Belle
>> CC: samba@xxxxxxxxxxxxxxx
>> Onderwerp: Re: [Samba] Samba-created files with POSIX ACLs 
>> gaining execute bit
>> 
>> Hi Louis,
>> 
>> Those were the docs I initially followed.  I don’t see any 
>> mention in them as to why one would expect unusual (in Unix 
>> terms) execute permission values.
>> 
>> If anybody could point me towards documentation of the 
>> expected permission behavior (esp. with POSIX ACLs) of modern 
>> Samba I would greatly appreciate it.
>> 
>> Christian
>> 
>>> On Dec 17, 2018, at 11:47 PM, L.P.H. van Belle via samba 
>> <samba@xxxxxxxxxxxxxxx> wrote:
>>> 
>>> 
>>> Hai, 
>>> 
>>> The docs shown are a bit old, yes, i suggest start reading these. 
>>> 
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Wind
>> ows_ACLs 
>>> 
>>> 
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs 
>>> 
>>> Look at the smb.conf man and search for acl ( or exec ) 
>>> 
>>> 
>>> Greetz, 
>>> 
>>> Louis
>>> 
>>> 
>>>> -----Oorspronkelijk bericht-----
>>>> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens 
>>>> christian russell via samba
>>>> Verzonden: dinsdag 18 december 2018 4:59
>>>> Aan: Andrew Bartlett
>>>> CC: samba@xxxxxxxxxxxxxxx
>>>> Onderwerp: Re: [Samba] Samba-created files with POSIX ACLs 
>>>> gaining execute bit
>>>> 
>>>> I figured something as much but all the docs I found pointed 
>>>> to the archive, hidden, and readonly attributes touching the 
>>>> execute bits (see here, for example: 
>>>> https://www.samba.org/samba/docs/using_samba/ch08.html#samba2-
>>>> CHP-8-FIG-2 
>>>> <https://www.samba.org/samba/docs/using_samba/ch08.html#samba2
>>>> -CHP-8-FIG-2>).  That’s why I disabled those mappings in my 
>>>> smb.conf.  Granted the docs I found were older — is this 
>>>> handled differently nowadays?
>>>> 
>>>> In any event is there some way to prevent this behavior so I 
>>>> get sane permissions within the *nix environment?
>>>> 
>>>> Thanks very much for your response.
>>>> 
>>>> Christian
>>>> 
>>>>> On Dec 17, 2018, at 7:02 PM, Andrew Bartlett 
>>>> <abartlet@xxxxxxxxx> wrote:
>>>>> 
>>>>> On Mon, 2018-12-17 at 18:56 -0800, christian russell via 
>>>> samba wrote:
>>>>>> Hi all,
>>>>>> 
>>>>>> I have a Samba share set up using POSIX ACLs as the 
>>>> permissions backend.  I am seeing an issue where files 
>>>> created via the Samba get execute permissions whereas files 
>>>> created via shell do not.  
>>>>> 
>>>>> Samba maps the windows execute permission to the posix 
>> one, which is
>>>>> why this happens.
>>>>> 
>>>>> Andrew Bartlett
>>>>> 
>>>>> -- 
>>>>> Andrew Bartlett
>>>>> https://samba.org/~abartlet/
>>>>> Authentication Developer, Samba Team         https://samba.org
>>>>> Samba Development and Support, Catalyst IT   
>>>>> https://catalyst.net.nz/services/samba
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>> 
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>> 
>>> 
>>> 
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>> 
>> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba