Samba – Default File Creation Mask Calculation

permissions, samba

Hi, I have a question for which I can't seem to find a relevant answer. The situation is that I set up a Samba server and am trying to create a file and a folder from a Windows machine. Everything works as expected, but there is the small trouble that Samba removes the x bit from group and others on the file. A simple example:

    drwx--x--x.   4 root root  4096 Dec 13 20:01 smb
    drwxrwx--x. 2 root amikon 4096 Dec 15 22:17 pokus

    [pokus]
    path = /smb/pokus
    public = no
    writable = yes
    valid users = @amikon

    [root@wserver pokus]# ls -l
    drwxr-xr-x. 2 vanek amikon 4096 Dec 21 10:14 dir
    -rwxr--r--. 1 vanek amikon    0 Dec 21 10:14 file.txt

From the many experiments I did, I got the understanding that while creating an entry (file or dir) from Windows, Samba performs a logical AND of the default mask and the rights coming from the Windows machine. This behavior can be more or less influenced by using create mask and force create mode (and the other set for dirs) – works as expected with no problem at all.

I found out that the problem of the missing 0011 persists regardless of using create mask 755 – the x bits are still removed from the file. The only option is to use force create mode 755. After that the bits stay because OR adds them.

I have tested other create mask options and it seems that 0011 is removed from the file every time. 755, 777, 333 … so it looks like it could be some protection mechanism removing x from group and others, preventing scripts from being executed by anybody but the owner?

But my question is about the exact example above. Why is there d755 but -744 as the result? Where exactly did the magic of losing 0011 happen?

Thanks much for any hints.

Best Answer

The magic of losing 0011 happens because it is the default Samba behaviour.

Extract from the doc:

Create mask : The default value of this parameter removes the group and other write and execute bits from the UNIX modes

Default: create mask = 0744

Here is the link : http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

Search for create mask (S)

In this doc, the Samba team does not explain why they chose to implement this default behaviour, but to me it's easy to think of it as a security mechanism (as you mentioned).

You can use the inherit permissions = yes directive to make a new file inherit its parent folder's permissions, but this will not affect the x bit. So, in your case, this will render:

-rwxrw-r--. 1 vanek amikon    0 Dec 21 10:14 file.txt

Also, as you said, to change this behaviour you will have to explicitly define your own mask. Now, the main difference between "create" and "force create" is that :

  • create mask takes permissions away (an AND mask)
  • force create mode adds them after that (an OR mask)

Also, create mask is not able to deal with the x bit for group and others.

So, you may need to deal with both directives to reach some goals.


Let's try some samples :

1) If you only want the x bit for group and others you will have to combine :

    # Remove r bit from group and others
    create mask = 0700
    # Add x bit only to group and others
    force create mode = 0711

Result : -rwx--x--x 1 kris kris 0 Dec 21 14:20 file.txt


2) If you want the r and x bits for group and others, remove create mask directive (because default is already 0744) and just add :

    ;create mask = 0700 #remove r bit from group and others (commented)
    # Add x bit only to group and others
    force create mode = 0711

Result : -rwxr-xr-x 1 kris kris 0 Dec 21 14:17 file.txt


And so on...

Hope it helps you a bit to understand Samba behaviours.
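The AND-then-OR arithmetic discussed in this thread, as an added example that is not part of the original question or answer. It assumes a pre-mask mode of 0766 for files and 0777 for directories (constructed values chosen because they reproduce the listings above), plus the smb.conf defaults force create mode = 0000 and directory mask = 0755, which the thread does not state.

```python
import stat

# Assumptions (not from the thread): the mode Samba derives from the Windows
# request before any masking. Constructed to match the listings on this page.
ASSUMED_FILE_REQUEST = 0o766
ASSUMED_DIR_REQUEST = 0o777

DEFAULT_CREATE_MASK = 0o744        # default quoted in the answer
DEFAULT_FORCE_CREATE_MODE = 0o000  # smb.conf default (assumption, see lead-in)
DEFAULT_DIRECTORY_MASK = 0o755     # smb.conf default (assumption, see lead-in)


def effective_mode(requested, mask, force):
    """AND with the mask first (takes bits away), then OR in the forced bits."""
    return (requested & mask) | force


def new_file(create_mask=DEFAULT_CREATE_MASK,
             force_create_mode=DEFAULT_FORCE_CREATE_MODE):
    """Return the ls-style mode string of a newly created file."""
    mode = effective_mode(ASSUMED_FILE_REQUEST, create_mask, force_create_mode)
    return stat.filemode(stat.S_IFREG | mode)


def new_dir(directory_mask=DEFAULT_DIRECTORY_MASK, force_directory_mode=0o000):
    """Return the ls-style mode string of a newly created directory."""
    mode = effective_mode(ASSUMED_DIR_REQUEST, directory_mask, force_directory_mode)
    return stat.filemode(stat.S_IFDIR | mode)


if __name__ == "__main__":
    scenarios = [
        ("defaults (the question's file.txt)", {}),
        ("create mask = 0755", {"create_mask": 0o755}),
        ("create mask = 0777", {"create_mask": 0o777}),
        ("force create mode = 0755", {"force_create_mode": 0o755}),
        ("sample 1: mask 0700 + force 0711",
         {"create_mask": 0o700, "force_create_mode": 0o711}),
        ("sample 2: default mask + force 0711", {"force_create_mode": 0o711}),
    ]
    for label, kwargs in scenarios:
        print(f"{new_file(**kwargs)}  {label}")
    print(f"{new_dir()}  new directory, defaults")
```

Under these assumptions a wider create mask never restores the group/other x bits, because an AND cannot add bits that were not requested; create mask = 0777 instead leaves the file group- and world-writable.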
