#1 2016-11-05 15:30:24

Soukyuu
Member
Registered: 2014-04-08
Posts: 854

Samba: forcing specific user:group & perms for copied files

Since sshfs has failed me, I am now trying to set up a samba share that
- is working for both linux and windows clients ✓
- forces a certain group for newly created files ✓
- forces a certain group for copied files ✓
- forces rw- permissions for newly created files ✓
- forces rw- permissions for copied files

As you can see, I got pretty far already, but the last point is missing.
At the moment, they keep the permissions they have on the client's PC, e.g. on my linux PC that would be "rw-r--r--".

lahwaacz wrote:

Even when copied with cp --no-preserve=mode?

Yes.

I use the following for the share definition in my smb.conf:

[share]
  path = /data/Share
  read only = no
  valid users = @sambashare
  guest ok = no

  force group = sambashare

  create mask = 660
  force create mode = 660

  directory mask = 2770
  force directory mode = 2770

The share itself has its local permissions set via setfacl to:

# file: data/Share
# owner: azure
# group: sambashare
# flags: -s-
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:other::---

I've also tried setting the "inherit permissions = yes" option, but that doesn't change the behavior in the slightest. The parent directory permissions should have been enforced, but they are not.

Any ideas/suggestions?


[ Arch x86_64 | linux | Framework 13 | AMD Ryzen™ 5 7640U | 32GB RAM | KDE Plasma Wayland ]

#2 2016-11-05 21:35:21

lahwaacz
Wiki Admin
From: Czech Republic
Registered: 2012-05-29
Posts: 749

Re: Samba: forcing specific user:group & perms for copied files

I think you should first decouple the real problem from any networking thingy. As far as I can tell from the description of your setup here and in the linked thread, Samba is not involved at all - it's an ACL issue.

I'm sure you did some background research, but for completeness: there are many similar questions, mostly with misleading answers, but this one seems to be the culprit. I don't have a solution, but hope this helps.

#3 2016-11-05 22:00:35

Soukyuu
Member
Registered: 2014-04-08
Posts: 854

Re: Samba: forcing specific user:group & perms for copied files

You might be right. I just tried copying a file to the share directory server-side (ssh) and it resulted in the wrong permissions, despite default ACLs being present.
But if that's the case then aren't the (default) ACLs useless? The usual use-case is copying/moving files, not creating them.

edit: I guess the explanation in your last link does make sense from the security standpoint, but it's a usability nightmare.
I'm speechless there seems to be no way to actually force certain permissions on linux.

Is the only solution really to write something like a timer script that fixes permissions server-side every x seconds?
Wow.

edit2: But wait, I do NOT have a "mask::r--" entry on that folder, or the test file I copied:

getfacl .
# file: .
# owner: azure
# group: sambashare
# flags: -s-
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:other::---

getfacl testfile
# file: testfile
# owner: azure
# group: sambashare
user::rw-
group::r--
other::r--

So it doesn't seem to be it.

Last edited by Soukyuu (2016-11-05 22:18:46)


[ Arch x86_64 | linux | Framework 13 | AMD Ryzen™ 5 7640U | 32GB RAM | KDE Plasma Wayland ]
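
Added example, not part of the thread or written by its posters: a small Python model of the acl(5) rules for how a directory's default ACL combines with the mode a program passes when it creates a file, and how a later chmod() differs. The default ACL is the one from the getfacl output above; the modes 0666, 0644 and 0600 and all function names are assumptions chosen for illustration.

```python
# Added example: models the acl(5) rules for files created under a default ACL.
# DEFAULT_ACL is copied from the thread's getfacl output; the modes are constructed.
DEFAULT_ACL = """\
default:user::rwx
default:group::rwx
default:other::---
"""
BITS = (("r", 4), ("w", 2), ("x", 1))

def parse_default_acl(text):
    """Return {entry: permission bits} for the default: lines of getfacl output."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("default:"):
            _, tag, qualifier, perms = line.split(":")
            key = f"{tag}:{qualifier}" if qualifier else tag
            acl[key] = sum(bit for ch, (name, bit) in zip(perms, BITS) if ch != "-")
    return acl

def _mode_entries(acl, mode):
    """Pair each ACL entry tied to the mode bits with its three bits of `mode`."""
    # The group bits map to mask:: when a mask exists, otherwise to group::.
    group_class = "mask" if "mask" in acl else "group"
    return [("user", mode >> 6 & 7), (group_class, mode >> 3 & 7), ("other", mode & 7)]

def inherit(default_acl, create_mode):
    """New file: the default ACL is copied, then limited by the mode given to open().
    The umask is not applied when the directory has a default ACL."""
    acl = dict(default_acl)
    for key, bits in _mode_entries(acl, create_mode):
        acl[key] &= bits
    return acl

def chmod(acl, mode):
    """A later chmod() overwrites those entries instead of limiting them."""
    acl = dict(acl)
    for key, bits in _mode_entries(acl, mode):
        acl[key] = bits
    return acl

def render(acl):
    return {k: "".join(c if v & b else "-" for c, b in BITS) for k, v in acl.items()}

if __name__ == "__main__":
    d = parse_default_acl(DEFAULT_ACL)
    print("open(0666):", render(inherit(d, 0o666)))
    print("open(0644):", render(inherit(d, 0o644)))
    print("open(0600) + chmod(0644):", render(chmod(inherit(d, 0o600), 0o644)))
```

In this model the default ACL only ever acts as an upper bound at creation time: a creator that asks for 0644 gets group r--, and any chmod() afterwards replaces the bits regardless of the directory's defaults.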
