Hello,

When vfs_fruit is enabled on a share and "inherit permissions = yes", when new files and directories are created by a Macintosh "other" is able to read the file or directory, even when "other" has no read (write or execute) permission on the parent directory. Windows and Linux create new files and directories with "other" having no read (write or execute) permissions, just like the parent directory. If vfs_fruit is off, the Macintosh creates files and directories with the same permissions as files/dirs created by Windows and Linux.

I believe vfs_fruit has a bug in the permissions it gives new files/directories which leads to the files/dirs being world readable.

Macintosh used was running "El Capitan" 10.11.6.

Example file listing:

vfs_fruit On:

    drwxrwx---+ 1 smbadmin smbadmin 326 Nov 18 09:57 .
    drwxr-xr-x  1 root     root      22 Nov 18 09:48 ..
    -rwxrwx---+ 1 cwseys   cwseys     0 Nov 18 09:55 createdOnLinuxWithFruit
    -rw-rwxr--+ 1 cwseys   cwseys   358 Nov 18 09:51 createdOnMacWithFruit.rtf
    -rwxrwx---+ 1 cwseys   cwseys     0 Nov 18 09:57 createdOnWinWithFruit.txt
    drwxrwx---+ 1 cwseys   cwseys     0 Nov 18 09:55 folderOnLinuxWithFruit
    drwxrwxr-x+ 1 cwseys   cwseys     0 Nov 18 10:15 folderOnMacWithFruit
    drwxrwx---+ 1 cwseys   cwseys     0 Nov 18 09:57 folderOnWinWithFruit

vfs_fruit off:

    drwxrwx---+ 1 smbadmin smbadmin 454 Nov 18 10:19 .
    drwxr-xr-x  1 root     root      22 Nov 18 09:48 ..
    -rwxrwx---+ 1 cwseys   cwseys     0 Nov 18 10:18 createdOnLinuxNoFruit
    -rwxrwx---+ 1 cwseys   cwseys   368 Nov 18 09:53 ._createdOnMacNoFruit.rtf
    -rwxrwx---+ 1 cwseys   cwseys   358 Nov 18 09:51 createdOnMacNoFruit.rtf
    -rwxrwx---+ 1 cwseys   cwseys     0 Nov 18 10:19 createdOnWinNoFruit.txt

    # getfacl .
    # file: .
    # owner: smbadmin
    # group: smbadmin
    user::rwx
    user:cwseys:rwx
    group::rwx
    group:cwseys:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:cwseys:rwx
    default:group::rwx
    default:group:cwseys:rwx
    default:mask::rwx
    default:other::---

smb.conf:

    # Global parameters
    [global]
        realm = PHYSICS.WISC.EDU
        server string = %h server
        workgroup = PHYSICS
        max log size = 100000
        syslog = 0
        panic action = /usr/share/samba/panic-action %d
        kerberos method = secrets and keytab
        map to guest = Bad User
        security = ADS
        server signing = required
        hostname lookups = Yes
        dns proxy = No
        idmap config * : backend = tdb

    [fruit]
        path = /srv/fruit
        ea support = Yes
        inherit acls = Yes
        inherit permissions = Yes
        read only = No
        vfs objects = btrfs catia fruit streams_xattr

Thanks for all your work!
C.
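A way to spot the exposure described in this report from an "ls -la" listing of the share directory, written as an added example rather than anything from the report or from Samba: it parses each entry's mode string, takes "." as the parent, and flags every entry that grants a permission class (user, group or other) a bit the parent does not grant. It generalizes the report's observation slightly by checking all three classes, not only "other". The embedded listing is the report's "vfs_fruit On" output, copied as constructed sample input.

```python
import re

# Sample input: the "vfs_fruit On" listing from the report, one entry per line.
LISTING_FRUIT_ON = """\
drwxrwx---+ 1 smbadmin smbadmin 326 Nov 18 09:57 .
drwxr-xr-x 1 root root 22 Nov 18 09:48 ..
-rwxrwx---+ 1 cwseys cwseys 0 Nov 18 09:55 createdOnLinuxWithFruit
-rw-rwxr--+ 1 cwseys cwseys 358 Nov 18 09:51 createdOnMacWithFruit.rtf
-rwxrwx---+ 1 cwseys cwseys 0 Nov 18 09:57 createdOnWinWithFruit.txt
drwxrwx---+ 1 cwseys cwseys 0 Nov 18 09:55 folderOnLinuxWithFruit
drwxrwxr-x+ 1 cwseys cwseys 0 Nov 18 10:15 folderOnMacWithFruit
drwxrwx---+ 1 cwseys cwseys 0 Nov 18 09:57 folderOnWinWithFruit
"""

# mode (with optional ACL marker such as '+'), links, owner, group, size,
# month, day, time or year, then the name.
LS_LINE = re.compile(
    r"^([-dl][rwxsStT-]{9})[+@.]?\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$"
)

def mode_bits(mode_str):
    """Return (user, group, other) as 3-bit ints from an ls mode string."""
    perms = mode_str[1:10]
    classes = []
    for i in range(0, 9, 3):
        value = 0
        for ch, bit in zip(perms[i:i + 3], (4, 2, 1)):
            # lowercase 's'/'t' carry the execute bit; 'S'/'T' and '-' do not
            if ch != "-" and not ch.isupper():
                value |= bit
        classes.append(value)
    return tuple(classes)

def find_overexposed(listing):
    """Return [(name, class, extra_bits)] for entries that grant any
    permission bit the parent directory ('.') does not grant."""
    entries = {}
    for line in listing.splitlines():
        match = LS_LINE.match(line)
        if match:
            entries[match.group(2)] = mode_bits(match.group(1))
    parent = entries["."]
    findings = []
    for name, bits in entries.items():
        if name in (".", ".."):
            continue  # the parent itself and its own parent are not children
        for cls, child, par in zip(("user", "group", "other"), bits, parent):
            extra = child & ~par
            if extra:
                findings.append((name, cls, extra))
    return findings
```

On the report's listing only the two Mac-created entries are flagged, both for the "other" class.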
Hi Ralph,

[from samba mailing list]
> it's a global option. Have you put it in the global or a share section?

Thanks for the hint! After putting it in the global options the create mode mimics the parent directory as one would expect from

    inherit permissions = yes
    inherit acls = yes

If possible it would be less dangerous (security-wise) not to have the fruit:nfs_aces setting interact with 'inherit permissions' and 'inherit acls'. Or at least the default setting of nfs_aces should not interact, with a big warning/explanation of how changing to nfs_aces = yes will interact.

Thanks again!
Chad.