samba: invalid permissions on directory '/usr/local/samba/private/msg.sock': has 0750 should be 0700
samba: [2018/04/24 13:45:11.964634, 0] ../lib/util/become_daemon.c:124(exit_daemon)
This is because I use ACLs to allow a backup operator to read the content with a default inheritance mask.
# file: msg.sock
# owner: root
# group: root
Because of the complexity of POSIX ACL management, it's very hard to manage and exclude these.
A better behaviour from samba would be to determine if ACLs are present and then ignore the group setting - alternately, don't *check* the group bits because the file is owned root:root, so it's effectively the same as 700 anyway.
It looks like even if you fix this single ACL, setting ACLs at all breaks the LDAP process and other components from starting.
I have to admit this is going to be very fiddly to fix. What we have right now is simple and safe, and yours is a semi-unusual case.
(In reply to Jeremy Allison from comment #2)
You know, I don't think that's the case. Rather than looking at this as a technical issue look at it from a usability view.
The idea of this behaviour is to prevent data leaks or incorrect permissions, by preventing the service starting (effectively an alarm system).
If root:root owns the files, then because the root user is effectively the same as the root group, it should only matter that the ownership is correct - not the permission bits themselves. The only permission bit that matters is the "everyone else" bit in that case.
So there are two solutions:
* One is to remove the check. This is an attempt at an alarm system to prevent a file/data disclosure due to an administrative mistake - when perhaps the admin has an intent we don't understand (like this situation).
* Fix the check to assert ownership is root:root *only*. From there check only the "everyone" bit.
I think you would probably prefer the second solution. The benefit of this is that when you add POSIX ACLs, they convert the group bits into the effective rights mask, but the root:root ownership stays the same. This would allow ACLs to work and samba can happily alarm if the "everyone" permission is too broad.
A prime case for removal of the check is containerisation, because you often won't have root permissions in the container, you'll get a randomised uid/gid pair. The security there comes from the namespacing, not the permission bits themselves. So this is a reason to remove the check so that samba can be started as "non-root".
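The two checks contrasted in the comment above, written out as an added C example (this is not Samba's own code; the function names and the exact mode-bit handling are assumptions): strict_private_dir_ok mirrors the current behaviour behind the "has 0750 should be 0700" message, and proposed_private_dir_ok implements the root:root-plus-"everyone"-bits rule.

```c
#include <stdio.h>
#include <stdbool.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Hypothetical reimplementation of the two policies discussed in the thread.
 * Both take the uid/gid/mode fields that stat() returns for the directory. */

/* Current behaviour (assumed): owner must be root and the permission bits
 * must be exactly 0700; a group bit set by an ACL mask (0750) trips the alarm. */
bool strict_private_dir_ok(uid_t uid, gid_t gid, mode_t mode)
{
    (void)gid; /* group is not part of the strict comparison */
    if (uid != 0) return false;
    return (mode & 0777) == 0700;
}

/* Proposed behaviour: require root:root ownership, then alarm only when any
 * "other" bit (S_IRWXO) is set. Group bits are ignored because with POSIX
 * ACLs they hold the effective rights mask, not a real group grant. */
bool proposed_private_dir_ok(uid_t uid, gid_t gid, mode_t mode)
{
    if (uid != 0 || gid != 0) return false;
    return (mode & S_IRWXO) == 0;
}

/* Stat a directory and apply one policy: 1 = ok, 0 = alarm, -1 = stat failed. */
int check_private_dir(const char *path, bool use_proposed)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    if (!S_ISDIR(st.st_mode)) return 0;
    bool ok = use_proposed
        ? proposed_private_dir_ok(st.st_uid, st.st_gid, st.st_mode)
        : strict_private_dir_ok(st.st_uid, st.st_gid, st.st_mode);
    return ok ? 1 : 0;
}

int main(void)
{
    /* Constructed values matching the log line: root:root, mode 0750, where
     * the group bits are the ACL mask left by setfacl with a default entry. */
    printf("strict 0750:   %s\n", strict_private_dir_ok(0, 0, 0750) ? "ok" : "alarm");
    printf("proposed 0750: %s\n", proposed_private_dir_ok(0, 0, 0750) ? "ok" : "alarm");
    printf("proposed 0755: %s\n", proposed_private_dir_ok(0, 0, 0755) ? "ok" : "alarm");
    return 0;
}
```

Note that once an ACL is present the group bits are only the mask, so a passing proposed check says nothing about which named users the ACL itself grants access to; that has to be reviewed with getfacl separately.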