The Samba-Bugzilla – Bug 1810
Suggeste rewording of man smb.conf: inherit acls, permissions
Last modified: 2010-04-26 03:40:20 UTC
Having encountered severe frustration, ambiguity and incorrect factual content
during my tries to understand inherit acls and inherit permissions sections of
man smb.conf, I am suggesting a hopefully clear and elegant rewording of them.
I am not sure if all details are correct. Please correct them if they are
inherit acls (S)
inherit permissions (S)
These two options control the processing of permissions of newly
created files or directories between client's request and actual
creation of the file/directory on the local filesystem.
The process begins with client asking (either implicitly or explicitly
Samba to create a file. The client always supplies a file permission
vector basically similar to plain UNIX permission bit vector. At the
end of the process, Samba calls appropriate system call which,
regardless of whether the filesystem is an ACL or plain old UNIX one,
requires a plain old UNIX permission string.
The resulting file's/directory's permissions or ACL is a result of
creating the file using underlying operating system call with
<em>mode</em> parameter resulting from process described below, and
with umask set to 0. See corresponding UNIX and ACL documentation for
the rules that apply.
Further, mode represents the permission string being gradually
1. mode is assigned what client asks us to create
2. if inherit permissions is set to "no", then certain permissions are
revoked from mode by application of create mask (for files) or
directory mask (for directories).
3. if inherit permissions is set to "no", then certain permissions are
granted into mode by application of force create mode (for files) or
force directory mode (for directories).
4. if inherit permissions is set to "yes" and the object to be created
is a directory, mode is set from parent directory's permissions
including bits such as setgid, but excluding setuid. Setuid is set to
5. if inherit permissions is set to "yes" and the object to be created
is a file, all bits including bits like setgid with exception of
execute and setuid bits are copied from parent directory. Setuid bit is
set to zero.
5. if inherit acls is set to "yes" and the filesystem is an ACL one and
the parent directory has a default acl, the mode is set to 0777. This
causes verbatim copy of default ACL to be propagated, as implies from
Now, the system call itself is called, with <em>mode</em> as parameter
and with umask set to 0.
SEE ALSO: man creat, open, mkdir, acl.
EMailed JRA for comment on this. I'll review later. - JHT
updating qa contact
John, is you still want to include it, please reopen the bug