I wanted to use the dos filemode option to allow group members with write access to a file/dir to add/change permissions (system: debian etch, samba 3.0.24).

[testshare]
    printable = no
    comment = Testshare
    browseable = no
    writable = yes
    map archive = no
    map hidden = no
    map system = no
    map readonly = no
    dos filemode = yes
    store dos attributes = yes
    ea support = yes
    inherit permissions = yes
    inherit acls = Yes
    map acl inherit = Yes
    path = /test/testshare

(I've added 'ea support' for testing, it makes no difference yet)

Now inside a directory of this share:

# ls -la
drwxr-s---+ 5 mh users 61 2008-02-08 16:08 .
drwxrwx---+ 6 jm jm 65 2008-02-11 11:20 ..
drwxr-s---+ 2 mh users 6 2008-02-08 16:08 test

# getfacl test/
# file: test
# owner: mh
# group: users
user::rwx
group::r-x
group:users:r-x
mask::r-x
other::---

Now as a user that has read access (r-x) to both directories (group users) I'm able to add permissions for the user al from Windows Explorer to the test directory.

# getfacl test/
# file: test
# owner: mh
# group: users
user::rwx
user:al:r-x <----- added user
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:al:r-x <---- added user
default:group::---
default:mask::rwx
default:other::---

Now how is this possible? I thought the 'dos filemode' option would only work if a member of the group users has write access to a file. If I set 'dos filemode = no' I'm not able to add or change permissions.

Note: there is a reference to the deprecated 'acl group control' option in the man page.

acl group control (S)
    In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions and ACLs on a file. If this parameter is set, then Samba overrides this restriction, and also allows the primary group owner of a file or directory to modify the permissions and ACLs on that file.

The reference to the primary group (which is not mentioned in the dos filemode part of the man page) might be the key to this problem.

Ralf
Is there any chance that somebody will look at this bug report?

I tried something different. The goal is that group members with write access to a file or directory are able to change permissions and give new users access to a directory or file. This group should _not_ necessarily be the owning group.

Because the 'dos filemode' option is _not_ working as documented, I need a workaround. So I thought about setting the owning unix group with the gid bit to a group that no user is a member of (test-admin), and adding another group with write access (erv), thinking that members of this group will then be able to change the permissions (dos filemode = yes).

I tried different additional settings in my smb.conf, but none gives me the expected result. Still, only the owner or members of the owning group can change permissions. But not in all cases it's desired that the owning group is able to change permissions, because from Windows this owning group can't be changed (AFAIK).

It's possible that a user wants to create a private directory in a share, where only a subset of users have access to. So if someone creates a new directory or file there is no way for him to forbid the owning group to set/change permissions on this new file (with dos filemode enabled). Thus members of this group can always set rwx permissions, even if the owner removed all permissions before.

from the docs:

dos filemode
    Enabling this parameter allows a user who has write access to the file (by whatever means) to modify the permissions (including ACL) on it.
example:

# file: test
# owner: ralfgro
# group: test-admin
user::rwx
group::---
group:erv:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:erv:rwx
default:mask::rwx
default:other::---

[testshare]
    printable = no
    comment = Testshare
    browseable = no
    writable = yes
    dos filemode = yes
    store dos attributes = yes
    ea support = yes
    #inherit permissions = yes
    inherit acls = Yes
    #acl map full control = False
    map acl inherit = Yes
    map archive = no
    map hidden = no
    map system = no
    map readonly = no
    path = /server/projekte/test/testshare
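
The write-access precondition from the quoted 'dos filemode' man page text, evaluated against the two ACL listings in the reports above. This is an added example, not Samba code and not part of the bug report; it follows the POSIX.1e access-check order, and the user names `member_of_users` and `member_of_erv` are constructed.

```python
# Added illustration (not Samba code): the POSIX.1e access-check order,
# used to evaluate the "write access" precondition quoted from the man page.

def parse_getfacl(text):
    """Return (owner, owning_group, access entries) from getfacl output."""
    owner = group = None
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            # split()[0] drops trailing annotations such as "<--- added user"
            entries.append(tuple(line.split()[0].split(":")))
    return owner, group, entries

def has_write(acl, user, user_groups):
    """True if the access ACL grants 'w' to this user."""
    owner, group, entries = acl
    find = lambda tag, name="": [p for t, n, p in entries if (t, n) == (tag, name)]
    mask = (find("mask") or ["rwx"])[0]      # no mask entry: nothing is masked
    masked_w = lambda perms: "w" in perms and "w" in mask
    if user == owner:                        # owner entry is never masked
        return "w" in find("user")[0]
    if find("user", user):                   # named user entry
        return masked_w(find("user", user)[0])
    matching = [p for t, n, p in entries if t == "group"
                and (n in user_groups or (n == "" and group in user_groups))]
    if matching:                             # any matching group entry may grant
        return any(masked_w(p) for p in matching)
    return "w" in find("other")[0]

def documented_dos_filemode_allows(acl, user, user_groups):
    """Owner may always change permissions; others need write access."""
    return user == acl[0] or has_write(acl, user, user_groups)

# ACLs copied from the two reports; the user names below are constructed.
FIRST = parse_getfacl("# owner: mh\n# group: users\nuser::rwx\ngroup::r-x\n"
                      "group:users:r-x\nmask::r-x\nother::---")
SECOND = parse_getfacl("# owner: ralfgro\n# group: test-admin\nuser::rwx\n"
                       "group::---\ngroup:erv:rwx\nmask::rwx\nother::---\n"
                       "default:group:erv:rwx")

if __name__ == "__main__":
    # Report 1: r-x only, so the documented rule says "deny" (Samba allowed it).
    print(documented_dos_filemode_allows(FIRST, "member_of_users", {"users"}))
    # Report 2: rwx via group:erv, so the documented rule says "allow" (Samba denied it).
    print(documented_dos_filemode_allows(SECOND, "member_of_erv", {"erv"}))
```

Running the same check over real `getfacl` output for a share gives the list of accounts that should be able to change ACLs under the documented rule, which can then be compared with what the server actually permits.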
I think this bug can be fixed by the patch I posted in bug #5202 and by setting "acl group control = No" (default) in smb.conf.
Closing out bug report as the patch fixes the problem. Please re-open if it is still an issue for you. Thanks for reporting!