Bug 7492 - create mask and force create mode ignored when creating new files
Summary: create mask and force create mode ignored when creating new files
Alias: None
Product: Samba 3.4
Classification: Unclassified
Component: Config Files (show other bugs)
Version: 3.4.6
Hardware: x64 Linux
: P3 normal
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
Depends on:
Reported: 2010-06-04 05:23 UTC by Srdjan Todorovic
Modified: 2010-06-16 10:52 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Srdjan Todorovic 2010-06-04 05:23:15 UTC
When mounting cifs share in Linux, and creating a new file (using touch etc), the permissions are set to 644, even though the config files attempts to force to 660.

        comment = Shared Data
        inherit acls = No
        path = /home/data
        read only = No
        force group = "Domain Users"
        create mask = 0660
        directory mask = 770
        force create mode = 0660
        force directory mode = 0770

umask seems to affect this behaviour, which is unexpected as Samba should be mangling the umask and/or permission bits when file I/O is carried out via CIFS/SMB.

Creation of new directories are working as expected - new dirs have permission bits set to 770.
Comment 1 Srdjan Todorovic 2010-06-04 05:53:14 UTC
Disabling unix extensions causes the files to be owned by root:root, with permissions set to -rwxrwSrwx. This seems to be too excessively open.
Comment 2 Karolin Seeger 2010-06-11 02:27:47 UTC
Jeremy, could you please comment on this one?
Comment 3 Jeremy Allison 2010-06-15 13:28:27 UTC
When CIFSFS is creating files, it creates the file then sets the mode bits. The problem is you are only restricting the create operation, not the mode setting operation. In order to restrict the mode setting operation, check out the documentation in smb.conf for the parameters:

force security mode
security mask
force directory security mode
directory security mask

Comment 4 Srdjan Todorovic 2010-06-16 10:52:10 UTC
Thanks Jeremy - you are correct.

Managed to fix this by setting these for the share:

        create mask = 0660
        force create mode = 0660
        security mask = 000
        force security mode = 660
        directory mask = 0770
        force directory mode = 0770
        directory security mask = 000
        force directory security mode = 770

What would be nice, is to have a single config option as an alias for this.