Bug 8332 - Wrong behaviour for default ACLs
Status: RESOLVED DUPLICATE of bug 10792
Product: Samba 3.4
Classification: Unclassified
Component: File services
Version: 3.4.7
Hardware: All Linux
Importance: P5 normal
Assignee: Volker Lendecke
QA Contact: Samba QA Contact
Reported: 2011-07-28 11:36 UTC by g.w1
Modified: 2014-09-04 10:54 UTC

Description g.w1 2011-07-28 11:36:45 UTC
I have a Default ACL like this set up on my ext3-Filesystem:

sudo setfacl -R -d -m u::rwx,g::rwx,g:privusers:rwx,o::- data

getfacl looks like this:

# file: data/
# owner: lobo
# group: privusers
user::rwx
group::rwx
group:privusers:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:privusers:rwx
default:mask::rwx
default:other::---


When I now create a directory directly on the filesystem (without Samba), the ACL is correctly applied and inherited:

mkdir test
getfacl test

# file: test/
# owner: lobo
# group: users
user::rwx
group::rwx
group:privusers:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:privusers:rwx
default:mask::rwx
default:other::---


When I create a file inside this folder directly on the server, the ACL works as expected:

touch test/testfile
getfacl test/testfile
# file: test/testfile
# owner: lobo
# group: users
user::rw-
group::rwx                      #effective:rw-
group:privusers:rwx             #effective:rw-
mask::rw-
other::---


But when I create a file on my mounted folder on Windows 7, the ACL looks like this:

getfacl test/testwindows
# file: test/testwindows
# owner: grmuser
# group: privusers
user::rwx
group::rwx
group:privusers:rwx
mask::rwx
other::---

So everybody gets unnecessary X-permissions.


My Samba config looks like this:

[grmdata]
path = /media/grmdata/smbshare
public = no
comment = grm-files
inherit permissions = Yes
inherit acls = Yes
available = yes
browseable = yes
guest ok = no
writable = yes
valid users = grmuser popcorn
read list = popcorn
vfs objects = /usr/lib/samba/vfs/recycle.so
                        recycle:repository=.recycle
                        recycle:versions=True
                        recycle:touch=True
                        recycle:keeptree=True
                        recycle:exclude=*.tmp|*.temp|*.o|*.obj|~$*
                        recycle:exclude_dir=/tmp|/temp|/cache
                        recycle:directory_mode=750
Comment 1 Paul Barker 2012-08-28 13:04:54 UTC
I have this exact problem: With ACLs enabled, files are being created with mode 0670 despite the create mask being 0660. This results in the ACL 'mask::rwx' and the execute bit being set where it shouldn't be.

This bug also appears to be a duplicate of bug 6042.

This is a fresh install of Openfiler ESA 2.99.1 running Samba 3.5.6.

Here is my samba config as displayed by testparm:

[global]
        workgroup = BETAFIVE
        realm = BETAFIVE.CO.UK
        server string = Openfiler NAS
        security = ADS
        map to guest = Bad User
        obey pam restrictions = Yes
        password server = 192.168.0.40
        guest account = ofguest
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        unix password sync = Yes
        log file = /var/log/samba/%m.log
        max log size = 0
        load printers = No
        os level = 0
        local master = No
        domain master = No
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        template homedir = /mnt/vg0/users/users/%U
        template shell = /sbin/nologin
        winbind cache time = 15
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        create mask = 0660
        force create mode = 0660
        security mask = 0660
        directory mask = 0770
        force directory mode = 0770
        directory security mask = 0770
        map archive = No

[users]
        comment = users
        path = /mnt/vg0/files/users
        read only = No
        hosts allow = 192.168.0.0/24
        veto files = /*:Zone.Identifier:*/
        veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/

Any further details can be provided on request.
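
The inheritance rule behind the getfacl outputs above, as an added example that is not part of the original report or of Samba's code: a Python model of the acl(5) file-creation rule, showing that the mode passed by the creating process decides whether mask:: keeps x. The function names are hypothetical; mode 0670 is the one reported in Comment 1, and 0770 is an assumption chosen because it reproduces the description's Windows-created file.

```python
# POSIX ACL inheritance at file creation, per acl(5): with a default ACL on the
# parent the umask is ignored and the file gets the default entries, with user::,
# mask:: (or group::) and other:: clipped by the mode passed to open()/creat().
# Default entries copied from the getfacl output in the description.
DATA_DIR_ACL = """\
default:user::rwx
default:group::rwx
default:group:privusers:rwx
default:mask::rwx
default:other::---
"""

def bits(perm):   # "rw-" -> 6
    return sum(v for c, v in zip(perm, (4, 2, 1)) if c != "-")

def text(n):      # 6 -> "rw-"
    return "".join(c if n & v else "-" for c, v in zip("rwx", (4, 2, 1)))

def parse_default_acl(getfacl_output):
    """Return {(tag, qualifier): permission bits} for the default: entries."""
    acl = {}
    for line in getfacl_output.splitlines():
        line = line.split("#")[0].strip()   # drop "# file:" and "#effective:"
        if line.startswith("default:"):
            tag, qualifier, perm = line[len("default:"):].split(":")
            acl[(tag, qualifier)] = bits(perm)
    return acl

def inherit(default_acl, create_mode):
    """Access ACL of a file created with create_mode under default_acl."""
    acl = dict(default_acl)
    group_class = ("mask", "") if ("mask", "") in acl else ("group", "")
    acl[("user", "")] &= (create_mode >> 6) & 7
    acl[group_class] &= (create_mode >> 3) & 7
    acl[("other", "")] &= create_mode & 7
    return acl

def effective(acl):
    """Apply mask:: to named users, group:: and named groups."""
    mask = acl.get(("mask", ""), 7)
    return {f"{tag}:{q}": text(p & mask if tag == "group" or (tag == "user" and q) else p)
            for (tag, q), p in acl.items()}

def created_with(mode):
    return effective(inherit(parse_default_acl(DATA_DIR_ACL), mode))

if __name__ == "__main__":
    for mode in (0o666, 0o670, 0o770):   # touch, Comment 1, assumed
        print(oct(mode), created_with(mode))
```

Mode 0666 reproduces the `touch` result (mask::rw-), while any create mode with x in the group bits leaves mask::rwx, so every named entry in the default ACL keeps its execute permission.
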
Comment 2 Björn Jacke 2014-09-04 10:54:24 UTC

*** This bug has been marked as a duplicate of bug 10792 ***