
[Samba] File permissions and Unix umask.

Gerry Marthe

Oct 8, 2008, 10:10:14 AM
Hi,

I have a question about file permissions and how they are affected by a
client's umask.

To illustrate my question, I issued the following commands first on a
local ext3 file system and
then on a cifs file system:

$ umask 0002
$ touch f1
$ echo xx > f2
$ umask 0022
$ touch f3
$ echo xx > f4
$ ls -l

On Ext3, the output is:

-rw-rw-r-- 1 abdv29 users 0 Oct 9 00:31 f1
-rw-rw-r-- 1 abdv29 users 3 Oct 9 00:31 f2
-rw-r--r-- 1 abdv29 users 0 Oct 9 00:31 f3
-rw-r--r-- 1 abdv29 users 3 Oct 9 00:31 f4

On a CIFS mount the output is:

-rw-rw-r-- 1 abdv29 users 0 Oct 9 00:35 f1
-rw-rw-r-- 1 abdv29 users 3 Oct 9 00:35 f2
-rw-r--r-- 1 abdv29 users 0 Oct 9 00:35 f3
-rw-rw-r-- 1 abdv29 users 3 Oct 9 00:35 f4

The relevant section from smb.conf on the samba server is:

[common]
comment = Common Area
path = /common
read only = no
valid users = @users
create mask = 0660
force create mode = 0660
force directory mode = 775
write list = @users
force group = users
directory mask = 0775

The share is mounted on a Linux system with the following command:

mount.cifs //localhost/common /mnt/smb -o rw,uid=600,gid=504,user=abdv29,password=*******

From what I have understood of the samba documentation, the various file
creation masks specified
by Samba do not override a client umask.

If that is so, I would expect that the permissions for file "f4" on the
cifs mount should be 644
(rw-r--r--) rather than 664 which it is.

Can someone please explain why on the CIFS mount, with a umask of 0022,
files created with "touch"
and "echo" end up with different group permissions? (Noting of course
that on a non CIFS file system,
these commands produce files with identical permissions).

The above seems inconsistent to me. My aim is to have a Samba share on
which all files created
will be group writable - I expect to have Windows users, Mac users and
Linux users. I would rather not
have to ask all the Mac and Linux users to change their umasks to
0002 ... or is this the only
solution?

I am using Samba version 3.2.3-0.20 on Fedora 9.

Thanks in advance.

Gerry.


Jeremy Allison

Oct 8, 2008, 2:50:12 PM
On Thu, Oct 09, 2008 at 12:58:41AM +1100, Gerry Marthe wrote:
>
> The relevant section from smb.conf on the samba server is:
>
> [common]
> comment = Common Area
> path = /common
> read only = no
> valid users = @users
> create mask = 0660
> force create mode = 0660
> force directory mode = 775
> write list = @users
> force group = users
> directory mask = 0775
>
> The share is mounted on a Linux system with the following command:
>
> mount.cifs //localhost/common /mnt/smb -o rw,uid=600,gid=504,user=abdv29,password=*******
>
> > From what I have understood of the samba documentation, the various file
> creation masks specified
> by Samba do not override a client umask.

You understood wrong. The server settings override all client
requests. That's why they're *force* create mode.

Jeremy.

Gerry Marthe

Oct 8, 2008, 8:20:06 PM
Hi Jeremy,

Thanks - that does make sense.
Can you tell me then why "/bin/touch" appears immune to the Samba
settings?

Gerry.

On Wed, 2008-10-08 at 11:48 -0700, Jeremy Allison wrote:
> On Thu, Oct 09, 2008 at 12:58:41AM +1100, Gerry Marthe wrote:
> >
> > The relevant section from smb.conf on the samba server is:
> >
> > [common]
> > comment = Common Area
> > path = /common
> > read only = no
> > valid users = @users
> > create mask = 0660
> > force create mode = 0660
> > force directory mode = 775
> > write list = @users
> > force group = users
> > directory mask = 0775
> >
> > The share is mounted on a Linux system with the following command:
> >
> > mount.cifs //localhost/common /mnt/smb -o rw,uid=600,gid=504,user=abdv29,password=*******
> >
> > > From what I have understood of the samba documentation, the various file
> > creation masks specified
> > by Samba do not override a client umask.
>
> You understood wrong. The server settings override all client
> requests. That's why they're *force* create mode.
>
> Jeremy.
>
>


Jeremy Allison

Oct 8, 2008, 8:30:12 PM
On Thu, Oct 09, 2008 at 11:18:49AM +1100, Gerry Marthe wrote:
> Hi Jeremy,
>
> Thanks - that does make sense.
> Can you tell me then why "/bin/touch" appears immune to the Samba
> settings?

If you can make the CIFS client violate the
"forced" settings on the Samba server that's
a server bug and I'll fix it.

Can you give me a specific example of this
happening (with Samba and CIFSFS version numbers
please) ?

Jeremy.

Gerry Marthe

Oct 8, 2008, 10:30:13 PM
Yes Jeremy, it seems that I can make the CIFS client violate the
"forced" settings on the Samba server.

Specific example:

/* As root, issue the following mount command from client. */

mount.cifs //10.0.1.5/common /mnt/smb -o rw,uid=500,user=abdv29,password=*******

/* Switch user to "abdv29" */
su - abdv29

/* Change directory to where the CIFS filesystem is mounted. */

cd /mnt/smb

/* Set umask */
umask 0022

/* Create a couple of files using "touch" and "echo". */

touch f1
echo "xx" >f2

/* On a local EXT3 filesystem, I would expect the two files
created above to each have the following symbolic permission:
"rw-r--r--" and this is indeed so.
On the CIFS mount, I would expect the "force create mode" to
override the umask in both cases, giving symbolic permission of:
"rw-rw-r--"
This is so only for the file named "f2" created with
"/bin/echo". The file created with "/bin/touch" has symbolic
permissions of: "rw-r--r--" indicating that the client has
violated the Server "force" settings.
*/

I have verified this happens with the following Samba versions:

1) Samba server version 3.0.28 running on RHEL-5
Samba client version 3.2.3 running on Fedora 9.
"mount.cifs -V" does not show a version number, it just displays the usage
message.

2) Samba server version 3.2.3 running on Fedora 9.
Samba client version 3.0.28 running on RHEL-5.
"mount.cifs -V" shows version 1.0

Let me know if you need more information.

Gerry.

On Wed, 2008-10-08 at 17:24 -0700, Jeremy Allison wrote:
> On Thu, Oct 09, 2008 at 11:18:49AM +1100, Gerry Marthe wrote:
> > Hi Jeremy,
> >
> > Thanks - that does make sense.
> > Can you tell me then why "/bin/touch" appears immune to the Samba
> > settings?
>
> If you can make the CIFS client violate the
> "forced" settings on the Samba server that's
> a server bug and I'll fix it.
>
> Can you give me a specific example of this
> happening (with Samba and CIFSFS version numbers
> please) ?
>
> Jeremy.
>
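
A way to repeat the touch/redirect comparison from the message above on any mounted directory and check each result against the share's `force create mode` (0660 in the smb.conf shown earlier). This is an added example, not part of the original thread; the function names and probe file names are made up for illustration, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (hypothetical helper names); assumes GNU stat ("stat -c %a").

# probe_modes DIR UMASK
# Creates one file with touch and one with a shell redirect under UMASK,
# prints "touch=<octal> redirect=<octal>", then removes the probe files.
probe_modes() {
    (
        cd "$1" || exit 1
        umask "$2"
        rm -f probe_touch probe_redirect
        touch probe_touch
        echo xx > probe_redirect
        printf 'touch=%s redirect=%s\n' \
            "$(stat -c %a probe_touch)" "$(stat -c %a probe_redirect)"
        rm -f probe_touch probe_redirect
    )
}

# has_forced_bits MODE FORCE
# Succeeds only when every permission bit in FORCE is also set in MODE.
# The leading 0 makes the shell read both values as octal.
has_forced_bits() {
    [ $(( 0$1 & 0$2 )) -eq $(( 0$2 )) ]
}

# audit_share DIR UMASK FORCE
# Reports, per creation method, whether the resulting mode carries the
# forced bits. Returns 1 if any method lost them, 2 if the probe failed.
audit_share() {
    result=$(probe_modes "$1" "$2") || return 2
    status=0
    for pair in $result; do
        method=${pair%%=*}
        mode=${pair#*=}
        if has_forced_bits "$mode" "$3"; then
            echo "$method: $mode carries force create mode $3"
        else
            echo "$method: $mode is missing bits from force create mode $3"
            status=1
        fi
    done
    return $status
}
```

Run as `audit_share /mnt/smb 0022 0660` on the client; on a local file system both methods are expected to report 644 and fail the check, since nothing there forces the group-write bit.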