xfs

Re: Question about default ACL

To: Juer Lee <Juer.Lee@xxxxxxxxxx>
Subject: Re: Question about default ACL
From: Timothy Shimmin <tes@xxxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 19 Dec 2001 12:37:53 +1100
Cc: linux-xfs@xxxxxxxxxxx
In-reply-to: <EB0AF92C5F6B6B45A3EC7A2608347EC005EC23@CORK-DC1.raidtec.ie>; from Juer.Lee@raidtec.ie on Tue, Dec 18, 2001 at 10:53:33AM -0000
References: <EB0AF92C5F6B6B45A3EC7A2608347EC005EC23@CORK-DC1.raidtec.ie>
Sender: owner-linux-xfs@xxxxxxxxxxx
Hi Juer,

On Tue, Dec 18, 2001 at 10:53:33AM -0000, Juer Lee wrote:
> Hello samba guys and XFS guys,
> 
> I am now using Linux-2.4.5-1.0.1_XFS and Samba 2.2.2.
> Try to create a samba share on a XFS volume, for example, we create a
> directory named 'public', and set its default acl on 'public' as
> 'u::rwx,g::rw-,o::r--,m::rwx'. Under Linux box, try to create a file
> named 'file_linux' under directory 'public', On Samba client (Win2K) try
> to create a file named 'file_samba' under directory 'public'. 
> After that I try to list the ACLs for them, what I got were:
> chacl -l file_samba 
> ------- u::rwx,g::rw-,o::rw-,m::rwx
> chacl -l file_linux 
> ------- u::rwx,g::rw-,o::r--,m::rw-                 ( this is what we
> expected though the mask ACL is changed to m::rw- not m::rwx )
> 
> It seems that mask ACL has no effect on creating file on samba client.
> But I am wrong, repeat the steps listed below, just change default acl
> on 'public' as 'u::rwx,g::rw-,o::r--' without mask ACL, I get the same
> ACLs of file_linux and file_samba.
> 
> I am still afraid that I can't describe this case well, but I hope I can
> get some help from samba group or xfs group . 
> 
> :)
> Juer
> 

(I initially wrote about default ACL and mask on June 12 and Aug 8 - 
 I'll paraphrase some of it here that may be relevant :)
(I don't use Samba so I'll leave others to comment on the Samba side)

---------------------------------------------------------------

1 - Default ACLs
When the access ACL for a file of a directory with a default ACL
is created, its ACE permissions are set by the _intersection_ of the
respective default ACEs permission bits and the mode bits of the
parameter to open/creat.
If you have a MASK ACE (see Posix1003.1e section 5.3.1.2), then the 
ACE permissions on the new file will have a MASK ACE equal to
the intersection of the default MASK ACE permission bits
and the standard group permission bits of the parameter to open/creat.
(This is what you saw)

So you don't just get the default ACL as your access ACL as you
might expect !
And Olaf pointed out that Samba sets the mode bits of the parameter
to open/creat to something other than 777.
Hmmm....but you seem to have _more_ permissions for "other" in 
the samba side. I don't understand that.

---------------------------------------------------------------

2 - MASK ACE
The MASK ACE is used for the intersection of permissions for
USER, GROUP, and GROUP_OBJ ACEs
when granting/denying permission for access.

The standard group permission bits on a file usually mimic 
the GROUP_OBJ ACE.
However, if there is a MASK ACE, then the std group permissions 
are set to match the MASK ACE permission bits 
(see Posix1003.1e section 23.1.2 Relationship with File permission Bits).

(You didn't mention this one but you'll probably notice it:)

---------------------------------------------------------------

So for example, 
if you have a default ACL of u::rwx,g::rw-,o::r--,m::rwx
and you did 
$ touch fred
which does a creat with permission bits of 666 = rw-rw-rw-
then you would get:
    fred [u::rw-,g::rw-,o::r--,m::rw-]
ls -l fred
    -rw-rw-r-- fred
the user-obj ACE of u::rwx would get intersected with creat's 
user permissions of rw- and you'd get rw- for the user-obj ACE of fred.
The mask ACE of m::rwx gets intersected with creat's group
permissions of rw-  and you'd get rw- for the mask ACE of fred.

If you had a default ACL of u::rwx,g::rw-,o::r--,m::---
and you did
$ touch fred
then you would get:
    fred [u::rw-,g::rw-,o::r--,m::---]
ls -l fred
    -rw----r-- fred
The mask has no permissions, so the group file permissions as
seen with ls(1) match the mask permissions.

---------------------------------------------------------------

As I said previously....
| I hope I haven't confused you.
| The standard can be equally confusing ;-)
| 
| The withdrawn Posix ACL standard can be downloaded at:
|     http://wt.xpilot.org/posix.1e/download.html


Kindest Regards,
--Tim
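
Added example (not part of the message above, and not XFS or Samba code): a small Python model of the inheritance rule the message describes, reproducing its two "touch fred" results and checking which creat modes could yield an observed access ACL. The function names are hypothetical, and the branch for a default ACL without a MASK ACE (GROUP_OBJ intersected with the group mode bits) is an assumption taken from the POSIX.1e draft, not from the message.

```python
# Added example: models the rule described in the message; names are hypothetical.
PERMS = "rwx"

def bits(s):
    """'rw-' -> 6"""
    return sum(1 << (2 - i) for i, c in enumerate(s) if c != "-")

def text(b):
    """6 -> 'rw-'"""
    return "".join(c if b & (1 << (2 - i)) else "-" for i, c in enumerate(PERMS))

def parse(acl):
    """'u::rwx,g::rw-' -> {'u': 7, 'g': 6} (base ACEs and mask only)"""
    return {e.split("::")[0]: bits(e.split("::")[1]) for e in acl.split(",")}

def inherit(default_acl, mode):
    """Access ACL of a new file from the directory's default ACL and the creat mode."""
    d = parse(default_acl)
    u, g, o = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    acc = {"u": d["u"] & u, "g": d["g"], "o": d["o"] & o}
    if "m" in d:
        # With a MASK ACE, the group mode bits limit the mask, not GROUP_OBJ.
        acc["m"] = d["m"] & g
    else:
        # Assumption (POSIX.1e draft): without a mask, GROUP_OBJ is limited instead.
        acc["g"] = d["g"] & g
    return acc

def fmt(acc):
    return ",".join(f"{k}::{text(acc[k])}" for k in "ugom" if k in acc)

def ls_mode(acc):
    """Mode string as ls -l shows it: the group column mirrors the mask if present."""
    return "-" + text(acc["u"]) + text(acc.get("m", acc["g"])) + text(acc["o"])

def reachable(default_acl, observed_acl):
    """All creat modes that would turn default_acl into observed_acl."""
    want = parse(observed_acl)
    return [m for m in range(0o1000) if inherit(default_acl, m) == want]

if __name__ == "__main__":
    d = "u::rwx,g::rw-,o::r--,m::rwx"
    fred = inherit(d, 0o666)              # touch -> creat(..., 0666)
    print(fmt(fred), ls_mode(fred))
    # file_samba's observed ACL: no creat mode produces it under this rule
    print(reachable(d, "u::rwx,g::rw-,o::rw-,m::rwx"))
```

An empty list from reachable() means the observed ACL cannot be the result of default-ACL inheritance alone, so the permissions must have been changed after creation or by another path.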

