Linux vs. Windows Permissions (clients)

    • OMV 1.0
    • Resolved
    • Linux vs. Windows Permissions (clients)

      I just installed a new copy of OMV 1.9 (Kralizec) on all new hardware and enabled the SMB/CIFS service since I'm running a mixed environment of Windows and Linux machines.

      I have a user called "taz" that is a member of a group called "nas-admin" that I'm using to manage the OMV shares. What I've noticed is that the permissions for the directories and files are different depending on whether the files were created on a Linux client or a Windows client. I'm using the same OMV credentials ("taz") when accessing the share either through Windows or Linux.

      For example, here are the permissions as seen from the OMV CLI:
      drwxr-s---+ 2 taz users 4096 Mar 28 18:13 Linux
      drwxrws--x+ 2 taz users 4096 Mar 28 18:13 Windows

      Here are the file ACL values for the Linux directory:

      Source Code

      # file: Linux
      # owner: taz
      # group: users
      # flags: -s-
      user::rwx
      user:taz:rwx #effective:r-x
      group::rw- #effective:r--
      group:nas-admin:rwx #effective:r-x
      group:nas-users:r-x
      mask::r-x
      other::---
      default:user::rwx
      default:user:taz:rwx
      default:group::rw-
      default:group:nas-admin:rwx
      default:group:nas-users:r-x
      default:mask::rwx
      default:other::---


      Here's the file ACL for the Windows directory:

      Source Code

      # file: Windows
      # owner: taz
      # group: users
      # flags: -s-
      user::rwx
      user:taz:rwx
      group::rwx
      group:nas-admin:rwx
      group:nas-users:r-x
      mask::rwx
      other::--x
      default:user::rwx
      default:user:taz:rwx
      default:group::rw-
      default:group:nas-admin:rwx
      default:group:nas-users:r-x
      default:mask::rwx
      default:other::---


      Here are the file permissions for the Linux and Windows files respectively:
      -rwxr-x---+ 1 taz users 0 Mar 28 18:20 EmptyDoc.txt
      -rwxrwx---+ 1 taz users 0 Mar 28 18:21 EmptyDoc.txt

      Here are the file ACL values for the Linux file:

      Source Code

      # file: Linux/EmptyDoc.txt
      # owner: taz
      # group: users
      user::rwx
      user:taz:rwx #effective:r-x
      group::rw- #effective:r--
      group:nas-admin:rwx #effective:r-x
      group:nas-users:r-x
      mask::r-x
      other::---


      Here are the file ACL values for the Windows file:

      Source Code

      # file: Windows/EmptyDoc.txt
      # owner: taz
      # group: users
      user::rwx
      user:taz:rwx
      group::rw-
      group:nas-admin:rwx
      group:nas-users:r-x
      mask::rwx
      other::---


      The file permissions and ACL values seen for the directory and file created under the Linux environment are correct in the way the ACL is configured for the share.

      Based on my understanding, regardless of the client, the directories/files created would have the same permissions. Why are the files created in the Windows environment allowing file write access to the group and execute access to "others" for the directory?
    • The difference is the mask. I would guess that maybe the Linux application used to create the file has another default mask setting.

      You could try adding this to the /etc/default/openmediavault and see if it makes any difference.

      Shell-Script

      # Samba
      OMV_SAMBA_SHARE_CREATEMASK="0777"
      OMV_SAMBA_SHARE_DIRECTORYMASK="0777"

      To apply the changes run:

      Shell-Script

      omv-mkconf samba
      service samba restart
    • HK-47 wrote:

      You could try adding this to the /etc/default/openmediavault and see if it makes any difference.
      Shell-Script

      # Samba
      OMV_SAMBA_SHARE_CREATEMASK="0777"
      OMV_SAMBA_SHARE_DIRECTORYMASK="0777"


      First, instead of 0, shouldn't it be 2?! At least the DIRECTORYMASK should have it, shouldn't it?

      And also, shouldn't it be OMV_SAMBA_SHARE_CREATEMASK="2666", or is the CREATEMASK not meant for files?

      Greetings
      David
    • davidh2k wrote:

      First, instead of 0, shouldn't it be 2?! At least the DIRECTORYMASK should have it, shouldn't it?

      And also, shouldn't it be OMV_SAMBA_SHARE_CREATEMASK="2666", or is the CREATEMASK not meant for files?

      Greetings
      David

      I've only changed from the defaults which are:

      Shell-Script

      OMV_SAMBA_SHARE_CREATEMASK=${OMV_SAMBA_SHARE_CREATEMASK:-"0755"}
      OMV_SAMBA_SHARE_DIRECTORYMASK=${OMV_SAMBA_SHARE_DIRECTORYMASK:-"0755"}

      I don't think you need to set the setgid bit from what I've experienced so far. But I've never tested with it set. I think it works without it since the shared folder already has the setgid bit set. The difference when adding the setgid bit would be, and I'm guessing, that it would be forced(?). I don't want to force it, but someone else might though so it's good to know.

      I don't see why you would like to limit files to 666 though in normal cases. Because even though you have the drives mounted with noexec you may want to store files with the executable bit set. But each to their own. :)

      The reason I had to use those overrides is because ACLs don't work properly otherwise. For example, if you have a group and set rw permissions on a shared folder for that group, the mask of 755 will always strip the write permission for all groups. In the end you have something that doesn't work as expected.

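The mask behaviour discussed in this thread, as an added example that is not part of the original posts or of OMV/Samba: it applies the acl(5) creation rule (a new object's ACL is the parent's default ACL limited by the requested mode, with the mode's group bits limiting the mask) to the default ACL shown in the first post. It assumes the mode reaching the filesystem is 0755 under the default masks and 0777 with the override; Samba's other mode-mapping options are not modelled.

```python
# Added example: models the acl(5) rule for objects created under a default ACL.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Default ACL of the share, copied from the getfacl output in the thread.
DEFAULT_ACL = """\
default:user::rwx
default:user:taz:rwx
default:group::rw-
default:group:nas-admin:rwx
default:group:nas-users:r-x
default:mask::rwx
default:other::---
"""

def to_bits(perms):
    return sum(PERM_BITS[c] for c in perms if c != "-")

def to_text(bits):
    return "".join(c if bits & PERM_BITS[c] else "-" for c in "rwx")

def parse_default_acl(text):
    """Return [(tag, qualifier, bits)] for every 'default:' entry."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop '#effective:' comments
        if line.startswith("default:"):
            _, tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, to_bits(perms)))
    return entries

def create_under_default_acl(default_entries, mode):
    """Access ACL of a new object: default ACL limited by the requested mode."""
    # Owner bits limit user::, group bits limit the mask, other bits limit other::.
    limit = {("user", ""): mode >> 6 & 7, ("mask", ""): mode >> 3 & 7,
             ("other", ""): mode & 7}
    return [(tag, q, bits & limit.get((tag, q), 7)) for tag, q, bits in default_entries]

def effective(acl):
    """Effective rights: named users and all group entries are ANDed with the mask."""
    mask = next(bits for tag, _, bits in acl if tag == "mask")
    result = {}
    for tag, q, bits in acl:
        masked = tag == "group" or (tag == "user" and q)
        result[f"{tag}:{q}"] = to_text(bits & mask if masked else bits)
    return result

if __name__ == "__main__":
    for mode in (0o755, 0o777):  # assumed modes: default masks vs. the override
        acl = create_under_default_acl(parse_default_acl(DEFAULT_ACL), mode)
        print(oct(mode), effective(acl))
```

With mode 0755 the result reproduces the `#effective` values in the getfacl listing for the Linux directory; with 0777 the `nas-admin` group keeps write access.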