Wonders of setgid

The Samba Project is perhaps the best example of the value of reverse engineering. More specifically, I would assert that Samba is the critical glue application that provides tremendous value to the Linux kernel and also helps to transform the operating system into a formidable player in heterogeneous networks where M$ client desktops are perhaps ubiquitous.

At the moment my holy trinity for large deployments would be apache, openvpn, and samba.
For the unfamiliar, Samba allows the Linux kernel to speak and understand the CIFS or SMB protocol that is native to the M$ operating system. The fantastic reverse engineering work of Andrew Tridgell and the rest of the Samba Project team makes all of this transparent to the end-user.

From time to time, I run into access control problems on the file system level. When creating samba shares, I generally follow the create mask and directory mask convention of 0755. This is supposed to ensure that owner rights are preserved when new files and directories are created. However, there are instances when an owner creates a directory on a samba share, with strict create and directory masks enforced, and this new share will assume owner and group permissions of its creator. Inevitably, this condition will cause problems. This is particularly true when you have multiple users and samba shares. In these situations, users are creating files and directories on a daily basis. The unexpected changing of directory permissions can be quite annoying.

After perusing the interwebs, I found that the following technique works to ensure that directory ownership permissions will not change when files and directories are manipulated within a samba share.

I ran the below command against all of my samba shares. 

find /some/dir/path/ -type d -exec chmod g+s {} \;

Note that the 's' is the set group ID (setgid) bit, applied here to the group permissions of every directory. It ensures that new files and directories take on the group ID of the directory they are created in instead of the group of the user who created them. This is precisely the behavior that I need on a production server. It seems to work very well and I have not had to write any scripts to chgrp -R or chown -R sub-directories within a samba share.
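
An added example, not part of the original post: a shell script that lists the directories of a share still missing the setgid bit, sets it only where needed, and shows that a directory and file created afterwards inherit the parent's group. The function names and the scratch tree built with mktemp are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit and repair setgid on the directories of a share.
# Function names and the scratch tree are illustrative assumptions.

# List directories under $1 that lack the setgid bit (octal 2000).
missing_setgid() {
    find "$1" -type d ! -perm -2000
}

# Set g+s only where it is missing; correct directories are left untouched.
apply_setgid() {
    find "$1" -type d ! -perm -2000 -exec chmod g+s {} +
}

# Numeric group of a path, taken from ls -n (works with GNU and BSD ls).
gid_of() {
    ls -ldn "$1" | awk '{print $4}'
}

# List entries under $1 whose group differs from the share root's group.
# setgid only affects objects created after it is set: existing entries and
# files renamed into the tree keep the group they already had.
group_drift() {
    want=$(gid_of "$1")
    find "$1" ! -group "$want"
}

demo() {
    share=$(mktemp -d) || return 1   # constructed scratch tree, not a real share
    mkdir -p "$share/projects/2012" "$share/scans"
    echo "without setgid before: $(missing_setgid "$share" | wc -l)"
    apply_setgid "$share"
    mkdir "$share/projects/new"      # created after the fix
    : > "$share/projects/new/report.txt"
    ls -ldn "$share/projects/new" "$share/projects/new/report.txt"
    echo "without setgid after:  $(missing_setgid "$share" | wc -l)"
    echo "group drift entries:   $(group_drift "$share" | wc -l)"
    rm -rf "$share"
}
demo
```

Running group_drift against a real share after the chmod shows which older entries still carry a different group and would need a one-time chgrp.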

Perhaps I'll share this tip with Klaatu, as it would appear to be apropos considering he recently conducted an interesting HPR episode on networking with samba.
    This page contains a single entry by AG published on November 28, 2012 4:25 AM.
