I am having some issues with permissions: MacOS via SMB seems to ignore file system permissions (especially the sticky bit).
Does anyone of you have a hint how I could convince MacOS via Samba to obey the sticky bit?
And: are you aware of any good reason why setting "nt acl support = no" in the samba share options is a bad idea?
I am writing this here since it seems the only fix seems to be in the truenas/samba setup. In the terminal everything works as intended - so, the file system acls should be fine.
The starting conditions:
All my users are running MacOS 12.6 (no Windows users) and the server is running TrueNAS-SCALE-22.12.0.
I am trying to prevent user from deleting a specific folder in a SMB share where they otherwise can do pretty much anything. Multiple users can access the share. They should be able to create and delete their files/folders in the share - except this specific folder. Within this specific folder they again should be able to delete/create everything - also files of other users. What I set up so far works perfectly via ssh. But MacOS via finder ignores the sticky bit:
My strategy so far:
So far my strategy is to set the setgid and sticky bit of the parent folder "Transfer" (which is also a dataset and share at the same time):
The folder (located within the above mentioned parent folder) - which nobody should be able to delete:
Example of a user:
All other users are also member of the "builtin_users" group.
This works fine in the terminal via ssh: users cannot delete the "dont_delete_me" folder - the sticky bit makes sure of that since the folder is not owned by them. If a user creates another folder inside the "dont_delete_me" there is no sticky bit and other users therefore can delete those subfolders (because they are member of the "builtin_users" group). Perfect.
The issues
Now, when a user accesses this share via samba and the MacOS finder, the following, very different behavior can be observed:
Following my Samba config for the respective share:
Thank you very much for any feedback! This issue is causing me serious headaches.
Does anyone of you have a hint how I could convince MacOS via Samba to obey the sticky bit?
And: are you aware of any good reason why setting "nt acl support = no" in the samba share options is a bad idea?
I am writing this here since it seems the only fix seems to be in the truenas/samba setup. In the terminal everything works as intended - so, the file system acls should be fine.
The starting conditions:
All my users are running MacOS 12.6 (no Windows users) and the server is running TrueNAS-SCALE-22.12.0.
I am trying to prevent user from deleting a specific folder in a SMB share where they otherwise can do pretty much anything. Multiple users can access the share. They should be able to create and delete their files/folders in the share - except this specific folder. Within this specific folder they again should be able to delete/create everything - also files of other users. What I set up so far works perfectly via ssh. But MacOS via finder ignores the sticky bit:
My strategy so far:
So far my strategy is to set the setgid and sticky bit of the parent folder "Transfer" (which is also a dataset and share at the same time):
Code:
exampleuser@truenas:/mnt/DataPool/Transfer$ getfacl . # file: . # owner: root # group: builtin_users # flags: -st user::rwx group::rwx group:backup:r-x group:builtin_administrators:rwx mask::rwx other::r-x default:user::rwx default:group::rwx default:group:backup:r-x default:group:builtin_administrators:rwx default:mask::rwx default:other::---
The folder (located within the above mentioned parent folder) - which nobody should be able to delete:
Code:
exampleuser@truenas:/mnt/DataPool/Transfer$ getfacl dont_delete_me/ # file: dont_delete_me/ # owner: root # group: builtin_users # flags: -s- user::rwx group::rwx group:backup:r-x group:builtin_administrators:rwx mask::rwx other::--- default:user::rwx default:group::rwx default:group:backup:r-x default:group:builtin_administrators:rwx default:mask::rwx default:other::---
Example of a user:
Code:
exampleuser@truenas:/mnt/DataPool/Transfer$ id uid=3000(exampleuser) gid=3000(exampleuser) groups=3000(exampleuser),545(builtin_users)
All other users are also member of the "builtin_users" group.
This works fine in the terminal via ssh: users cannot delete the "dont_delete_me" folder - the sticky bit makes sure of that since the folder is not owned by them. If a user creates another folder inside the "dont_delete_me" there is no sticky bit and other users therefore can delete those subfolders (because they are member of the "builtin_users" group). Perfect.
The issues
Now, when a user accesses this share via samba and the MacOS finder, the following, very different behavior can be observed:
- The setgid flag gets ignored and files/folders get created with ownership exampleuser:exampleuser instead of exampleuser:builtin_users preventing other users to delete within the "dont_delete_me" folder.
I could fix this by adding "nt acl support = no" to the Auxiliary Parameters of the respective share. Now MacOS obeys the setgid flag. - The sticky bit gets ignored: While users cannot rename the "dont_delete_me" folder, they can simply delete it! Apple, what are you doing?
Following my Samba config for the respective share:
Code:
exampleuser@truenas:/mnt/DataPool/Transfer$ sudo net conf list [GLOBAL] disable spoolss = true syslog only = False winbind request timeout = 2 create mask = 0775 ntlm auth = False bind interfaces only = True logging = file unix charset = UTF-8 restrict anonymous = 2 netbios aliases = fruit:nfs_aces = false netbios name = truenas dns proxy = false server multi channel support = False guest account = nobody max log size = 5120 local master = True server string = TrueNAS Server fruit:zero_file_id = false load printers = false workgroup = WORKGROUP passdb backend = tdbsam:/var/run/samba-cache/passdb.tdb directory mask = 0775 printcap name = /dev/null log level = 1 auth_json_audit:3@/var/log/samba4/auth_audit.log server min protocol = SMB2_02 idmap config * : range = 90000001 - 100000000 idmap config * : backend = tdb [Transfer] vfs objects = fruit streams_xattr acl_xattr zfs_core io_uring ea support = False tn:purpose = NO_PRESET path = /mnt/DataPool/Transfer tn:path_suffix = tn:home = False comment = Temporary files to be moved somewhere else. Files will get deleted after a while. read only = False browseable = True guest ok = False hosts allow = hosts deny = access based share enum = False posix locking = False kernel oplocks = False smbd max xattr size = 2097152 fruit:metadata = stream fruit:resource = stream fruit:time machine = False fruit:time machine max size = 0 tn:vuid = nt acl support = no
Thank you very much for any feedback! This issue is causing me serious headaches.