
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

2 votes
1 answers
5585 views
How to change permissions on Samba subfolder?
I have a Samba server with ROLE_DOMAIN_MEMBER in the Active Directory. My main aim is to set different permissions on share sub-folders on every single share. It can be done using Linux ACLs or the Windows permissions GUI, but I prefer the Windows GUI, because then users can do this by themselves. I already tried to change permissions using chmod, chown, acl, the Windows GUI and the Windows console GUI, and I can change permissions on a sub-folder, but it seems that it doesn't work: only groups added to the Samba share worked for me, also for sub-folders:

```
valid users = "+DOMAIN.LOCAL\IT" # "+DOMAIN.LOCAL\adm" # "+DOMAIN.LOCAL\DR" # "DOMAIN.LOCAL\PRINTERS"
admin users = "+DOMAIN.LOCAL\IT" # "+DOMAIN.LOCAL\adm" # "+DOMAIN.LOCAL\DR" # "DOMAIN.LOCAL\PRINTERS"
```

I print here all my smb.cfg and a single test share:

```
[global]
# No .tld
workgroup = DOMAIN
netbios name = samba4
server string = %h server (Samba, Ubuntu)
# Active Directory System
security = ads
# With .tld
realm = DOMAIN.LOCAL
# Just a member server
domain master = no
local master = no
preferred master = no
dns proxy = no
# Disable printing error log messages when CUPS is not installed.
printcap name = /dev/null
load printers = no
printcap cache time = 0
#additional section
obey pam restrictions = yes
map to guest = bad user
dns proxy = no
vfs objects = acl_xattr
map acl inherit = yes
nt acl support = yes
acl map full control = yes
#acl compatibility = auto
store dos attributes = yes
map archive = no
map hidden = no
map read only = no
map system = no
# Works both in samba 3.2 and 3.6.
#idmap backend = tdb
# no .tld
idmap config * : backend = tdb
idmap config * : range = 10000-99999
winbind enum users = yes
winbind enum groups = yes
# This way users log in with username instead of username@example.com
winbind use default domain = yes
# Inherit groups in groups
winbind nested groups = yes
winbind refresh tickets = yes
winbind offline logon = true
#winbind separator = \
# Becomes /home/example/username
template homedir = /home/%D/%U
#logon drive = H:
#logon home = \\smb\%U
# No shell access
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
#password server = dc01.domain.local, dc02.domain.local
password server = *
encrypt passwords = yes
unix password sync = yes
pam password change = yes
smb passwd file = /etc/samba/smbpasswd
os level = 20
restrict anonymous = 2
log file = /var/log/samba/samba.log
log level = 3
#logging = syslog@1 /var/log/samba/log.%m
vfs objects = full_audit
full_audit:success = mkdir rmdir unlink pwrite
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = none
full_audit:facility = local5
full_audit:priority = notice
recycle:repository = /home/recycle/
recycle:keeptree = yes
recycle:versions = yes
max log size = 100000
panic action = /usr/share/samba/panic-action %d
guest ok = yes

[test$]
path = /FS/test$
browseable = yes
read only = no
inherit acls = yes
inherit permissions = yes
create mask = 700
directory mask = 700
valid users = "+DOMAIN.LOCAL\IT" # "+DOMAIN.LOCAL\adm" # "+DOMAIN.LOCAL\DR" # "DOMAIN.LOCAL\PRINTERS"
admin users = "+DOMAIN.LOCAL\IT" # "+DOMAIN.LOCAL\adm" # "+DOMAIN.LOCAL\DR" # "DOMAIN.LOCAL\PRINTERS"
```

```
┌─[root@samba4]─[/FS]
└──╼ #ls -ld test\$/
drwxrwx---+ 6 root root 4096 Jun 25 15:44 test$/
```

ACL configuration:

```
cat /boot/config-4.4.0-87-generic | grep _ACL
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_F2FS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_HFSPLUS_FS_POSIX_ACL=y
CONFIG_JFFS2_FS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_CEPH_FS_POSIX_ACL=y
CONFIG_CIFS_ACL=y
CONFIG_9P_FS_POSIX_ACL=y
```

My fstab:

```
UUID=4ec48dfe-c45d-124b-8145-09fe59cfad9b /FS ext4 relatime,acl,user_xattr,errors=remount-ro 0 1
```

In samba.log I see a problem with ACL permissions while I try to change permissions on the test directory:

```
set_nt_acl: failed to set file acl on file test (Operation not permitted).
```

Also I changed the permissions on the test directory to 777 and deleted the options "create mask", "directory mask", "admin users". Now I can't even add a new user to the file permissions.
Vladyslav Greyswandir (21 rep)
Jun 26, 2018, 08:23 AM • Last activity: Aug 1, 2025, 11:04 AM
4 votes
1 answers
390 views
On Debian, XFS, I can edit a file of another user with permissions 644 without ACL
Today, to my surprise, I noticed that I may delete a file that was created by a user with UID 100024 while being logged in to my normal user (UID 1000) shell. The UID 100024 is a subuid; it is how the user inside the rootless podman container looks in `top` processes, also in `ls -l` output. The `cat /etc/subuid` output is `myuser:100000:65536`, same for the subgid. The `sudo sysctl kernel.unprivileged_userns_clone` output is `kernel.unprivileged_userns_clone = 1`. The `getfacl /the/file` shows:

```
user::rw-
group::r--
other::r--
```

The `grep CONFIG_USER_NS /boot/config-$(uname -r)` output is `CONFIG_USER_NS=y`. To an even bigger surprise, I was able to edit a file created by the UID 1000 user in the volume-mapped folder, from inside the container! The file had 644 permissions and was owned by nobody:nogroup. I'm pretty sure I could not do these operations in the past. Has anything happened to my 6.1.0-32-amd64 Debian? The filesystem is xfs. `ls -hal` for the directory returns:

```
drwxrwxr-x+ 12 pod_yt      root        4.0K Jul 19 17:09 name_of_the_dir
```

and the getfacl for the dir returns:

```
user::rwx
user:myuser:rwx
user:name_of_the_user_for_uid_100024:rwx
group::r-x
mask::rwx
other::r-x
```
Václav (153 rep)
Jul 29, 2025, 02:14 PM • Last activity: Jul 30, 2025, 03:40 PM
0 votes
4 answers
5294 views
Effective ACL permissions changing permissions
From a bash shell script, I am creating a folder and storing the mysqldump there. I am sure that there is no command related to permissions in my script. To allow another user to access these files, I have used ACLs, but when he tried to access the file, he got a permission denied issue, and the issue is with the effective permissions of the ACL. The owner of the directory is ola, the new user who is trying to access the folder is uber, and the folder is gettaxi.

### Permissions of Parent directory

```
[/omega/olabooktmp]# getfacl .
# file: .
# owner: ola
# group: ola
user::rwx
user:uber:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:uber:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
```

### Permissions of Child directory

```
[/omega/olabooktemp]# getfacl gettaxi/
# file: gettaxi/
# owner: ola
# group: ola
user::rwx
user:uber:rwx                   #effective:---
group::r-x                      #effective:---
mask::---
other::---
default:user::rwx
default:user:uber:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
```

I see that for the new directory gettaxi the mask permissions are `mask::---`, so I think this is causing the issue, but I am unable to understand it completely and how to solve this issue. Any suggestions greatly appreciated. Thank you.
Raja G (6177 rep)
Mar 17, 2020, 09:58 AM • Last activity: Jul 28, 2025, 06:04 AM
2 votes
1 answers
1907 views
Cannot delete folder on Synology NAS?
I logged in as root and tried to recursively delete the folder `/volume2/Name` using `rm -rf`. It started and deleted all the files/directories inside this folder `Name`, but it cannot remove the folder itself even though I am root:

```
rm: cannot remove 'Name': Operation not permitted
```

The command `ls -l` lists the permissions for this folder as:

```
d---------+ 1 root root
```

Synology has a special tool called `synoacltool` for these ACL permissions, but I don't know how to use it. So what do I need to do in order to be able to remove this (empty) folder?
Maestro (211 rep)
Nov 23, 2021, 07:00 PM • Last activity: Jun 29, 2025, 07:06 AM
0 votes
1 answers
69 views
SSH Stuck waiting for reply after offering public key
### Info ###

I have 2 remote machines, both are Linux and the same OS version. When I tried to SSH to the machine as one of the users inside via public key, machineA works but machineB gets stuck after offering the public key. From what I understand, SSH uses StrictModes by default, which requires:

- In `/etc/ssh/sshd_config`, contains `yes` and `.ssh/authorized_keys`
- `/home/` with `750` or stricter
- `/home//.ssh` with `700` or stricter
- `/home//.ssh/authorized_keys` with `600` or stricter

### What I have done? ###

For my requirements, I need the of to be managed by another user, let's say . So I have done the following configurations to allow to manage 's

```
chmod 750 /home/
chmod 700 /home//.ssh
chmod 600 /home//.ssh/authorized_keys
setfacl -m u::rwx /home/
setfacl -m u::rwx /home//.ssh
setfacl -m u::rwx /home//.ssh/authorized_keys
```

So I enter both machineA & machineB as admin via password and paste my public key into `/home//.ssh/authorized_keys`. When I tried SSH to both systems via Putty, machineA works but machineB fails.

### Loggings ###

This is the event log of Putty when trying to SSH to machineB; it's stuck after `public key`:

(image: MachineB SSH Putty event log)

And this is the `-f /var/log/auth.log` at machineB:

(image: Tail auth.log)

I checked these configurations at both machines:

- ✅ ownership of file/directory is the user
- ✅ permission is the same as the previous statement
- ✅ both machines had the same configurations

(image: Comparisons of machines' configurations)

I also tried `/usr/sbin/sshd -d -p 2222` at the target machine and SSH to the system via command prompt using `-i C:\path\to\private-key -p 2222 @` and this is the log I got:

(image: sshd 2222 log)

### Others things tried ###

- Revoke all ACL permissions on machineB, and I was able to SSH to machineB via public key after that.
- Set `no` in `/etc/ssh/sshd_config` at machineB, and it works afterwards. But I know this is not a good idea.
- Check `/etc/ssh/sshd_config` at machineA, and it has `yes` commented, but I believe it's enabled by default.

### Questions ###

- What configurations may I have missed?
- Is it related to a proxy? Because machineA is behind a proxy while machineB is not.

Any help or insight is appreciated :D
Ronald Koh (1 rep)
May 16, 2025, 06:15 AM • Last activity: Jun 21, 2025, 12:26 AM
2 votes
1 answers
3797 views
Nfs4_setfacl reports error on files of mounted folder
I mounted an nfsv4 folder (both client and server are CentOS 7.4) via the command

```
$ sudo mount -t nfs -o v4.0,sec=krb5 ark-centos7-ker.qa.arkivio.com:/export/nfs1 /nfs4-mnt-dir
```

created a file via `touch 11`, then setting the file's ACL failed with the command

```
$ sudo nfs4_setfacl -a A::auto-stor@qa.arkivio.com:rxtncy /nfs4-mnt-dir/11
[sudo] password for auto-stor@qa.arkivio.com:
Failed setxattr operation: Invalid argument
```

It seems to be complaining that the parameter auto-stor@qa.arkivio.com is invalid, but this user is already recognized by both the nfs4 client and server.

```
$ getent passwd auto-stor@qa.arkivio.com
auto-stor@qa.arkivio.com:*:1712401226:1712400513:auto-stor:/home/auto-stor@qa.arkivio.com:/bin/bash
$ id auto-stor@qa.arkivio.com
uid=1712401226(auto-stor@qa.arkivio.com) gid=1712400513(domain users@qa.arkivio.com) groups=1712400513(domain users@qa.arkivio.com),10(wheel),1712439592(autostoradmins@qa.arkivio.com),1712439438(certsvc_dcom_access@qa.arkivio.com),1712439896(passwordpropdeny@qa.arkivio.com),1712400512(domain admins@qa.arkivio.com),1712439802(ats_steph_testgroup@qa.arkivio.com)
```

What is missing in my configuration?
xq10907 (95 rep)
Mar 6, 2018, 01:42 AM • Last activity: Jun 11, 2025, 11:09 AM
1 votes
1 answers
10199 views
StrictModes enable or disable in sshd_config in Linux
I have got a question for you. I need to solve this problem. I have got a folder `/keys` with `chmod 755` on the `/keys` folder and an ACL right such as `setfacl -d -m u:myadmin:rwx /keys`. In the `/keys` folder are other folders such as user1, user2, user3; in each user1, user2, user3 folder is a specific public.key for SSH access.

And now there is my problem: if I have StrictModes enabled in sshd_config, user1 during the ssh connection receives the error message "Bad Ownership or Modes for Directory", because on folder user1 root has got rwx rights and also myadmin has got rwx rights. When I remove the rights of myadmin all is OK and all works. But I need to have myadmin to manage public keys in these folders. So I tried disabling StrictModes in sshd_config and all is OK and working. But I think disabling StrictModes is not a good idea for security. I have got all users and admins chrooted in specific folders in the system. What do you think? Is there any other solution for this problem? Or can it be disabled as the solution to this problem?

---

RE: All users are chrooted in the directory and can't login via putty, console... They can connect only via ssh. After login they see their folders with specific rights, and can't move outside of the chrooted directory. However I need each user to have access to a specific folder which is in a different place, outside of the chrooted folder of each user. The user doesn't know about the outside folder; it's only for server access to write down some files. That's all. With `setfacl -m u:user:rwx` and StrictModes on, the user can't login via ssh. If I turn off StrictModes, the user can connect via ssh. I know StrictModes specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login. Or is there another solution? Thanks
SED85 (45 rep)
Jul 17, 2020, 10:58 AM • Last activity: May 31, 2025, 02:03 PM
0 votes
1 answers
479 views
How to replicate the posix acl default on zfs/nfsv4 acl on Solaris?
Suppose I want a dir in which all files and directories created inside have the group permission of the group owner of the dir, and 770 as the default permission. With posix ACLs it is really easy:

```
#create a dir..
mkdir proof
#inherit group permission "video" in this example
chmod g+s proof/
chgrp video proof/
#with setfacl make the default group with rxw permissions
setfacl -d -m g:video:rwx proof
#other are not allowed
setfacl -d -m o:--- proof/
chmod o-x proof
#give the acl
setfacl -m g:video:rwx proof
```

Now I create a file and a dir inside the dir proof..

```
mkdir try1
drwxrws---+ 2 myuser video 4,0K feb 23 01:26 try1
touch file1
-rw-rw----+ 1 myuser video    0 feb 23 01:29 file1
```

As you can see I obtain what I want: all files in the dir inherit permissions and have the group "video" as group owner. This is possible on Linux (posix ACLs on ext4, btrfs, etc..) and Solaris (ufs). Now the question: how to do this with zfs, which uses nfsv4 ACLs on Solaris? I have tried this, making another dir "proof" on a zfs Solaris 11 host (of course chmod g+s was done):

```
chmod A=owner@:read_attributes/read_data/execute/list_directory/read_data/write_data/append_data/execute/add_file/add_subdirectory:fd:allow,group:video:read_attributes/read_data/execute/list_directory/read_data/write_data/append_data/execute/add_file/add_subdirectory:fd:allow,everyone@:read_attributes/read_data/execute/list_directory/read_data/write_data/append_data/execute/add_file/add_subdirectory:fd:deny proof
```

but the result is..

```
mkdir newdir
drwxr-sr-x+ 2 myuser video 2 23 feb 02.33 newdir
```

:| How to obtain the same as with posix ACLs? Thanks
elbarna (13690 rep)
Feb 23, 2023, 12:35 AM • Last activity: May 20, 2025, 08:06 AM
0 votes
1 answers
72 views
use setfacl to remove a users access to a directory?
So here is something I could not find any reference to. I have this user, user_A, and I want to remove its access to this directory entirely: `/log/dirA`. As far as I understand, chmod is used to modify the access in this order: user/group/others. Others is general and does not care who this is, just anyone other than the user, while not a member of the group will be "other(s)", so I don't want to mess with other users' access to this path, but I want to limit user_A from accessing it. Does **setfacl** work for directories too? Because I used this command, which I think should deny read/write/execute access to the mentioned directory for user_A, but the user is still able to cd into the mentioned dir. Does setfacl apply only to files?? Command:

```
setfacl -Rdm u:user_A:--- /log/dirA
```

`ls -lhtr` of the mentioned path:

```
rwxr-xr-x+  3 Mainuser Mainuser   19 Apr 17  2018 dirA
```

`getfacl /log/dirA`:

```
# file: dirA/
# owner: Mainuser
# group: Mainuser
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:user_A:---
default:group::r-x
default:mask::r-x
default:other::r-x
```
Navid Taghavi (25 rep)
May 19, 2025, 08:45 AM • Last activity: May 19, 2025, 02:58 PM
0 votes
2 answers
55 views
Restrict a users access to all directories but one
So there is a user that was created by root, and it pretty much has access to most/all directories on the system. We want to use this user only for ftp via lftp to read a certain file on the server where this user is located, let's call it config-server. So all the other servers have scripts that will use lftp/ftp to access the config-server using this user to read the desired config file. As the user and password will be saved on the other servers, we want to restrict this user's access to all other unnecessary directories, and no, we don't want to restrict the user's ftp access, we want to restrict the user itself. My goal is to do it at once or at least once for each mount point, like configuring his/her access globally once to 000, then go to the desired directory and give him read access to that directory only. So how can I do this globally? Is it possible? I thought I could use recursive chmod/setfacl on all directories/mountpoints while signed in as root, and then as root, give that user access to the config files' path. Is this a viable solution, or does it have risks? If not, please share your solution.

Note: We have somewhat 74 servers, which nullifies the point of storing the config on each server separately.

EDIT: Server OS is Redhat 6.9 (or later for other servers). Also the access method used in the script would be ftp, but like I said, since the user and password is present in the scripts that are on the other servers, we should prevent the user's overall access; someone might use ssh, or even direct login, and we can't be held responsible for allowing that to happen. Also we have limited access to most of our servers (configuration wise); this is one of the few where we do have root access and the OS is not managed by another team.

But we ourselves will need to be able to login to this user (can't complicate it too much, not every member that is added to the team has good linux/OS knowledge. Ironically, right now two new members, trained by me and my ex-colleague in linux, one of which is an IT student, still didn't know what command is used to switch user; both use right click to copy and paste :| ).
Navid Taghavi (25 rep)
May 13, 2025, 10:55 AM • Last activity: May 14, 2025, 10:29 AM
0 votes
1 answers
70 views
FTP unable to write to a mounted drive
I'm using Mint Linux 22.1 and vsftpd on the destination computer and Windows 11 (latest version) as the source computer. I have the following permissions. In my home directory I have a symlink to a mounted NTFS drive:

(image)

The permissions to the mounted NTFS drive's directories are:

(image)

I have added FACL permissions to each directory making todd an owner of each directory (also did a chown from root to todd in a separate, unsuccessful attempt). **Upon further investigation it appears the setfacl didn't actually do anything (apparently due to the file system being NTFS). So, now the question becomes why didn't the chown where I set my user account as owner solve the problem?** I have set `write_enable=YES` in the `/etc/vsftpd.conf` file. When I try accessing the symlink using Windows 11's file explorer: `ftp://todd@192.168.40.77/NTFS2TB/backups/` I can see files and directories within the NTFS2TB directory, but I cannot upload any files into it. What do I need to do to enable uploading files to the Linux computer's backups directory from Windows 11?

EDIT: Showing the filesystem of NTFS2TB is NTFS

(image)

EDIT 2: The vsftpd.log file entry for an attempt to upload is as follows:

```
Sat Apr 26 16:33:42 2025 [pid 6734] CONNECT: Client "::ffff:192.168.40.161"
Sat Apr 26 16:33:42 2025 [pid 6733] [todd] OK LOGIN: Client "::ffff:192.168.40.161"
Sat Apr 26 16:33:42 2025 [pid 6736] [todd] FAIL DELETE: Client "::ffff:192.168.40.161", "/media/todd/NTFS_PARTITION_2TB/backups/DumpStack.log"
```

EDIT 3: I converted the drive from NTFS to EXT4 and it works now! Thanks everyone.
Todd (101 rep)
Apr 26, 2025, 08:38 PM • Last activity: Apr 28, 2025, 10:28 PM
0 votes
1 answers
132 views
Rsync error when transfer files with acls
I've a Debian server that rsyncs files to an nfs share (Truenas). The nfs share is mounted with systemd:

```
192.168.88.162:/mnt/pool3/nfsdataset  /mnt/systemd/nfs/nfsdataset   nfs nofail,x-systemd.automount 0 0
```

The rsync command is: `rsync -a -A -P testfile /mnt/systemd/nfs/nfsdataset`

When rsync transfers files with ACLs, it returns this error:

```
sending incremental file list
testfile
              0 100%    0,00kB/s    0:00:00 (xfr#1, to-chk=0/1)
rsync: [receiver] set_acl: sys_acl_set_file(.testfile.FS8M3I, ACL_TYPE_ACCESS): Operation not supported (95)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1338) [sender=3.2.7]
```

Nfs is enabled in the Truenas dataset. Is it possible to transfer files with ACLs to an nfs share?
ancoling67 (109 rep)
Feb 23, 2025, 04:14 PM • Last activity: Mar 9, 2025, 08:12 PM
2 votes
2 answers
170 views
Possible to apply sticky bit effects to a group rather than user?
I've been reading up on the "sticky bit" and it's _almost_ what I want… but not quite.

## Background

I'm managing a small JupyterHub instance with three courses and an instructor for each course. I'd like to have a folder on the server for file submissions. Students (in the `jupyterhub-users` group) should be able to place their own files in the folder, but should not be able to move or view other files in the folder. Ideally, they should retain the ability to move or edit their own file. Course instructors (in the `jupyterhub-instructors` group) should have full access to files and folders in the submissions folder so they can move their students' submissions around as they see fit.

## My current understanding

I'm aware of the sticky bit… my problem with it is that it leaves the other instructors unable to modify the contents of the folder. Is there a version of the sticky bit that allows the _group_ to edit the folder? In that case, I can set ACLs such that jupyterhub-users have rwx permissions on the folder (allowing them to submit files to the folder and see the contents of it) and set the folder owner to root:jupyterhub-instructors so the instructors can control the contents of the folder. If all else fails, I suppose I can make subfolders in the submissions folder owned by each instructor, then set the sticky bit on each subfolder. I'd like to avoid the future maintenance associated with that though, since _I'll_ have to be the one to remember to set up a new folder next semester for each instructor.
Dustin Wheeler (123 rep)
Jan 24, 2025, 08:24 PM • Last activity: Jan 25, 2025, 01:06 AM
0 votes
0 answers
36 views
Why on nfs client those acl are not working fine?
The situation: I want to export a directory writable only for a group. I have created a group with the same gid on both client (Solaris 10) and server (Linux). On the Linux server I set the permission and ACL in this way:

```
chmod g+s /srv/nfsv4/pub
chgrp nfs-users /srv/nfsv4/pub
setfacl -d -m g:"nfs-users":rwx /srv/nfsv4/pub
setfacl -d -m o:--- /srv/nfsv4/pub
setfacl -d -m g:"nfs-users":rwx /srv/nfsv4/pub
```

I go on the Linux client, I create a file and it works fine:

```
cd /srv/nfsv4/pub
mkdir try
ls -lhd *
drwxrws---+ 1 myuser nfs-users 0 gen 12 00:43 try/
```

I export the directory for the Solaris client:

```
/srv/nfsv4     10.7.2.0/24(rw,no_subtree_check,fsid=0,sec=sys:krb5:krb5i:krb5p,acl)
/srv/nfsv4/pub 10.7.2.0/24(rw,no_subtree_check,async,root_squash,nohide,acl)
```

I mount it and I create a directory:

```
mount -F nfs -o vers=4,sec=krb5p,rw slackware1:/pub /mnt
cd /mnt
mkdir try2
ls -lhd *
drwxrws---+ 1 myuser nfs-users 0 Jan 12 00:43 try/
drwxr-s---+ 1 myuser nfs-users 0 Jan 12 00:46 try2/
```

As you can see the write permission for the group is missing. I can "escape" this using a different umask (0002 instead of 0022) but I want to know why Solaris doesn't respect the ACL inheritance. The ACL is not correctly seen on the Solaris client (I don't see the default).

On Solaris:

```
getfacl /mnt
# file: /mnt
# owner: root
# group: nfs-users
user::rwx
group::rwx              #effective:rwx
mask:rwx
other:r-x
```

On Linux:

```
# file: srv/nfsv4/pub/
# owner: root
# group: nfs-users
# flags: -s-
user::rwx
group::r-x
group:nfs-users:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:nfs-users:rwx
default:mask::rwx
default:other::---
```

Another solution can be to use g+ws instead of g+s for the ACL. The question is: why doesn't Solaris correctly see the posix ACL? Trying to use nfs4 ACLs on Linux is impossible because of the lack of a decent tool to set them (nfs4_setacl works only on nfs shares, not on a local fs).
elbarna (13690 rep)
Jan 11, 2025, 11:55 PM • Last activity: Jan 12, 2025, 12:05 AM
0 votes
1 answers
226 views
Openzfs, Linux and nfsv4 acl
On Linux zfs seems to support nfsv4 ACLs:

```
zfs set acltype=nfsv4 rpool/ROOT/nas
echo $?
0
```

I create a fs

```
zfs create -o mountpoint=/var/pub rpool/pub
```

and...nothing works:

```
nfs4_setfacl -e /var/pub
Failed to instantiate ACL.
nfs4_setfacl -a A:fd:OWNER@:rwaDdxtTnNy,A:GROUP@:rwaDdxtTnNy,D:fd:EVERYONE@:rwaDdxtTnNy /var/pub
Failed to instantiate ACL.
```

I don't know any other utilities to manage nfsv4 ACLs. What am I missing? zfs seems correctly configured to use nfs4 ACLs:

```
rpool                      acltype  nfsv4  local
rpool/ROOT                 acltype  nfsv4  local
rpool/ROOT/nas             acltype  nfsv4  local
rpool/ROOT/nas@26-12-2024  acltype  nfsv4  inherited from rpool/ROOT/nas
rpool/pub                  acltype  nfsv4  local
rpool/root                 acltype  nfsv4  inherited from rpool
rpool/tmp                  acltype  nfsv4  inherited from rpool
```

EDIT: probably this app works https://github.com/truenas/nfs4xdr-acl-tools but the problem is it doesn't compile on Slackware 15, so I cannot test it:

```
/usr/bin/libtool --mode=link gcc -o nfs4xdr_torture nfs4xdr_torture.o ../libnfs4acl/libnfs4acl.la -lattr
libtool: link: gcc -o nfs4xdr_torture nfs4xdr_torture.o ../libnfs4acl/.libs/libnfs4acl.a -lbsd -ljansson -lattr
/usr/bin/ld: ../libnfs4acl/.libs/libnfs4acl.a(nfs4_json_to_acl.o):/root/nfs4xdr-acl-tools/libnfs4acl/../include/nfs4_json.h:54: multiple definition of `flags2txt'; ../libnfs4acl/.libs/libnfs4acl.a(nfs4_ace_to_json.o):/root/nfs4xdr-acl-tools/libnfs4acl/../include/nfs4_json.h:54: first defined here
/usr/bin/ld: ../libnfs4acl/.libs/libnfs4acl.a(nfs4_json_to_acl.o):/root/nfs4xdr-acl-tools/libnfs4acl/../include/nfs4_json.h:67: multiple definition of `perms2txt'; ../libnfs4acl/.libs/libnfs4acl.a(nfs4_ace_to_json.o):/root/nfs4xdr-acl-tools/libnfs4acl/../include/nfs4_json.h:67: first defined here
/usr/bin/ld: ../libnfs4acl/.libs/libnfs4acl.a(nfs4_json_to_acl.o):/root/nfs4xdr-acl-tools/libnfs4acl/../include/nfs4_json.h:87: multiple definition of `type2txt'; ../libnfs4acl/.libs/libnfs4acl.a(nfs4_ace_to_json.o):/root/nfs4xdr-acl-tools/libnfs4acl/../include/nfs4_json.h:87: first defined here
/usr/bin/ld: ../libnfs4acl/.libs/libnfs4acl.a(nfs4_json_to_acl.o):/root/nfs4xdr-acl-tools/libnfs4acl/../include/nfs4_json.h:98: multiple definition of `aclflags2txt'; ../libnfs4acl/.libs/libnfs4acl.a(nfs4_ace_to_json.o):/root/nfs4xdr-acl-tools/libnfs4acl/../include/nfs4_json.h:98: first defined here
/usr/bin/ld: ../libnfs4acl/.libs/libnfs4acl.a(nfs4_json_to_acl.o):/root/nfs4xdr-acl-tools/libnfs4acl/../include/nfs4_json.h:107: multiple definition of `basicperms2txt'; ../libnfs4acl/.libs/libnfs4acl.a(nfs4_ace_to_json.o):/root/nfs4xdr-acl-tools/libnfs4acl/../include/nfs4_json.h:107: first defined here
/usr/bin/ld: ../libnfs4acl/.libs/libnfs4acl.a(nfs4_json_to_acl.o):/root/nfs4xdr-acl-tools/libnfs4acl/../include/nfs4_json.h:117: multiple definition of `basicflags2txt'; ../libnfs4acl/.libs/libnfs4acl.a(nfs4_ace_to_json.o):/root/nfs4xdr-acl-tools/libnfs4acl/../include/nfs4_json.h:117: first defined here
collect2: error: ld returned 1 exit status
gmake: *** [../include/buildrules:47: nfs4xdr_torture] Error 1
make: *** [Makefile:53: default] Error 2
```
elbarna (13690 rep)
Jan 2, 2025, 11:14 PM • Last activity: Jan 3, 2025, 05:08 PM
0 votes
1 answers
25 views
Solaris zfs acl: how to force acl inherit for "others"?
With this acl
chmod A=owner@:wpdDxrarRsWwA:df:allow,group:nfs-users:wpdDxrarRsWwA:df:allow,everyone@:wpdDxrarRsWwA:df:deny /directory
I obtain that the directory is available only for nfs-users and the owner, and all files and directories created inside have 770 permissions. Works ok, but it doesn't mount anymore using nfs. Which acl allows external mount? I have tried adding user root and nobody
chmod A=owner@:wpdDxrarRsWwA:df:allow,group:nfs-users:wpdDxrarRsWwA:df:allow,everyone@:wpdDxrarRsWwA:df:deny,user:root:ww pdDxrarRsWwA:allow,user:nobody:wpdDxrarRsWwA:allow,group:nobody:wpdDxrarRsWwA:allow
but it doesn't work; only if I remove the "everyone" line can the directory be mounted via nfs. Is it not possible to obtain a directory with 770 inherited permissions that is at the same time mountable via nfs? The server is Solaris, the client Linux.
elbarna (13690 rep)
Jan 2, 2025, 05:53 PM • Last activity: Jan 2, 2025, 06:04 PM
1 votes
0 answers
13 views
Allow NFS mounted with host key to read everything in a kerberized NFS share
I have a TrueNAS system that my hosts can connect/mount into, to write they should need to have a valid ticket by my KCM, but to read, certain mount points should be able to be read by any host that is enabled. I tried to make my ACL rules to match everyone@ read/traverse, but that seems to not match the "other" that traditional posix has. I think what I want is the other equivalent when the user is "nobody"/unknown.
Braiam (36866 rep)
Jan 1, 2025, 03:52 PM
0 votes
0 answers
76 views
ksmbd share looks empty at client side
I'm trying to get ksmbd to work on a machine running bookworm. But regardless of whether I'm using a Linux GUI, CLI or a Windows 10 client, I'm unable to browse through files or directories within the mounted share. But I'm able to create files and directories on the ksmbd server, to edit them and to remove them again. Because all clients behave the same way I guess it's a ksmbd problem. All following data are from the Linux CLI. By the way, regardless of whether I log in to the server via ssh or sshfs, the user 'henning' did always see files and directories. Note: all files on the server within /zPool are mounts of ZFS repositories with posix acls. When using the share "example" from my ksmbd.conf, which points to /tmp on the server, everything works as expected. Is this an error, or am I missing something? Did not find a hint anywhere... Let's have a look into the mountpoint before start
# vdir /mnt/NAS/
insgesamt 8
drwxrwxr-x  2 admin admins 4096 29. Jul 2020  .
drwxr-xr-x 15 root  root   4096 31. Dez 19:14 ..
mount the share to a local dir
# mount -t cifs //pve.dry.lan/tmp /mnt/NAS/
Password for henning@//pve.dry.lan/tmp:
no error, but it seems that nothing happened on the client
# vdir /mnt/NAS/
insgesamt 4
drwxr-xr-x  2 root root    0 12. Jun 2022  .
drwxr-xr-x 15 root root 4096 31. Dez 19:14 ..
but try to create a dir & file, no errors so far
# mkdir /mnt/NAS/ksmbd-test-dir
# echo 1234 > ksmbd-text.txt
seems that nothing happened again
# vdir /mnt/NAS/
insgesamt 4
drwxr-xr-x  2 root root    0 12. Jun 2022  .
drwxr-xr-x 16 root root 4096 31. Dez 19:17 ..
let's look at the server, the newly created entries are there
$ vdir /zPool/tmp/
...
drwxrwsr-x+  2 henning admins         2 Dec 31 19:19 ksmbd-test-dir
-rwxrwxr-x+  1 henning admins         5 Dec 31 19:20 ksmbd-test.txt
...
$ getfacl /zPool/tmp/
getfacl: Removing leading '/' from absolute path names
# file: zPool/tmp/
# owner: admin
# group: admins
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:user:admin:rwx
default:group::r-x
default:group:admins:rwx
default:mask::rwx
default:other::r-x
$ getfacl /zPool/tmp/ksmbd-test
ksmbd-test-dir/ ksmbd-test.txt  
root@pve:/zPool/tmp# getfacl /zPool/tmp/ksmbd-test-dir/
getfacl: Removing leading '/' from absolute path names
# file: zPool/tmp/ksmbd-test-dir/
# owner: henning
# group: admins
# flags: -s-
user::rwx
user:admin:rwx
group::r-x
group:admins:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:admin:rwx
default:group::r-x
default:group:admins:rwx
default:mask::rwx
default:other::r-x
$ getfacl /zPool/tmp/ksmbd-test.txt 
getfacl: Removing leading '/' from absolute path names
# file: zPool/tmp/ksmbd-test.txt
# owner: henning
# group: admins
user::rwx
user:admin:rwx
group::r-x
group:admins:rwx
mask::rwx
other::r-x
finally the ksmbd.conf
[global]
	; global parameters
	bind interfaces only = no
	deadtime = 0
	guest account = nobody
	interfaces = 
	ipc timeout = 0
	kerberos keytab file = 
	kerberos service name = 
	kerberos support = no
	map to guest = never
	max active sessions = 1024
	max connections = 128
	max open files = 10000
	netbios name = KSMBD SERVER
	restrict anonymous = 0
	root directory = 
	server max protocol = SMB3_11
	server min protocol = SMB2_10
	server multi channel support = no
	server signing = disabled
	server string = SMB SERVER
	share:fake_fscaps = 64
	smb2 leases = no
	smb2 max credits = 8192
	smb2 max read = 4MB
	smb2 max trans = 1MB
	smb2 max write = 4MB
	smb3 encryption = auto
	smbd max io size = 8MB
	tcp port = 445
	workgroup = WORKGROUP
	durable handles = no

	; default share parameters
	browseable = yes
	comment = 
	create mask = 0744
	crossmnt = yes
	directory mask = 0755
	force create mode = 0000
	force directory mode = 0000
	force group = 
	force user = 
	guest ok = no
	hide dot files = yes
	inherit owner = no
	invalid users = 
	oplocks = yes
	path = 
	read list = 
	read only = ; yes
	store dos attributes = yes
	valid users = 
	veto files = 
	vfs objects = 
	write list = 

[example]
	comment = read only /tmp access
	path = /tmp

[tmp]
        comment = temp share
        path = /zPool/tmp
        create mask = 0774
        directory mask = 0775
        force group = admins
        hide dot files = no
	read only = no
        write list = henning,moni
Die Rylls (1 rep)
Jan 1, 2025, 10:18 AM
0 votes
2 answers
82 views
"+" in file permissions
I back up my stuff with rsync over private/public-keyed SSH, to /media/pi/backups/... to a Raspberry PI with a 1GB USB HD plugged into it as the occasional, offsite backups. When I look at the backup directories on the PI, some directories have appeared.
root@backupPi:/media/pi# ls -la /media/pi
total 20
drwxr-x---+ 5 pi   pi   4096 Apr 12  2024 .
drwxr-xr-x  3 root root 4096 Oct 21  2019 ..
drwx------  2 root root 4096 Feb 20  2023 data
drwx------  2 root root 4096 Feb 20  2023 data1
drwxr-xr-x  9 pi   pi   4096 Dec 13  2023 data2
root@backupPi:/media/pi/data1# ls -la
total 8
drwx------  2 root root 4096 Feb 20  2023 .
drwxr-x---+ 5 pi   pi   4096 Apr 12  2024 ..
... and all my stuff is in data2 (although it would have gone initially into /media/pi/data.) The + signifies ACL, according to https://unix.stackexchange.com/questions/92071 , but I can't find anything more about it. How has the + been added? How do I find out what the ACL involves?
user358360 (61 rep)
Dec 21, 2024, 06:21 PM • Last activity: Dec 21, 2024, 11:53 PM
0 votes
0 answers
24 views
Full access shared folder for two unprivileged users
I am an unprivileged user A in the same group G as another unprivileged user B. We want to share a directory. I want to create a shared folder, be it /tmp/shared. How do I set its rights? Seems I want to set 2770. But what prevents B from creating a folder with 700 in there? Can I force full access to all files any user creates in my (!) folder I shared with them? And, of course, also full access for them. Does this even work with this rights model? If not, how do I do this with ACLs? As far as I understood, ACLs help me to prevent that B *accidentally* creates a file without granting me access, but do not prevent it if B does it *intentionally*.
Bubaya (141 rep)
Dec 20, 2024, 12:05 AM • Last activity: Dec 20, 2024, 01:38 AM