Annoying change in MacOS X 10.5+ Samba clients

So, my friend Jason asked me:

Why are my MacOS X 10.5+ Samba clients ignoring the “force create mode” and “force directory mode” settings for the share on my Samba server?

He was trying to setgid the directory and force files and directories to be group-writable (i.e., “force create mode = 02770” and “force directory mode = 02770”), so that different users in the same group who create files and directories on the same share can all write to them. However, his MacOS X 10.5+ clients were somehow able to ignore these settings.

Turns out, this is a known issue:

The summary is that as of MacOS X 10.5 Leopard, its Samba client uses CIFS UNIX extensions to manipulate permissions, and for those operations Samba servers currently don’t enforce the restrictions specified by the older “mode” settings. The workaround is to disable these CIFS UNIX extensions on the Samba server by putting “unix extensions = off” in the [global] section of your smb.conf file.
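To find shares affected by this on an existing server, here is a small audit script, added as an example and not part of the original post. It parses an smb.conf and reports every share that relies on the forced mode settings while UNIX extensions are still enabled. The sample configuration, share names and paths are constructed, and the script assumes “unix extensions” is enabled when it is not set explicitly.

```python
import re

# Constructed sample smb.conf; share names and paths are made up.
SAMPLE = """\
[global]
   workgroup = EXAMPLE
[projects]
   path = /srv/projects
   force create mode = 02770
   force directory mode = 02770
[scratch]
   path = /srv/scratch
"""
MODE_KEYS = {"forcecreatemode": "force create mode",
             "forcedirectorymode": "force directory mode"}
TRUE = {"yes", "true", "on", "1"}

def norm(name):
    # smb.conf ignores case and whitespace in parameter names
    return "".join(name.split()).lower()

def parse_smb_conf(text):
    """Return {section: {normalized_param: value}} in file order."""
    sections, current = {}, None
    text = re.sub(r"\\\r?\n", "", text)  # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def audit(text):
    """List (share, [mode settings]) that UNIX-extension clients can bypass."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    # Assumption: "unix extensions" is enabled when not set explicitly.
    if glob.get("unixextensions", "yes").lower() not in TRUE:
        return []
    findings = []
    for share, params in conf.items():
        effective = {**glob, **params}  # share settings override [global]
        forced = [label for key, label in MODE_KEYS.items() if key in effective]
        if share != "global" and forced:
            findings.append((share, forced))
    return findings
```

Calling `audit()` on the text of your own smb.conf returns an empty list once “unix extensions = off” is set in [global].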

Comments

  1. Depending on how bleeding edge your friend's default smb.conf was, see also the dangerous interaction between unix extensions and wide links in smb.conf which together can have nasty exploitable side effects.

  2. John Torres says:

    Awesome! I was doing some research on mac samba clients and I stumbled upon this link.

    Good reading.

    John
