Samba has several options to help with file creation masks. A file creation mask defines the maximum permissions a file or directory will receive at the time it is created: the permissions the client asks for are ANDed with the mask, so any bit that is absent from the mask can never be set on the new file or directory. (Unlike a Unix umask, which lists the bits to remove, a Samba mask lists the bits that are allowed.) For files created from Windows, this also controls which DOS attributes a client can store, because Samba keeps the archive, system, and hidden attributes in the owner, group, and world execute bits, and represents read-only as the absence of write permission.
For example, the create mask option will force the permissions of a file created by a Windows client to be at most 744 (rwxr--r--; the owner execute bit is left in the mask so that the archive attribute can still be recorded):
[data]
path = /home/samba/data
browseable = yes
guest ok = yes
writeable = yes
create mask = 744
while the directory mask option shown here will force the permissions of a newly created directory to be at most 755:
[data]
path = /home/samba/data
browseable = yes
guest ok = yes
writeable = yes
directory mask = 755
Alternatively, you can also force various bits with the force create mode and force directory mode options. These options are ORed into the permissions after the mask has been applied, ensuring that the bits they specify are always set even if the client did not ask for them. You would typically set these options globally in order to ensure that group and world read/write permissions have been set appropriately for new files or directories in each share. Because the widest mode a new file can receive is the mask ORed with the force mode, a force create mode that adds group or world write makes every new file in the share writable by those users, so check both values together before relying on the mask alone.
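To make the mask and force-mode arithmetic concrete, the following is an added example (not Samba's own code) that models how a file or directory created from Windows ends up with its Unix mode: the client's requested DOS attributes set the starting bits, the mask is ANDed in, and the force mode is ORed in. It assumes Samba's default settings of map archive, map system, and map hidden all enabled and inherit permissions disabled, and it also shows the side effect of the masks in this section: with create mask = 744 the system and hidden attributes cannot be stored, because the group and world execute bits they map to are cleared. The DOS_* values are the standard FILE_ATTRIBUTE_* constants; DEFAULT_SHARE mirrors the [data] share above.

```python
"""Model of Samba's create mask / force create mode arithmetic (added example,
not Samba's code). Assumes map archive/system/hidden = yes and inherit
permissions = no, which are the defaults."""
import stat

# Standard FILE_ATTRIBUTE_* values a Windows client sends when creating a file.
DOS_READONLY = 0x01
DOS_HIDDEN = 0x02
DOS_SYSTEM = 0x04
DOS_ARCHIVE = 0x20

# The [data] share from the text; values are octal as they would be in smb.conf.
DEFAULT_SHARE = {
    "create mask": 0o744,
    "force create mode": 0o000,
    "directory mask": 0o755,
    "force directory mode": 0o000,
}


def parse_mode(text):
    """smb.conf mode values are octal: "744" and "0744" mean the same thing."""
    return int(text, 8)


def unix_mode(dos_attrs, is_directory=False, share=DEFAULT_SHARE):
    """Unix mode Samba assigns to a new object requested with dos_attrs."""
    # A Windows client asks for a read/write object; start from rw for everyone.
    mode = (stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IWGRP
            | stat.S_IROTH | stat.S_IWOTH)
    if dos_attrs & DOS_READONLY:
        # DOS read-only is represented as "no write permission".
        mode &= ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)
    if is_directory:
        # Directories need search permission; the owner keeps write so files can
        # still be created in a directory marked read-only from DOS.
        mode |= stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH | stat.S_IWUSR
        mode &= share["directory mask"]        # AND: mask is the upper bound
        mode |= share["force directory mode"]  # OR: forced bits always set
    else:
        # The DOS attributes ride on the three execute bits.
        if dos_attrs & DOS_ARCHIVE:
            mode |= stat.S_IXUSR
        if dos_attrs & DOS_SYSTEM:
            mode |= stat.S_IXGRP
        if dos_attrs & DOS_HIDDEN:
            mode |= stat.S_IXOTH
        mode &= share["create mask"]
        mode |= share["force create mode"]
    return mode


def dropped_attributes(dos_attrs, share=DEFAULT_SHARE):
    """DOS attributes a Windows client asked for that the create mask discards,
    because the execute bit each one maps to is not in the mask."""
    mode = unix_mode(dos_attrs, share=share)
    mapping = ((DOS_ARCHIVE, stat.S_IXUSR, "archive"),
               (DOS_SYSTEM, stat.S_IXGRP, "system"),
               (DOS_HIDDEN, stat.S_IXOTH, "hidden"))
    return [name for attr, bit, name in mapping
            if dos_attrs & attr and not mode & bit]


def audit_share(share):
    """Flag mask/force combinations that let group or world write to new
    objects. The widest mode any new object can get is (mask | force mode)."""
    findings = []
    for kind, mask_key, force_key in (
            ("file", "create mask", "force create mode"),
            ("directory", "directory mask", "force directory mode")):
        widest = share[mask_key] | share[force_key]
        if widest & stat.S_IWOTH:
            findings.append(f"{kind}: world-writable ({oct(widest)})")
        elif widest & stat.S_IWGRP:
            findings.append(f"{kind}: group-writable ({oct(widest)})")
        if share[force_key] & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{kind}: {force_key} grants write beyond the owner")
    return findings


if __name__ == "__main__":
    # New files from Windows normally carry the archive attribute.
    print(oct(unix_mode(DOS_ARCHIVE)))                      # 0o744
    print(oct(unix_mode(DOS_ARCHIVE | DOS_READONLY)))       # 0o544
    print(dropped_attributes(DOS_ARCHIVE | DOS_SYSTEM | DOS_HIDDEN))
    print(audit_share({"create mask": 0o775, "force create mode": 0o000,
                       "directory mask": 0o777, "force directory mode": 0o002}))
```

Run it as-is to see the [data] share's results; pass your own share dictionary (built with parse_mode from the smb.conf strings) to audit_share to check a real configuration before deploying it.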
In the same spirit, if you wish to explicitly set the Unix user and group attributes of a file that is created on the Windows side, you can use the force user and force group options. For example:
[data]
path = /home/samba/data
browseable = yes
guest ok = yes
writeable = yes
create mask = 744
directory mask = 755
force user = joe
force group = accounting
These options actually assign a static Unix user and group to each connection that is made to a share. However, this occurs after the client authenticates; it does not allow free access to a share. These options are frequently used for their side effect of assigning a specific user and group to each new file or directory that is created in a share. Use these options with discretion: once the connection runs as the forced user, every client (including anonymous guests, if the share also sets guest ok = yes, as in the example above) reads and writes the share's files with joe's Unix permissions, and file ownership no longer tells you which Windows user actually created or changed a file.
Finally, one of the capabilities of Unix that DOS lacks is the ability to delete a read-only file from a writable directory. In Unix, if a directory is writable, a read-only file in that directory can still be removed. This could permit you to delete files in any of your directories, even if the file was left by someone else.
DOS filesystems are not designed for multiple users, and so its designers decided that read-only means "protected against accidental change, including deletion," rather than "protected against some other user on a single-user machine." So the designers of DOS prohibited removal of a read-only file. Even today, Windows file systems exhibit the same behavior.
Normally, this is harmless. Windows programs don't try to remove read-only files because they know it's a bad idea. However, a number of source-code control programs, which were first written for Unix, run on Windows and require the ability to delete read-only files. Samba permits this behavior with the delete readonly option. It only bypasses the DOS read-only attribute; the client still needs Unix write permission on the containing directory for the deletion to succeed. To enable this functionality, set the option to yes:
[data]
path = /home/samba/data
browseable = yes
guest ok = yes
writeable = yes
create mask = 744
directory mask = 755
force user = joe
force group = accounting
delete readonly = yes