Restrictive or relaxed file permissions

[CamaroLT]

Is the file permission system in Linux based systems a RESTRICTIVE permission based system, or a RELAXED permission based system for user:group access considerations only?

By this I mean does the kernel go by the most restrictive access a user:group has to gain appropriate access to the file in question, or does it go by the permission that gives the most access?

The reason I'm asking is as follows;

I've just setup a minimal install of Ubuntu and have a basic LAMPS system. I've been fighting with Samba, reconfiguring it, setting permissions to all out 777 permissions for both file and directory, but I just could NOT convince it to allow me to create files and directories via the share. However, I noted that I could change files if they already existed.

So I looked at the directory permission where the root samba share is and found that it was set for 570 with the appropriate user setup I want. I changed the permission to 777, which allowed me to create a directory. I then changed it to 770, and still was able to create a directory. However, when I went back to 570, I got permission failures.

I don't seem to have a samba "user" otherwise I would have given full permissions for that user and then given the

http://www-data

group read only access.

The thing that strikes me really odd is that I'm not blocked because of the no access for the "other" permission.

Can anyone shed some light on what is going on with this?

-=*=-=*=-=*=-=*=-=*=-=*=-=*=-=*=-=*=-=*=-=*=
NEVER send the boss to do a techs job

 

[SamBones]

They are called permissions because you cannot access a file or directory unless you match one of the permission bits that gives you access. If you don't have a permission bit set, you won't be able to access the file or directory.

Unless you are [tt]root[/tt], which can walk through wall, leap tall buildings, and generally do anything it wants.

 

[SamBones]

Oops, sorry, I responded after just reading the first couple lines.

SAMBA throws a whole other spin on things. There are actually three things you need to consider.

First, the permissions on the home directory should be 7xx, not 5xx. The owner should always have full permissions. You should also make sure the owner of the directories and files is actually the userid that is connecting via SAMBA.

Second, you need to make sure you have a umask set that matches your permission scheme. This is set in both the .profile for the account, and in the share definition for SAMBA. Setting it to 022 would give the owner control, and everyone else just access. Setting it to 002 would give owner and group full control, and others nothing. Keep in mind umask just controls the permissions given to anything created via the share.

Third, in the SAMBA config defining the share, it's best to have the permissions match what you want. That is, allowing full group and owner control and nothing to others (I think that's what you said you wanted).

It kind of follows the Windows model of the directories and files having their own owners and access permissions, and the access via the share defining their own permissions. They both have to let you get past to access the file or directory.