I run Samba on a Linux server and access the files from a Mac client. Accessing files through Samba works fine, but on the Mac every file shows up with the execute bit set: rwx------. On the server the files are not executable: rw-rw----.
Are the permissions shown on the client set on the server or on the client? How can I either:
- force all files to rw------- on the client, or
- pass the permissions through from the server to the client?
Answer 1
The permissions are set on the server and depend 100% on ACLs.
You have two options to try to solve your problem.
First option (probably the better fit for your needs): try to map/match Windows and Unix ACLs.
Edit the SMB server's smb.conf file and add these parameters to the [global] section:
[global]
nt acl support = yes
acl map full control = no
The two parameters above make the SMB server attempt to map/match Windows and Unix ACLs.
From the smb.conf man page:
nt acl support (S)
This boolean parameter controls whether smbd(8) will attempt to map UNIX permissions into Windows NT access control lists. The UNIX permissions considered are the traditional UNIX owner and group permissions, as well as POSIX ACLs set on any files or directories.
acl map full control (S)
This boolean parameter controls whether smbd(8) maps a POSIX ACE entry of "rwx" (read/write/execute), the maximum allowed POSIX permission set, into a Windows ACL of "FULL CONTROL". If this parameter is set to true any POSIX ACE entry of "rwx" will be returned in a Windows ACL as "FULL CONTROL"; if this parameter is set to false any POSIX ACE entry of "rwx" will be returned as the specific Windows ACL bits representing read, write and execute.
Second option (workaround): set specific ACLs per share.
In short, the RWX (read, write, execute) permissions are defined by these equivalent SMB parameters:
- writeable = no is equivalent to R (read-only)
- writeable = yes is equivalent to RW (read-write)
- acl allow execute always = true or acl allow execute always = yes is equivalent to X (execute)
To set file/folder permissions for all shares, edit the server's smb.conf file and add this global setting:
[global]
acl allow execute always = false
guest ok = no
writeable = yes
available = yes
browseable = yes
printable = no
locking = yes
...which by default makes every shared folder forbid executing files (acl allow execute always = false), deny guest access (guest ok = no), allow reading and editing/(re)writing files and folders (writeable = yes), make all shares available to remote (client) users (available = yes), make the available shares visible (browseable = yes), forbid using the share as a print spool directory (printable = no), and perform real locking on the share when a client sends such a request to the SMB server (locking = yes).
From the smb.conf man page:
acl allow execute always (S)
This boolean parameter controls the behaviour of smbd(8) when receiving a protocol request of "open for execution" from a Windows client. With Samba 3.6 and older, the execution right in the ACL was not checked, so a client could execute a file even if it did not have execute rights on the file. In Samba 4.0, this has been fixed, so that by default, i.e. when this parameter is set to "False", "open for execution" is now denied when execution permissions are not present. If this parameter is set to "True", Samba does not check execute permissions on "open for execution", thus re-establishing the behaviour of Samba 3.6. This can be useful to smoothen upgrades from older Samba versions to 4.0 and newer. This setting is not meant to be used as a permanent setting, but as a temporary relief: It is recommended to fix the permissions in the ACLs and reset this parameter to the default after a certain transition period.
Note: if acl allow execute always = false does not work, try acl allow execute always = no.
guest ok (S)
If this parameter is yes for a service, then no password is required to connect to the service. Privileges will be those of the guest account. This parameter nullifies the benefits of setting restrict anonymous = 2 See the section below on security for more information about this option.
writeable (S)
Inverted synonym for read only.
read only (S)
An inverted synonym is writeable. If this parameter is yes, then users of a service may not create or modify files in the service's directory. Note that a printable service (printable = yes) will ALWAYS allow writing to the directory (user privileges permitting), but only via spooling operations.
available (S)
This parameter lets you "turn off" a service. If available = no, then ALL attempts to connect to the service will fail. Such failures are logged.
browseable (S)
This controls whether this share is seen in the list of available shares in a net view and in the browse list.
printable (S)
If this parameter is yes, then clients may open, write to and submit spool files on the directory specified for the service. Note that a printable service will ALWAYS allow writing to the service path (user privileges permitting) via the spooling of print data. The read only parameter controls only non-printing access to the resource.
locking (S)
This controls whether or not locking will be performed by the server in response to lock requests from the client. If locking = no, all lock and unlock requests will appear to succeed and all lock queries will report that the file in question is available for locking. If locking = yes, real locking will be performed by the server. This option may be useful for read-only filesystems which may not need locking (such as CDROM drives), although setting this parameter to no is not really recommended even in this case. Be careful about disabling locking either globally or in a specific service, as lack of locking may result in data corruption. You should never need to set this parameter.