1<HTML> 2<HEAD> 3<TITLE> 4[Chapter 5] 5.3 File Permissions and Attributes on MS-DOS and Unix</title><META NAME="DC.title" CONTENT=""><META NAME="DC.creator" CONTENT=""><META NAME="DC.publisher" CONTENT="O'Reilly & Associates, Inc."><META NAME="DC.date" CONTENT="1999-11-05T21:32:58Z"><META NAME="DC.type" CONTENT="Text.Monograph"><META NAME="DC.format" CONTENT="text/html" SCHEME="MIME"><META NAME="DC.source" CONTENT="" SCHEME="ISBN"><META NAME="DC.language" CONTENT="en-US"><META NAME="generator" CONTENT="Jade 1.1/O'Reilly DocBook 3.0 to HTML 4.0"></head> 5<BODY BGCOLOR="#FFFFFF" TEXT="#000000" link="#990000" vlink="#0000CC"> 6<table BORDER="0" CELLPADDING="0" CELLSPACING="0" width="90%"> 7<tr> 8<td width="25%" valign="TOP"> 9<img hspace=10 vspace=10 src="gifs/samba.s.gif" 10alt="Using Samba" align=left valign=top border=0> 11</td> 12<td height="105" valign="TOP"> 13<br> 14<H2>Using Samba</H2> 15<font size="-1"> 16Robert Eckstein, David Collier-Brown, Peter Kelly 17<br>1st Edition November 1999 18<br>1-56592-449-5, Order Number: 4495 19<br>416 pages, $34.95 20</font> 21<p> <a href="http://www.oreilly.com/catalog/samba/">Buy the hardcopy</a> 22<p><a href="index.html">Table of Contents</a> 23</td> 24</tr> 25</table> 26<hr size=1 noshade> 27<!--sample chapter begins --> 28 29<center> 30<DIV CLASS="htmlnav"> 31<TABLE WIDTH="515" BORDER="0" CELLSPACING="0" CELLPADDING="0"> 32<TR> 33<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="172"> 34<A CLASS="sect1" HREF="ch05_02.html" TITLE="5.2 Filesystem Differences"> 35<IMG SRC="gifs/txtpreva.gif" ALT="Previous: 5.2 Filesystem Differences" BORDER="0"></a></td><TD ALIGN="CENTER" VALIGN="TOP" WIDTH="171"> 36<B> 37<FONT FACE="ARIEL,HELVETICA,HELV,SANSERIF" SIZE="-1"> 38<A CLASS="chapter" REL="up" HREF="ch05_01.html" TITLE="5. Browsing and Advanced Disk Shares "> 39Chapter 5<br> 40Browsing and Advanced Disk Shares </a></font></b></td><TD ALIGN="RIGHT" VALIGN="TOP" WIDTH="172"> 41<A CLASS="sect1" HREF="ch05_04.html" TITLE="5.4 Name Mangling and Case"> 42<IMG SRC="gifs/txtnexta.gif" ALT="Next: 5.4 Name Mangling and Case" BORDER="0"></a></td></tr></table> <hr noshade size=1></center> 43</div> 44<blockquote> 45<div> 46<H2 CLASS="sect1"> 47<A CLASS="title" NAME="ch05-34062"> 485.3 File Permissions and Attributes on MS-DOS and Unix</a></h2><P CLASS="para">DOS was never intended to be a multiuser, networked operating system. Unix, on the other hand, was designed that way from the start. Consequently, there are inconsistencies and gaps in coverage between the two filesystems that Samba must not only be aware of, but also provide solutions for. One of the biggest gaps is how Unix and DOS handle permissions with files.</p><P CLASS="para"> 49Let's take a look at how Unix assigns permissions. All Unix files have read, write, and execute bits for three classifications of users: owner, group, and world. These permissions can be seen at the extreme left-hand side when a <CODE CLASS="literal"> 50ls</code> <CODE CLASS="literal"> 51-al</code> command is issued in a Unix directory. For example:</p><PRE CLASS="programlisting"> 52-rwxr--r-- 1 tom users 2014 Apr 13 14:11 access.conf </pre><P CLASS="para"> 53Windows, on the other hand, has four principal bits that it uses with any file: read-only, system, hidden, and archive. You can view these bits by right-clicking on the file and choosing the Properties menu item. You should see a dialog similar to <A CLASS="xref" HREF="ch05_03.html#ch05-76568"> 54Figure 5.6</a>.[<A CLASS="footnote" HREF="#ch05-pgfId-964268">1</a>] </p><BLOCKQUOTE CLASS="footnote"> 55<DIV CLASS="footnote"> 56<P CLASS="para"> 57<A CLASS="footnote" NAME="ch05-pgfId-964268">[1]</a> The system checkbox will probably be greyed for your file. Don't worry about that - you should still be able to see when the box is checked and when it isn't.</p></div></blockquote><H4 CLASS="figure"> 58<A CLASS="title" NAME="ch05-76568"> 59Figure 5.6: DOS and Windows file properties</a></h4><IMG CLASS="graphic" SRC="figs/sam.0506.gif" ALT="Figure 5.6"><P CLASS="para"> 60The definition of each of those bits follows:</p><DL CLASS="variablelist"> 61<DT CLASS="term">Read-only</dt><DD CLASS="listitem"> 62<P CLASS="para"> 63The file's contents can be read by a user but cannot be written to. </p></dd><DT CLASS="term">System</dt><DD CLASS="listitem"> 64<P CLASS="para"> 65This file has a specific purpose required by the operating system.</p></dd><DT CLASS="term">Hidden</dt><DD CLASS="listitem"> 66<P CLASS="para"> 67This file has been marked to be invisible to the user, unless the operating systems is explicitly set to show it.</p></dd><DT CLASS="term">Archive</dt><DD CLASS="listitem"> 68<P CLASS="para"> 69This file has been touched since the last DOS backup was performed on it.</p></dd></dl><P CLASS="para"> 70Note that there is no bit to specify that a file is executable. DOS and Windows NT filesystems identify executable files by giving them the extensions .EXE, .COM, .CMD, or .BAT.</p><P CLASS="para"> 71Consequently, there is no use for any of the three Unix executable bits that are present on a file in a Samba disk share. DOS files, however, have their own attributes that need to be preserved when they are stored in a Unix environment: the archive, system, and hidden bits. Samba can preserve these bits by reusing the executable permission bits of the file on the Unix side - if it is instructed to do so. Mapping these bits, however, has an unfortunate side-effect: if a Windows user stores a file in a Samba share, and you view it on Unix with the <CODE CLASS="literal"> 72ls</code> <CODE CLASS="literal"> 73-al</code> command, some of the executable bits won't mean what you'd expect them to.</p><P CLASS="para"> 74Three Samba options decide whether the bits are mapped: <CODE CLASS="literal"> 75map</code> <CODE CLASS="literal"> 76archive</code>, <CODE CLASS="literal"> 77map</code> <CODE CLASS="literal"> 78system</code>, and <CODE CLASS="literal"> 79map</code> <CODE CLASS="literal"> 80hidden</code>. These options map the archive, system, and hidden attributes to the owner, group, and world execute bits of the file, respectively. You can add these options to the <CODE CLASS="literal"> 81[data]</code> share, setting each of their values as follows:</p><PRE CLASS="programlisting"> 82[data] 83 path = /home/samba/data 84 browseable = yes 85 guest ok = yes 86 writeable = yes 87 map archive = yes 88 map system = yes 89 map hidden = yes</pre><P CLASS="para"> 90After that, try creating a file in the share under Unix - such as <CODE CLASS="literal"> 91hello.java</code> - and change the permissions of the file to 755. With these Samba options set, you should be able to check the permissions on the Windows side and see that each of the three values has been checked in the Properties dialog box. What about the read-only attribute? By default, Samba 2.0 sets this whenever a file does not have the Unix owner write permission bit set. In other words, you can set this bit by changing the permissions of the file to 555.</p><P CLASS="para"> 92We should warn you that the default value of the <CODE CLASS="literal"> 93map</code> <CODE CLASS="literal"> 94archive</code> option is <CODE CLASS="literal"> 95yes</code>, while the other two options have a default value of <CODE CLASS="literal"> 96no</code>. This is because many programs do not work properly if the archive bit is not stored correctly for DOS and Windows files. The system and hidden attributes, however, are not critical for a program's operation and are left to the discretion of the administrator.</p><P CLASS="para"> 97<A CLASS="xref" HREF="ch05_03.html#ch05-56404"> 98Figure 5.7</a> summarizes the Unix permission bits and illustrates how Samba maps those bits to DOS attributes. Note that the group read/write and world read/write bits do not directly translate to a DOS attribute, but they still retain their original Unix definitions on the Samba server. </p><H4 CLASS="figure"> 99<A CLASS="title" NAME="ch05-56404"> 100Figure 5.7: How Samba and Unix view the permissions of a file</a></h4><IMG CLASS="graphic" SRC="figs/sam.0507.gif" ALT="Figure 5.7"><DIV CLASS="sect2"> 101<H3 CLASS="sect2"> 102<A CLASS="title" NAME="ch05-pgfId-964095"> 1035.3.1 Creation masks</a></h3><P CLASS="para"> 104Samba has several options to help with file creation masks. File creation masks (or <I CLASS="firstterm"> 105umasks</i>) help to define the permissions a file or directory will receive at the time it is created. In Unix, this means that you can control what permissions a file or directory does not have when it is created. For files accessed from Windows, this means you can disable the read-only, archive, system, and hidden attributes of a file as well.</p><P CLASS="para"> 106For example, the <CODE CLASS="literal"> 107create</code> <CODE CLASS="literal"> 108mask</code> option will force the permissions of a file created by a Windows client to be at most 744:</p><PRE CLASS="programlisting"> 109[data] 110 path = /home/samba/data 111 browseable = yes 112 guest ok = yes 113 writeable = yes 114 create mask = 744</pre><P CLASS="para"> 115while the <CODE CLASS="literal"> 116directory</code> <CODE CLASS="literal"> 117mask</code> option shown here will force the permissions of a newly created directory to be at most 755:</p><PRE CLASS="programlisting"> 118[data] 119 path = /home/samba/data 120 browseable = yes 121 guest ok = yes 122 writeable = yes 123 directory mask = 755</pre><P CLASS="para"> 124Alternatively, you can also force various bits with the <CODE CLASS="literal"> 125force</code> <CODE CLASS="literal"> 126create</code> <CODE CLASS="literal"> 127mode</code> and <CODE CLASS="literal"> 128force</code> <CODE CLASS="literal"> 129directory</code> <CODE CLASS="literal"> 130mode</code> options. These options will perform a logical OR against the file and directory creation masks, ensuring that those bits that are specified will always be set. You would typically set these options globally in order to ensure that group and world read/write permissions have been set appropriately for new files or directories in each share.</p><P CLASS="para"> 131In the same spirit, if you wish to explicitly set the Unix user and group attributes of a file that is created on the Windows side, you can use the <CODE CLASS="literal"> 132force</code> <CODE CLASS="literal"> 133user</code> and <CODE CLASS="literal"> 134force</code> <CODE CLASS="literal"> 135group</code> options. For example:</p><PRE CLASS="programlisting"> 136[data] 137 path = /home/samba/data 138 browseable = yes 139 guest ok = yes 140 writeable = yes 141 142 create mask = 744 143 directory mask = 755 144 force user = joe 145 force group = accounting</pre><P CLASS="para"> 146These options actually assign a static Unix user and group to each connection that is made to a share. However, this occurs <EM CLASS="emphasis"> 147after</em> the client authenticates; it does not allow free access to a share. These options are frequently used for their side effects of assigning a specific user and group to each new file or directory that is created in a share. Use these options with discretion.</p><P CLASS="para"> 148Finally, one of the capabilities of Unix that DOS lacks is the ability to delete a read-only file from a writable directory. In Unix, if a directory is writable, a read-only file in that directory can still be removed. This could permit you to delete files in any of your directories, even if the file was left by someone else.</p><P CLASS="para"> 149DOS filesystems are not designed for multiple users, and so its designers decided that read-only means "protected against accidental change, including deletion," rather than "protected against some other user on a single-user machine." So the designers of DOS prohibited removal of a read-only file. Even today, Windows file systems exhibit the same behavior.</p><P CLASS="para"> 150Normally, this is harmless. Windows programs don't try to remove read-only files because they know it's a bad idea. However, a number of source-code control programs - which were first written for Unix - run on Windows and require the ability to delete read-only files. Samba permits this behavior with the <CODE CLASS="literal"> 151delete</code> <CODE CLASS="literal"> 152readonly</code> option. In order to enable this functionality, set the option to <CODE CLASS="literal"> 153yes</code>:</p><PRE CLASS="programlisting"> 154[data] 155 path = /home/samba/data 156 browseable = yes 157 guest ok = yes 158 writeable = yes 159 160 create mask = 744 161 directory mask = 755 162 force user = joe 163 force group = accounting 164 delete readonly = yes</pre></div><DIV CLASS="sect2"> 165<H3 CLASS="sect2"> 166<A CLASS="title" NAME="ch05-pgfId-964323"> 1675.3.2 File and Directory Permission Options</a></h3><P CLASS="para">The options for file and directory permissions are summarized in <A CLASS="xref" HREF="ch05_03.html#ch05-96508"> 168Table 5.5</a>; each option is then described in detail. </p><br> 169<TABLE CLASS="table" BORDER="1" CELLPADDING="3"> 170<CAPTION CLASS="table"> 171<A CLASS="title" NAME="ch05-96508"> 172Table 5.5: File and Directory Permission Options </a></caption><THEAD CLASS="thead"> 173<TR CLASS="row" VALIGN="TOP"> 174<TH CLASS="entry" ALIGN="LEFT" ROWSPAN="1" COLSPAN="1"> 175<P CLASS="para"> 176Option</p></th><TH CLASS="entry" ALIGN="LEFT" ROWSPAN="1" COLSPAN="1"> 177<P CLASS="para"> 178Parameters</p></th><TH CLASS="entry" ALIGN="LEFT" ROWSPAN="1" COLSPAN="1"> 179<P CLASS="para"> 180Function</p></th><TH CLASS="entry" ALIGN="LEFT" ROWSPAN="1" COLSPAN="1"> 181<P CLASS="para"> 182Default</p></th><TH CLASS="entry" ALIGN="LEFT" ROWSPAN="1" COLSPAN="1"> 183<P CLASS="para"> 184Scope</p></th></tr></thead><TBODY CLASS="tbody"> 185<TR CLASS="row" VALIGN="TOP"> 186<TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 187<P CLASS="para"> 188<CODE CLASS="literal"> 189map archive</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 190<P CLASS="para"> 191boolean</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 192<P CLASS="para"> 193Preserve DOS archive attribute in user execute bit (0100).</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 194<P CLASS="para"> 195<CODE CLASS="literal"> 196yes</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 197<P CLASS="para"> 198Share</p></td></tr><TR CLASS="row" VALIGN="TOP"> 199<TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 200<P CLASS="para"> 201<CODE CLASS="literal"> 202map system</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 203<P CLASS="para"> 204boolean</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 205<P CLASS="para"> 206Preserve DOS system attribute in group execute bit (0010).</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 207<P CLASS="para"> 208<CODE CLASS="literal"> 209no</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 210<P CLASS="para"> 211Share</p></td></tr><TR CLASS="row" VALIGN="TOP"> 212<TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 213<P CLASS="para"> 214<CODE CLASS="literal"> 215map hidden</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 216<P CLASS="para"> 217boolean</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 218<P CLASS="para"> 219Preserve DOS hidden attribute in world execute bit (0001).</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 220<P CLASS="para"> 221<CODE CLASS="literal"> 222no</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 223<P CLASS="para"> 224Share</p></td></tr><TR CLASS="row" VALIGN="TOP"> 225<TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 226<P CLASS="para"> 227<CODE CLASS="literal"> 228create mask (create mode)</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 229<P CLASS="para"> 230numeric</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 231<P CLASS="para"> 232Sets the maximum permissions for files created by Samba.</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 233<P CLASS="para"> 234<CODE CLASS="literal"> 2350744</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 236<P CLASS="para"> 237Share</p></td></tr><TR CLASS="row" VALIGN="TOP"> 238<TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 239<P CLASS="para"> 240<CODE CLASS="literal"> 241directory mask (directory mode)</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 242<P CLASS="para"> 243numeric</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 244<P CLASS="para"> 245Sets the maximum permissions for directories created by Samba.</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 246<P CLASS="para"> 247<CODE CLASS="literal"> 2480755</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 249<P CLASS="para"> 250Share</p></td></tr><TR CLASS="row" VALIGN="TOP"> 251<TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 252<P CLASS="para"> 253<CODE CLASS="literal"> 254force create mode</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 255<P CLASS="para"> 256numeric</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 257<P CLASS="para"> 258Forces the specified permissions (bitwise or) for directories created by Samba.</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 259<P CLASS="para"> 260<CODE CLASS="literal"> 2610000</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 262<P CLASS="para"> 263Share</p></td></tr><TR CLASS="row" VALIGN="TOP"> 264<TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 265<P CLASS="para"> 266<CODE CLASS="literal"> 267force directory mode</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 268<P CLASS="para"> 269numeric</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 270<P CLASS="para"> 271Forces the specified permissions (bitwise or) for directories created by Samba.</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 272<P CLASS="para"> 273<CODE CLASS="literal"> 2740000</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 275<P CLASS="para"> 276Share</p></td></tr><TR CLASS="row" VALIGN="TOP"> 277<TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 278<P CLASS="para"> 279<CODE CLASS="literal"> 280force group (group)</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 281<P CLASS="para"> 282string (group name)</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 283<P CLASS="para"> 284Sets the effective group for a user accessing this share.</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 285<P CLASS="para"> 286None</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 287<P CLASS="para"> 288Share</p></td></tr><TR CLASS="row" VALIGN="TOP"> 289<TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 290<P CLASS="para"> 291<CODE CLASS="literal"> 292force user</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 293<P CLASS="para"> 294string (username)</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 295<P CLASS="para"> 296Sets the effective username for a user accessing this share.</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 297<P CLASS="para"> 298None</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 299<P CLASS="para"> 300Share</p></td></tr><TR CLASS="row" VALIGN="TOP"> 301<TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 302<P CLASS="para"> 303<CODE CLASS="literal"> 304delete readonly</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 305<P CLASS="para"> 306boolean</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 307<P CLASS="para"> 308Allows a user to delete a read-only file from a writable directory.</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 309<P CLASS="para"> 310<CODE CLASS="literal"> 311no</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 312<P CLASS="para"> 313Share</p></td></tr></tbody></table><DIV CLASS="sect3"> 314<H4 CLASS="sect3"> 315<A CLASS="title" NAME="ch05-pgfId-961746"> 3165.3.2.1 create mask</a></h4><P CLASS="para"> 317The argument for this option is an octal number indicating which permission flags may be set at file creation by a client in a share. The default is 0755, which means the Unix owner can at most read, write, and optionally execute his or her own files, while members of the user's group and others can only read or execute them. If you need to change it for non-executable files, we recommend 0644, or <CODE CLASS="literal"> 318rw-r--r--</code>. Keep in mind that the execute bits may be used by the server to map certain DOS file attributes, as described earlier. If you're altering the create mask, those bits have to be part of the create mask as well.</p></div><DIV CLASS="sect3"> 319<H4 CLASS="sect3"> 320<A CLASS="title" NAME="ch05-pgfId-961749"> 3215.3.2.2 directory mask</a></h4><P CLASS="para"> 322The argument for this option is an octal number indicating which permission flags may be set at directory creation by a client in a share. The default is 0755, which allows everyone on the Unix side to at most read and traverse the directories, but allows only you to modify them. We recommend the mask 0750, removing access by world users.</p></div><DIV CLASS="sect3"> 323<H4 CLASS="sect3"> 324<A CLASS="title" NAME="ch05-pgfId-961751"> 3255.3.2.3 force create mode</a></h4><P CLASS="para"> 326This option sets the permission bits that Samba will force to be set when a file permission change is made. It's often used to force group permissions, mentioned previously. It can also be used to preset any of the DOS attributes we mentioned: archive (0100), system (0010), or hidden (0001). This option always takes effect after the <CODE CLASS="literal"> 327map</code> <CODE CLASS="literal"> 328archive</code>, <CODE CLASS="literal"> 329map</code> <CODE CLASS="literal"> 330system </code>, <CODE CLASS="literal"> 331map</code> <CODE CLASS="literal"> 332hidden</code>, and <CODE CLASS="literal"> 333create</code> <CODE CLASS="literal"> 334mask</code> options.</p><P CLASS="para"> 335Many Windows applications rename their data files to <EM CLASS="emphasis"> 336datafile.bak</em> and create new ones, thus changing their ownership and permissions so that members of the same Unix group can't edit them. Setting <CODE CLASS="literal"> 337force create mask = 0660</code> will keep the new file editable by members of the group.</p></div><DIV CLASS="sect3"> 338<H4 CLASS="sect3"> 339<A CLASS="title" NAME="ch05-pgfId-961753"> 3405.3.2.4 force directory mode</a></h4><P CLASS="para"> 341This option sets the permission bits which Samba will force when a directory permission change is made or a directory is created. It's often used to force group permissions, as mentioned previously. This option defaults to 0000, and can be used just like the <CODE CLASS="literal"> 342force</code> <CODE CLASS="literal"> 343create</code> <CODE CLASS="literal"> 344mode</code> to add group or other permissions if needed. This option always takes effect after the <CODE CLASS="literal"> 345map</code> <CODE CLASS="literal"> 346archive</code>, <CODE CLASS="literal"> 347map</code> <CODE CLASS="literal"> 348system</code>, <CODE CLASS="literal"> 349map</code> <CODE CLASS="literal"> 350hidden</code>, and <CODE CLASS="literal"> 351directory</code> <CODE CLASS="literal"> 352mask</code> options.</p></div><DIV CLASS="sect3"> 353<H4 CLASS="sect3"> 354<A CLASS="title" NAME="ch05-pgfId-961755"> 3555.3.2.5 force group</a></h4><P CLASS="para"> 356This option, sometimes called <CODE CLASS="literal"> 357group</code>, assigns a static group ID that will be used on all connections to a service after the client has successfully authenticated. This assigns a specific group to each new file or directory created from an SMB client.</p></div><DIV CLASS="sect3"> 358<H4 CLASS="sect3"> 359<A CLASS="title" NAME="ch05-pgfId-961757"> 3605.3.2.6 force user</a></h4><P CLASS="para"> 361The <CODE CLASS="literal"> 362force</code> <CODE CLASS="literal"> 363user</code> option assigns a static user ID that will be used on all connections to a service after the client has successfully authenticated. This assigns a specific user to each new file or directory created from an SMB client.</p></div><DIV CLASS="sect3"> 364<H4 CLASS="sect3"> 365<A CLASS="title" NAME="ch05-pgfId-961759"> 3665.3.2.7 delete readonly</a></h4><P CLASS="para">This option allows a user to delete a directory containing a read-only file. By default, DOS and Windows will not allow such an operation. You probably will want to leave this option turned off unless a program needs this capability; many Windows users would be appalled to find that they'd accidentally deleted a file which they had set read-only. In fact, even the Unix <CODE CLASS="literal"> 367rm</code> command will ask users if they really want to override the protection and delete read-only files. It's a good idea to have Samba be at least as cautious. </p></div><DIV CLASS="sect3"> 368<H4 CLASS="sect3"> 369<A CLASS="title" NAME="ch05-pgfId-961826"> 3705.3.2.8 map archive</a></h4><P CLASS="para"> 371The DOS archive bit is used to flag a file that has been changed since it was last archived (e.g., backed up with the DOS archive program.) Setting the Samba option <CODE CLASS="literal"> 372map</code> <CODE CLASS="literal"> 373archive</code> <CODE CLASS="literal"> 374=</code> <CODE CLASS="literal"> 375yes</code> causes the DOS archive flag to be mapped to the Unix execute-by-owner (0100) bit. It's best to leave this option on if your Windows users are doing their own backups, or are using programs that require the archive bit. Unix lacks the notion of an archive bit entirely. Backup programs typically keep a file that lists what files were backed up on what date, so comparing file modification dates serves the same purpose.</p><P CLASS="para"> 376Setting this option to <CODE CLASS="literal"> 377yes</code> causes an occasional surprise on Unix when a user notices that a data file is marked as executable, but rarely causes harm. If a user tries to run it, he or she will normally get a string of error messages as the shell tries to execute the first few lines as commands. The reverse is also possible; an executable Unix program looks like it hasn't been backed up recently on Windows. But again, this is rare, and is usually harmless. </p></div><DIV CLASS="sect3"> 378<H4 CLASS="sect3"> 379<A CLASS="title" NAME="ch05-pgfId-961836"> 3805.3.2.9 map system</a></h4><P CLASS="para"> 381The DOS system attribute is used to indicate files that are required by the operating system, and should not be deleted, renamed, or moved without special effort. Set this option only if you need to store Windows system files on the Unix file server. Executable Unix programs will appear to be non-removable special Windows files when viewed from Windows clients. This may prove mildly inconvenient if you want to move or remove one. For most sites, however, this is fairly harmless.</p></div><DIV CLASS="sect3"> 382<H4 CLASS="sect3"> 383<A CLASS="title" NAME="ch05-pgfId-961845"> 3845.3.2.10 map hidden</a></h4><P CLASS="para">DOS uses the hidden attribute to indicate that a file should not ordinarily be visible in directory listings. Unix doesn't have such a facility; it's up to individual programs (notably the shell) to decide what to display and what not to display. Normally, you won't have any DOS files that need to be hidden, so the best thing to do is to leave this option turned off.</p><P CLASS="para"> 385Setting this option to <CODE CLASS="literal"> 386yes</code> causes the server to map the hidden flag onto the executable-by-others bit (0001). This feature can produce a rather startling effect. Any Unix program that is executable by world seems to vanish when you look for it from a Windows client. If this option is not set, however, and a Windows user attempts to mark a file hidden on a Samba share, it will not work - Samba has no place to store the hidden attribute! </p></div></div></div></blockquote> 387<div> 388<center> 389<hr noshade size=1><TABLE WIDTH="515" BORDER="0" CELLSPACING="0" CELLPADDING="0"> 390<TR> 391<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="172"> 392<A CLASS="sect1" HREF="ch05_02.html" TITLE="5.2 Filesystem Differences"> 393<IMG SRC="gifs/txtpreva.gif" ALT="Previous: 5.2 Filesystem Differences" BORDER="0"></a></td><TD ALIGN="CENTER" VALIGN="TOP" WIDTH="171"> 394<A CLASS="book" HREF="index.html" TITLE=""> 395<IMG SRC="gifs/txthome.gif" ALT="" BORDER="0"></a></td><TD ALIGN="RIGHT" VALIGN="TOP" WIDTH="172"> 396<A CLASS="sect1" HREF="ch05_04.html" TITLE="5.4 Name Mangling and Case"> 397<IMG SRC="gifs/txtnexta.gif" ALT="Next: 5.4 Name Mangling and Case" BORDER="0"></a></td></tr><TR> 398<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="172"> 3995.2 Filesystem Differences</td><TD ALIGN="CENTER" VALIGN="TOP" WIDTH="171"> 400<A CLASS="index" HREF="inx.html" TITLE="Book Index"> 401<IMG SRC="gifs/index.gif" ALT="Book Index" BORDER="0"></a></td><TD ALIGN="RIGHT" VALIGN="TOP" WIDTH="172"> 4025.4 Name Mangling and Case</td></tr></table><hr noshade size=1></center> 403</div> 404 405<!-- End of sample chapter --> 406<CENTER> 407<FONT SIZE="1" FACE="Verdana, Arial, Helvetica"> 408<A HREF="http://www.oreilly.com/"> 409<B>O'Reilly Home</B></A> <B> | </B> 410<A HREF="http://www.oreilly.com/sales/bookstores"> 411<B>O'Reilly Bookstores</B></A> <B> | </B> 412<A HREF="http://www.oreilly.com/order_new/"> 413<B>How to Order</B></A> <B> | </B> 414<A HREF="http://www.oreilly.com/oreilly/contact.html"> 415<B>O'Reilly Contacts<BR></B></A> 416<A HREF="http://www.oreilly.com/international/"> 417<B>International</B></A> <B> | </B> 418<A HREF="http://www.oreilly.com/oreilly/about.html"> 419<B>About O'Reilly</B></A> <B> | </B> 420<A HREF="http://www.oreilly.com/affiliates.html"> 421<B>Affiliated Companies</B></A><p> 422<EM>© 1999, O'Reilly & Associates, Inc.</EM> 423</FONT> 424</CENTER> 425</BODY> 426</html> 427
