Operating System - OpenVMS

CIFS 1.1 ECO 1 PS006 default file permissions issue

Rodman S. Regier
Occasional Advisor

Since upgrading to ECO1 PS006, we are encountering problems successfully
deleting or renaming files on CIFS shares. This is apparently due to PS006 enforcing
permission defaults unenforced by prior patch levels (PS002 specifically).

We would like to be able to create files from the Windows side
of a CIFS share that have the G:D OpenVMS permission enabled.
(Presuming that is the issue).

CIFS 1.1 ECO 1 PS006 release notes mention:

8. Allow ability to correctly set DELETE permission for owner/group/world
protection from Windows.

Alas, it does not mention the "knob" for controlling this behaviour
(presumably as an SMB.CONF parameter).

Jeremy Begg
Trusted Contributor

Re: CIFS 1.1 ECO 1 PS006 default file permissions issue

Hi Rodman,

We were running CIFS V1.1 with a few problems but all under control. We then installed ECO1 and it would be difficult to say this was a positive move.

Last week I installed PS006 and most of our problems have been fixed, but we did notice that there were a few issues with file protections.

CIFS engineering reckon that a directory with a DEFAULT_PROTECTION ACE will ensure that files created by Windows clients will get the desired protection, but our experience is that this is not correct. Instead we're using an ACE of the form
which does what we need. (We used to have them all over the place, but ECO1 couldn't cope with them and we put the DEFAULT_PROTECTION ACEs on instead. Now PS006 doesn't seem to respect *them*!)

They also suggested we could use a combination of 'force create mode' and 'force security mode' to ensure created files get the desired protection. This seems to be working well for our [homes] shares.

Note that one of the significant changes introduced in PS006 concerns DELETE access to files. Previously, the 'create mode' setting (and variants thereof) tied DELETE access to the 'WRITE' bit, i.e. if you enabled WRITE access you also enabled DELETE access. In PS006 they've separated the two, and you have to specify DELETE access separately. The 'create mode' setting now has this significance:

create mode = 0dogw

'd' = DELETE access (see below)
'o' = OWNER access
'g' = GROUP access
'w' = WORLD access

The DELETE access is a bitmask with the following values:

4 = OWNER can delete
2 = GROUP can delete
1 = WORLD can delete

So if you want (S:RWED,O:RWED,G:R,W:R) you would set

create mode = 04744

We also noticed that sometimes the protection assigned to a file was not quite as intended, and in some cases would 'flip' between two states each time a file was saved. We have since learned that a bug has been discovered in the processing of the mask values, and that this should be fixed in PS007.

Jeremy Begg
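
The 'create mode = 0dogw' layout described in the reply above, as an added example that is not part of the original thread and not HP's code: a small checker that decodes a value into the owner/group/world protection it grants and encodes a wanted protection back into a value. It assumes the usual r/w/x to R/W/E mapping for the o, g and w digits, assumes a value written without the 'd' digit is read as d = 0, and leaves SYSTEM access out because the post does not say how it is derived; the function names are hypothetical.

```python
import re

CLASSES = ("O", "G", "W")                  # order of the 'o', 'g', 'w' digits
DELETE_BIT = {"O": 4, "G": 2, "W": 1}      # 'd' digit bitmask, as given in the post
RWE_BITS = (("R", 4), ("W", 2), ("E", 1))  # assumption: r/w/x bits map to R/W/E


def decode_create_mode(mode, ps006=True):
    """Return e.g. 'O:RWED,G:R,W:R' for a 'create mode' value such as '04744'."""
    if not re.fullmatch(r"0?[0-7]{4}", mode):
        raise ValueError(f"expected octal digits in the form 0dogw, got {mode!r}")
    d, *ogw = (int(c) for c in mode[-4:])
    parts = []
    for cls, digit in zip(CLASSES, ogw):
        access = "".join(letter for letter, bit in RWE_BITS if digit & bit)
        if ps006:
            can_delete = bool(d & DELETE_BIT[cls])  # DELETE set only by the 'd' digit
        else:
            can_delete = bool(digit & 2)            # before PS006: DELETE follows WRITE
        parts.append(f"{cls}:{access}{'D' if can_delete else ''}")
    return ",".join(parts)


def encode_create_mode(protection):
    """Build the PS006 'create mode' value from e.g. 'O:RWED,G:R,W:R'."""
    want = dict(p.split(":") for p in protection.upper().split(","))
    d, digits = 0, ""
    for cls in CLASSES:                             # any S: entry is ignored
        access = want.get(cls, "")
        digits += str(sum(bit for letter, bit in RWE_BITS if letter in access))
        if "D" in access:
            d |= DELETE_BIT[cls]
    return f"0{d}{digits}"


if __name__ == "__main__":
    # Constructed sample values; 04744 is the one quoted in the post.
    for value in ("04744", "0744", "06770"):
        print(value, "PS006:", decode_create_mode(value),
              "| pre-PS006:", decode_create_mode(value, ps006=False))
    print(encode_create_mode("S:RWED,O:RWED,G:R,W:R"))
```

Under these assumptions a value carried over unchanged from before PS006, such as 0744, decodes with no DELETE access for anyone, which is consistent with the delete and rename failures reported in the first post.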