Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Issues wit ACLs

Featured Replies

I come from Synology, where I never had any issues with ACLs on SMB shares, so I don't really know the steps to resolve this problem.

 

Background:

I use a shared folder, which I access from my Windows 10 machine via SMB. I created one shared folder, named "Downloads" which is - as the name suggests - used for downloads. With archive files I run into issues, where I sometimes don't have the permission to extract, delete and execute a file or folder.

 

 

Example:

  1. I download this archive (https://cdn2.minitool.com/?p=pw&e=pwfree-64bit-portable) to the Downloads shared folder.
  2. With 7-Zip I right click it > extract to "pwfree-64bit-portable".
  3. The contents of the archive get extracted, except for one file. The error message says: "Cannot open output file: Permission denied : F:\pwfree-64bit-portable\partitionwizard.exe".

 

This file can be extracted to the same path where the zip archive is though. It's one of those files that can only be executed with an administrator account.

 

With other archives, I experienced the problem that I couldn't delete the archive files. Windows Explorer made it look like the file was deleted, but when I refreshed the folder, it was back again. The only way I could delete it was via shell.

 

Is there a solution to fix such issues for good? I don't wanna use the shell all the time, just because I can't do it in Windows.

Solved by Vexz

  • Community Expert

unraid uses nobody:users and 777 file permission.
Please stop all docker and run the tool > docker safe permission
this will set the chow and chmod for all files and folders...

You will need to set
 

chown nobody:users -R /mnt/users/*
chmod 777 -R /mnt/users/*


in samba this can be fixed by adding extra data per sahre as a file can be set to be fored to write as a user and gorup and/with creationing chomd permissions...

example share:
 

[Backups]
    browseable = yes
    case sensitive = Auto
    comment = ZFS Backup Core Services
    force group = users
    force user = nobody
    path = /mnt/user/Backups
    read only = No
    vfs objects = catia fruit streams_xattr
    fruit:encoding = native
    directory mask = 0777
    force directory mode = 0777
    create mask = 0777
    force create mode = 0777


is a share you can make by adding this to the smb extra setting with the array off
image.png.74dfc6facc18dd3301caee956920d824.png

That the offical way... If you conmfatlbe with editing samba and making your own config you can use a user script to acomplish this...

by stoping samba, removing the smb config and replacing it with one you make on the flash drive. and starting samba...
 

Edited by bmartino1
fix smaba share info for createmod, force user and directory mode for file access.

  • Community Expert

you can review:

on making you own smb config.


 

  • Author
11 hours ago, bmartino1 said:

unraid uses nobody:users and 777 file permission.
Please stop all docker and run the tool > docker safe permission
this will set the chow and chmod for all files and folders...

You will need to set
 

chown nobody:users -R /mnt/users/*
chmod 777 -R /mnt/users/*

 

Hmm, it has nothing to do with Docker in this case. On unRAID in the Tools menu I used the "New Permissions" tool to fix the permissions for the Downloads shared folder. It sets these permissions, but this sadly didn't help. 

 

11 hours ago, bmartino1 said:

in samba this can be fixed by adding extra data per sahre as a file can be set to be fored to write as a user and gorup and/with creationing chomd permissions...

example share:
 

[Backups]
    browseable = yes
    case sensitive = Auto
    comment = ZFS Backup Core Services
    force group = users
    force user = nobody
    path = /mnt/user/Backups
    read only = No
    vfs objects = catia fruit streams_xattr
    fruit:encoding = native
    directory mask = 0777
    force directory mode = 0777
    create mask = 0777
    force create mode = 0777


is a share you can make by adding this to the smb extra setting with the array off
image.png.74dfc6facc18dd3301caee956920d824.png

That the offical way... If you conmfatlbe with editing samba and making your own config you can use a user script to acomplish this...

by stoping samba, removing the smb config and replacing it with one you make on the flash drive. and starting samba...
 

Interesting. Thanks for the hint, I'll look into that later and report.

  • Author

Partial success.

 

I used your SMB configuration template and changed it a little to my liking.

[Global]
    browseable = yes
    case sensitive = auto
    force group = users
    force user = nobody
    path = /mnt/user
    comment =
    writable = yes
    read only = no
    guest ok = no
    vfs objects =
    directory mask = 0777
    force directory mode = 0777
    create mask = 0777
    force create mode = 0777

 

Extracting the archive with 7-Zip still fails, but I at least can delete the extracted folder. I tried PeaZIP instead of 7-Zip, just to test. With its smart extract feature I could extract the contents of the archive just fine. But now I have the ZIP archive, the Peazip setup EXE file and a partitionwizard.exe (the one that is the issue here) from another test, that I extracted from the ZIP archive after I applied the SMB configuration, that I can't delete via SMB now.

 

-rw-rw-rw- 1 nobody users   449776 Dec  2 12:25 partitionwizard.exe
-rwxrwxrwx 1 nobody users  9931824 Jan 22 07:17 peazip-10.2.0.WIN64.exe*
-rw-rw-rw- 1 nobody users 58597737 Jan 22 07:11 pwfree-64bit-portable.zip

 

I really don't get why the partitionwizard.exe and the pwfree-64bit-portable.zip just have rw-rw-rw- permissions. Also I don't get, why I can't delete any of these files via SMB. But I'd be more curious to know how not to run into such problems anymore.

 

Maybe @bmartino1 or someone else knows a way? Help is appreciated.

 

Edited by Vexz

  • Community Expert

for acl there is a difference for share permissions vs Unix permissions. you're seeing the UNIX permissions.
*You should relay keep the apple vfs objects... they are needed for smb...

You now need to run the chown and chomd to fix this. There are other smb options to map and use windows attributes...
 

chown nobody:users -R /mnt/users/
chmod 777 -R /mnt/users/

as then moving forward, samba will read write and use Unix 777 nobody:users...

your fighting unix inheriting permissions...

  • Author
8 hours ago, bmartino1 said:

*You should relay keep the apple vfs objects... they are needed for smb...

Hm, I'm not so sure about that, unless there's a specific reason unRAID needs this. The default value for "vfs objects =" is in fact just "vfs objects =" according to samba.org (https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#vfsobjects).

 

8 hours ago, bmartino1 said:

You now need to run the chown and chomd to fix this. There are other smb options to map and use windows attributes...
 

chown nobody:users -R /mnt/users/
chmod 777 -R /mnt/users/

as then moving forward, samba will read write and use Unix 777 nobody:users...

your fighting unix inheriting permissions...

As mentioned in one of my previous posts (https://forums.unraid.net/topic/185441-issues-wit-acls/#findComment-1515142) I ran unRAID's "New Permissions" tool, which fixes these permissions and ownerships recursively and I can confirm that the permissions are set correctly with "ls -l" from the shell. Still I run into issues like in my original post.

 

If you run a Windows machine, you could download the ZIP archive I linked in the original post and then follow these steps to see if it's the same for you:

  1. Download the ZIP directly on one of your SMB shares.
  2. Access that SMB share with Windows Explorer.
  3. Extract that ZIP file with 7-Zip. --> Extracting the "partitionwizard.exe" fails during this process with 7-Zip, but with PeaZIP it surprisingly works.
  4. If you successfully extracted the archive, run the "partitionwizard.exe".
  5. Close the Partition Wizard software.
  6. Now try to delete the extracted folder and ZIP file, it doesn't work (at least for me).

The permissions are unexpectedly "rw-rw-rw-" for both the ZIP and the folder. Yes, I could run the "New Permissions" fix tool to fix the permissions and then delete the files or just use the shell, but that is exactly what I should not have to do with these SMB.conf overrides.

  • Community Expert

if for instance you have a docker that sets it own permission for file access with a user form its container and run the new perm tool to set 777 nobody:user then the docker while override and not allow the acl to write this is similar with any service. the service should be stopped or off for the permission to apply... again there is a difference between share permission and Unix permissions... 

otherwise, you have set the proper windows / Unix share permission and windows has set that as a file permission for that executable.

at the very min vfs object for  acl_xatrib ...

per example...

    path = /mnt/user
    browseable = yes
    writable = yes
    read only = no
    guest ok = no
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    create mask = 0770
    directory mask = 0770
    force create mode = 0660
    force directory mode = 0770

 

  • Author
4 hours ago, bmartino1 said:

if for instance you have a docker that sets it own permission for file access with a user form its container and run the new perm tool to set 777 nobody:user then the docker while override and not allow the acl to write this is similar with any service. the service should be stopped or off for the permission to apply... again there is a difference between share permission and Unix permissions... 

otherwise, you have set the proper windows / Unix share permission and windows has set that as a file permission for that executable.

at the very min vfs object for  acl_xatrib ...

per example...

    path = /mnt/user
    browseable = yes
    writable = yes
    read only = no
    guest ok = no
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    create mask = 0770
    directory mask = 0770
    force create mode = 0660
    force directory mode = 0770

 

Now I added "vfs objects = acl_xattr" and "map acl inherit = yes". With PeaZip when I try to extract the archive it immediately gets deleted as soon as its done. With 7-Zip it's the same old behavior.

 

For some strange reason I can do everything directly in "/mnt/user/Downloads" but I only have read permissions for subfolders and files in subfolders (talking about Windows ACLs here). I can't set Windows ACLs, because when I try to apply my changes, it always says "permission denied".

 

Man, I feel like I've put hours into solving this problem and it won't just work. It's so frustrating.

Edited by Vexz

  • Community Expert

at this point its not unraid/linux side:

if running as 
directory mask = 0777 force directory mode = 0777 create mask = 0777 force create mode = 0777

anything samba is touching is full read write accesss.

What if you run the application ex 7zip as administrator. I wonder if this is a recent issue with lattest windows and how its handling share settings.

 

Edited by bmartino1
Typo

  • Community Expert

breakdown on smb options:

 

[Share]
    path = /mnt/user
    browseable = yes
    writable = yes
    read only = no
    guest ok = no
    force user = nobody
    force group = users
    create mask = 0777
    directory mask = 0777
    force create mode = 0777
    force directory mode = 0777
    inherit permissions = yes
    inherit acls = yes
    map archive = no
    vfs objects = acl_xattr

 

Explanation of Key Options

create mask and directory mask:

These ensure that files and directories are created with 777 permissions unless overridden by other settings.

force create mode and force directory mode:

These settings enforce specific permission bits (e.g., 777) regardless of what the client specifies.

inherit permissions:

Ensures new files and directories inherit the permissions of the parent directory.

inherit acls:

Makes sure new files and directories inherit ACLs from the parent directory.

force user and force group:

Ensures all files are owned by the specified user (nobody) and group (users).

map archive = no:

Prevents the archive attribute from interfering with permission enforcement.

vfs objects = acl_xattr:

Enables advanced permission handling and ensures compatibility with Windows ACLs.

so if your having isseus with the share its client side at that point...

  • Author

This is my configuration right now:

[Global]
    browseable = yes
    case sensitive = auto
    force group = users
    force user = nobody
    path = /mnt/user
    comment =
    writable = yes
    read only = no
    guest ok = no
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    directory mask = 0777
    force directory mode = 0777
    create mask = 0777
    force create mode = 0777

 

I think the biggest problem is that I can't change Windows ACLs because of missing permissions to do that. I really don't know what to do about that.

 

Edit:

It's NOT Windows ACLs. As soon as I "chmod -R 777 <Subfolder of /mnt/user/Downloads>" I can delete the files inside that subfolder and the subfolder itself.

 

Edited by Vexz

  • Author
  • Solution

Anyway, I ran some commands on the CLI which was another step in the right direction:

 

chown -R nobody /mnt/user/Downloads

chgrp users /mnt/user/Downloads

chmod g+s /mnt/user/Downloads

setfacl -d -m u::rwx /mnt/user/Downloads
setfacl -d -m g::rwx /mnt/user/Downloads
setfacl -d -m o::rwx /mnt/user/Downloads

 

At least the files in the subfolders get rw-rw-rw- permissions now, and I can do with them whatever I want. The only thing that still causes problems is the thing when I extract files from an archive.

 

Thanks for the help and taking the time @bmartino1. You helped me quite a bit here. :)

 

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.