Search code examples
javalinuxsamba

Is Java fully compatible when checking permissions on a samba mount?

I'm using

Files.isWritable(file)

in my Java application to check if I have permissions to modify file before modifying it.

This usually works okay but I had a customer complaining that although he had give full permission to his files it still wasn't working. The customers setup consisted of a remote linux drive mounted with Samba to his Windows machine, and my software was running on the Windows machine.

It turned out he had given full permissions to the folder and files for a particular user, but not the users group or anybody else on linux.

If he changed permissions on linux from 700 to 777 then it worked but I'm not sure that he should have to do that? windows permissions linux permissions

Is there a problem with Java when checking permissions on a samba mount

Solution

  • It depends.

    The access control mechanisms on UNIX and Windows have traditionally been different. Previously, as with samba3, you had a rather crude mapping between those permissions, which worked in the simpler cases, but had problems in the more difficult ones. You can find numerous tutorials, forum posts and mailing lists dealing with those special cases.

    Nowadays, things have gotten better, as there are Access Control Lists in NFSv4 style. The advantages are several:

    • It is like an interface: You have the same permission "ideas" for different systems and they implement their own file system dependent details, meaning you (or Java) just have to work with the high-level stuff.
    • It is much more flexible than the old basic UNIX permissions, incorporating things like create new file or create new subdirectory, detailed inheritance for files and/or directories, or deny and allow rules in combination.
    • Despite the name, it works not only with NFS version 4, but also with current Windows permissions, Solaris 10/illumos CIFS implementation on ZFS and samba4 on Linux systems (I believe).

    You normally use ACLFileAttributeView as stated in the short example:

     // lookup "joe"
 UserPrincipal joe = file.getFileSystem().getUserPrincipalLookupService()
     .lookupPrincipalByName("joe");

 // get view
 AclFileAttributeView view = Files.getFileAttributeView(file, AclFileAttributeView.class);

 // create ACE to give "joe" read access
 AclEntry entry = AclEntry.newBuilder()
     .setType(AclEntryType.ALLOW)
     .setPrincipal(joe)
     .setPermissions(AclEntryPermission.READ_DATA, AclEntryPermission.READ_ATTRIBUTES)
     .build();

 // read ACL, insert ACE, re-write ACL
 List<AclEntry> acl = view.getAcl();
 acl.add(0, entry);   // insert before any DENY entries
 view.setAcl(acl);

    In your case it would be sufficient to query the view from the second step for the permissions you like to examine. For a detailed overview, I like to use this documentation from Oracle - while the examples are from chmod, the permissions themselves are the same in Java (but there also exists the shorter JavaDoc for them, AclEntryPermission Enums).