Linux and CIFS files permissions

Since I spend almost every day working with the Azure Cloud, these days I’ve been playing around with the Azure File Share and Linux.

One of the first things I found out while reading up on this is that the most common questions people have about SMB/CIFS concern permissions and permanence of the mount.

If you ever followed (I did) the guide in, after the part about hiding your credentials, you probably noticed the command used to add your mount to /etc/fstab at step 5:

sudo bash -c 'echo "//<storage-account-name><share-name> <mount-point> cifs nofail,vers=<smb-version>,credentials=/etc/smbcredentials/<storage-account-name>.cred,dir_mode=0777,file_mode=0777,serverino" >> /etc/fstab'

By using the parameters “dir_mode=0777,file_mode=0777”, you are basically allowing everyone logged in to write files there.

And most likely, like I did, you tried to change the ownership and permissions on the mount point:

sudo chown username:group -R /mysambashare
sudo chmod 770 -R /mysambashare

Guess what … nothing happened.

No error whatsoever, but the permissions and ownership remained unchanged.

So I went back to the man pages, wikis and all available search engines... and found:

  • File permissions on CIFS filesystems cannot be changed after mounting. The command to change the permissions will run and report no error, but it will make no actual change.
  • The permissions can be set only during the mount process. The permissions will not be saved to the files! (Unmount the share and mount it back with different permissions, and you will see the new permissions on the files too.)
  • If you mount the same share on another server with different permissions, those permissions will be valid too, at least as long as the share is mounted.

Therefore, if you want your files to be accessible only to a specific user from a specific group, the above mount command should look like:

sudo bash -c 'echo "//<storage-account-name><share-name> <mount-point> cifs nofail,vers=<smb-version>,credentials=/etc/smbcredentials/<storage-account-name>.cred,uid=<userID>,gid=<groupID>,dir_mode=0770,file_mode=0770,serverino" >> /etc/fstab'

To find out the uid and gid values, just type:

$ id username


$ id azureuser
uid=1000(azureuser) gid=1000(azureuser) groups=1000(azureuser),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(lxd),114(netdev)

So, if I want a mount that only azureuser and its primary group (in this case also named azureuser) can access, the command to add the entry to /etc/fstab should look like:

sudo bash -c 'echo "//<storage-account-name><share-name> <mount-point> cifs nofail,vers=<smb-version>,credentials=/etc/smbcredentials/<storage-account-name>.cred,uid=1000,gid=1000,dir_mode=0770,file_mode=0770,serverino" >> /etc/fstab'

If you need other accounts to have access to the same share, it’s enough to add the new accounts to the “azureuser” group:

$ sudo usermod -a -G azureuser new_account_name_here
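To check an existing fstab for the difference between the two entries above (0777 with no owner versus uid/gid with 0770), here is an added example that is not part of the original post. The function name audit_cifs_fstab and the sample entries (files.example, /mnt/open, /mnt/team) are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list CIFS entries in an
# fstab-format file whose options do not restrict the mount to one user/group.
# Reads the file named in $1, or stdin when no argument is given.
# Returns 1 if anything was reported, 0 otherwise.
audit_cifs_fstab() {
    awk '
    function report(mp, msg) { printf "%s: %s\n", mp, msg; found++ }
    function check_mode(mp, name, mode) {
        if (mode == "")
            report(mp, name " is not set")
        else if (substr(mode, length(mode)) != "0")   # last octal digit = "other" bits
            report(mp, name "=" mode " gives every local user access")
    }
    $1 ~ /^#/ || NF < 4 || $3 != "cifs" { next }      # comments, short lines, non-CIFS
    {
        dir = file = uid = gid = ""
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            split(opt[i], kv, "=")
            if (kv[1] == "dir_mode")  dir  = kv[2]
            if (kv[1] == "file_mode") file = kv[2]
            if (kv[1] == "uid")       uid  = kv[2]
            if (kv[1] == "gid")       gid  = kv[2]
        }
        check_mode($2, "dir_mode", dir)
        check_mode($2, "file_mode", file)
        if (uid == "" || gid == "")
            report($2, "uid= and gid= are not both set")
    }
    END { exit (found > 0) }
    ' "${1:--}"
}

# Constructed sample entries (server, share and mount-point names are made up).
audit_cifs_fstab <<'EOF' || echo "review the entries listed above"
//files.example/open /mnt/open cifs nofail,credentials=/etc/smbcredentials/a.cred,dir_mode=0777,file_mode=0777,serverino 0 0
//files.example/team /mnt/team cifs nofail,credentials=/etc/smbcredentials/a.cred,uid=1000,gid=1000,dir_mode=0770,file_mode=0770,serverino 0 0
EOF
```

Run it against the real file with `audit_cifs_fstab /etc/fstab`; the non-zero return value makes it usable as a check in a provisioning script.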

This is by design, and there is nothing we can do to change it.

The behavior is caused by the way the CIFS implementation is done in Linux. Please take into account that CIFS is basically a hybrid way to connect to Windows Shares from Linux machines. The permissions on files are handled differently on the 2 systems.

As far as I’m aware, the CIFS developers (an open source community) have no intention of changing this in the CIFS implementation.

Links to official CIFS page and documentation:

Marin Nedea