Jeremy, did you get a chance to look at this? Can you please pass your comments on this?
Thanks
Suresh

-----Original Message-----
From: Volker Lendecke [mailto:volker.lende...@sernet.de]
Sent: Monday, October 18, 2010 1:16 PM
To: Kandukuru, Suresh
Cc: j...@samba.org
Subject: Re: [Samba] Restricting samba subfolder acl changes to admin users

On Mon, Oct 18, 2010 at 12:12:55AM -0400, suresh.kanduk...@emc.com wrote:
> Thanks Jeremy and Volker. Clarified some of the points. Still a little bit of
> confusion for me.
> So, in summary, a user can change ACL if he has write access on the share
> and the ownership on subfolders / files inside it.
>
> Here is my test.
>
> 1) created share "test", given write access to it for "admin", "user1" users.
>
> 2) connected to share with admin user and created sub folder "test_subfldr"
> in it, and given read access to user1 user.
>
> output of getfacl
> ------------
> r...@storage:/mnt/soho_storage/samba/shares/SP0/test# getfacl test_subfldr/
> # file: test_subfldr/
> # owner: admin
> # group: users
> user::rwx
> user:user1:r-x
> group::rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:user1:r-x
> default:group::---
> default:mask::rwx
> default:other::---
>
> r...@storage:/mnt/soho_storage/samba/shares/SP0/test#
> ------------------
> 4) connected to test share with user1, could not write into test_subfldr,
> and user1 has changed acl settings on test_subfldr to write access.
> Why is Samba allowing this? Though user1 has write access to share, he is
> not the owner of test_subfldr/ (admin is the owner for this). user1
> effectively has read access on the test_subfldr.

This might actually be a bug. Maybe Samba believes the user has write
permissions due to the group having the w permission? Which group is
the user a member of?

Jeremy, can this be a mis-mapping of Posix permissions to NTFS ACLs
in the "dos filemode" permission check?

Volker
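Added example, not part of the thread and not Samba's code: the POSIX ACL evaluation order applied to the access entries of the getfacl output quoted above, next to a hypothetical check that ORs the user and group entries together, to show how the group's w bit could surface for user1. The function names are made up for illustration, and user1's membership of "users" is an assumption, since the thread does not say which groups user1 is in.

```python
# Access entries from the getfacl output quoted in the thread (default: entries omitted).
GETFACL = """\
# file: test_subfldr/
# owner: admin
# group: users
user::rwx
user:user1:r-x
group::rwx
mask::rwx
other::rwx
"""

def parse_acl(text):
    """Return (owner, owning_group, [(tag, qualifier, perms), ...])."""
    meta, entries = {}, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# ") and ": " in line:
            key, value = line[2:].split(": ", 1)
            meta[key] = value
        elif line and not line.startswith(("#", "default:")):
            tag, qualifier, perms = line.split(":")[:3]
            entries.append((tag, qualifier, set(perms) - {"-"}))
    return meta["owner"], meta["group"], entries

def posix_allows(text, user, groups, want):
    """POSIX.1e order: owner, named user, groups, other. The first class that matches decides."""
    owner, owning_group, entries = parse_acl(text)
    mask = next((p for t, _, p in entries if t == "mask"), set("rwx"))
    if user == owner:
        return want in next(p for t, q, p in entries if t == "user" and not q)
    for t, q, p in entries:
        if t == "user" and q == user:
            return want in (p & mask)  # named user entry decides; groups are never consulted
    matched = [p & mask for t, q, p in entries
               if t == "group" and (q or owning_group) in groups]
    if matched:
        return any(want in p for p in matched)
    return want in next(p for t, _, p in entries if t == "other")

def union_allows(text, user, groups, want):
    """Hypothetical mis-mapping for contrast: OR every entry naming the user or one of its groups."""
    _, owning_group, entries = parse_acl(text)
    return any(want in p for t, q, p in entries
               if (t == "user" and q == user)
               or (t == "group" and (q or owning_group) in groups))

if __name__ == "__main__":
    # Assumption: user1 is a member of "users" (not stated in the thread).
    for check in (posix_allows, union_allows):
        print(check.__name__, "user1 write:", check(GETFACL, "user1", {"users"}, "w"))
```

Under the POSIX order the named entry user:user1:r-x decides and write is refused, which matches user1 being unable to write into test_subfldr; only the union-style check lets group::rwx through.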