On Fri, Oct 15, 2010 at 09:28:30AM -0400, [email protected] wrote:
> why it does not matter here if user1 is owner of the
> subfolder and has read only access on it?.
> my Q is though user1 has read only access on subfolder
> "testsubfldr", he is able to change it to the write ,
> since user1 has write access on the share.
> cannot samba disallow acl changes on the subfolder
> "testsufldr" for the user user1 since has read access
> for it , though he has write access on the share?.

Sorry, I'm lost here. Samba passes the Posix semantics of chmod and setfacl 1:1 to the client. This means if you are owner of the file and have general write access to the share (not necessarily the file itself), chmod and getfacl are allowed. This is just what Posix does. Quoting the susv3 definition for chmod:

> The application shall ensure that the effective user ID of
> the process matches the owner of the file or the process
> has appropriate privileges in order to do this.

This means that both the file owner or root can change an ACL.

To really understand what you mean, would it be possible that you send your smb.conf file, an "ls -la" of all subdirectories that participate?

If you really only want to allow setting ACLs for a very limited set of users, one possibility would be to export the same share twice. Once for administrators with an appropriate "valid users = @administrators" (or so) line, and another share with exactly the same path setting, but with "nt acl support = no". This is a very brute-force way of denying all ACL setting. As I tried to point out in previous mails, I would however recommend to thoroughly test this setting with the applications you want to support.

Jeremy, maybe you can be of more help? My English is probably just too limited to really give a precise enough description of how smbd does what it does.

Thanks,

Volker
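The two-share arrangement suggested in the reply above, written out as an smb.conf sketch. This is an added example, not configuration from the original thread or from the Samba project; the share names, the path and the `read only = no` lines are assumptions, while `valid users = @administrators` and `nt acl support = no` are the settings named in the mail.

```ini
# Constructed example: share names and path are assumptions.

# Share for administrators: ACL editing stays available, but only
# members of the Unix group "administrators" may connect.
[data-admin]
    path = /srv/samba/data
    read only = no
    valid users = @administrators
    # nt acl support defaults to yes; stated here for contrast.
    nt acl support = yes

# Share for everyone else: same path, but smbd does not map Unix
# permissions to NT ACLs, so clients cannot set ACLs through it.
[data]
    path = /srv/samba/data
    read only = no
    nt acl support = no
```

Running `testparm -s` after editing confirms that both sections parse. Ownership and mode bits on the underlying path still apply to connections through either share.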
