Thanks Jeremy and Volker. Clarified some of points.still little bit confusion for me. so, in summary if a user can change ACL, if he has write acess on the share and the ownership on subfolders / files inside it.
here is is my test. 1) created share "test" , given write access to it for "admin", "user1" users. 2) connected to share with admin user and created sub folder "test_subfldr" in it. and given read access to user1 user . output of getfacl ------------ r...@storage:/mnt/soho_storage/samba/shares/SP0/test# getfacl test_subfldr/ # file: test_subfldr/ # owner: admin # group: users user::rwx user:user1:r-x group::rwx mask::rwx other::rwx default:user::rwx default:user:user1:r-x default:group::--- default:mask::rwx default:other::--- r...@storage:/mnt/soho_storage/samba/shares/SP0/test# ------------------ 4) connected to test share with user1 , could not write into test_subfldr. and user1 has changed acl settings on test_subfldr to write access . why samba is allowing this? Though user1 has write access to share , he is not the owner of test_subfldr/.(admin is the owner for this) . user1 effectivly has read access on the test_subfldr. attached smb.conf for your reference. Thanks Suresh -----Original Message----- From: Jeremy Allison [mailto:[email protected]] Sent: Saturday, October 16, 2010 6:28 AM To: Kandukuru, Suresh Cc: [email protected]; [email protected]; [email protected] Subject: Re: [Samba] Restricting samba subfolder acl changes to admin users On Fri, Oct 15, 2010 at 07:09:02AM -0400, [email protected] wrote: > Got it Volker . Thanks . > > once final Q is ,I have admin user in NAS . for a share "test" , he has given > write access to user "user1 " and read access for a subfolder -> > "testsubdir" in share "test" . > when user1 logged into share "test", he could not write into "testsubdir". > obviously it is because he has read access on the folder an most restrictive > access will be effective. > > and the problem is since the user1 has write access to share , he is able to > change the read access on the sub folder by himself. why samba is allowing > this ? since effectively user1 has read access on the sub folder "testsubdir" > it should deny acl changes on that right?. You are confusing write access on a share ACL, with write access on a directory. If a user only has read access on a share ACL, he will only be able to read data on that share, no modifications to any files/folders or ACLs will be allowed. If a user has write access on a share ACL, then he can modify anything inside that share that the underlying filesystem gives him rights to do so (if you're using POSIX ACLs/permissions, not Windows ACLs). So, when you complain that user1 can change the permissions on a sub folder, look at the owner and permissions on that sub folder. If user1 has permission to write into the containing directory, he can modify anything within it (according to the POSIX specs.). Samba will override the POSIX permissions if "dos filemode" is set: See the smb.conf man page: dos filemode (S) The default behavior in Samba is to provide UNIX-like behavior where only the owner of a file/directory is able to change the permissions on it. However, this behavior is often confusing to DOS/Windows users. Enabling this parameter allows a user who has write access to the file (by whatever means, including an ACL permission) to modify the permissions (including ACL) on it. Note that a user belonging to the group owning the file will not be allowed to change permissions if the group is only granted read access. Ownership of the file/directory may also be changed. Note that using the VFS modules acl_xattr or acl_tdb which store native Windows as meta-data will automatically turn this option on for any share for which they are loaded, as they require this option to emulate Windows ACLs correctly. This might be what you're seeing. If you want the client to only see Windows ACLs, look into the "vfs objects = acl_xattr" option. There are a few bugs in it, which I've currently fixed for 3.6.0 (and am preparing a back port for the next 3.5.x release). Jeremy.
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
