I am running 3.0.22, with ACLs on an EXT3 file system. The system is "Debian stable" but has been upgraded to the 2.6.16.9 kernel.
I am setting up a SAMBA share with Windows 2003 AD and would like any Windows user to be able to change the ACL for a file or folder if they are a member of a group that has write access to the file or folder in question.

On first inspection it looked like the "ACL GROUP CONTROL" feature that arrived in 3.0.22 would help to solve this. What I found was that if I set the "ACL GROUP CONTROL = TRUE" setting in SMB.CONF, then any user could change the ACL for a file/folder if they were a member of the primary GID of the file/folder even if that primary GID did not have write access.

I checked the code in "source/smbd/posix_acls.c" and as far as I can tell it only checks that the user is a member of the group that the file has as its primary GID but it doesn't check that the primary GID also has write access to the file. You could, for example, have a "0700" set of UNIX access flags and a user who was a member of the primary GID could still change the ACL.

Is my understanding correct? If it is, is there a known work-around?

Thanks in advance,
Roger
