On Sun, May 14, 2006 at 10:21:20PM +0100, Roger Lucas wrote:
>
> What I found was that if I set the "ACL GROUP CONTROL = TRUE" setting in
> SMB.CONF, then any user could change the ACL for a file/folder if they were
> a member of the primary GID of the file/folder even if that primary GID did
> not have write access.

Yes, that's by design.

> I checked the code in "source/smbd/posix_acls.c" and as far as I can tell it
> only checks that the user is a member of the group that the file has as its
> primary GID but it doesn't check that the primary GID also has write access
> to the file. You could, for example, have a "0700" set of UNIX access flags
> and a user who was a member of the primary GID could still change the
> ACL.
>
> Is my understanding correct?
> If it is, is there a known work-around?

No - it treats anyone who is in the primary group owner as though they were
the owner of the file. The owner of a file can change the ACL even if they
don't have write access. This is how it's supposed to work (and does when a
file is owned by a group on Windows).

Jeremy.
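The rule described in this thread, as an added audit sketch that is not part of the original messages and is not Samba's code: it models "owner, or member of the file's primary group when the option is on, may change the ACL" and lists files where that grants ACL control even though the group has no write bit. The share path, uids, gids and function names are constructed for illustration.

```python
import os
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class FileMeta:
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o700

def may_change_acl(meta, uid, gids, acl_group_control):
    """Model of the rule stated in the thread (not Samba's source)."""
    if uid == meta.uid:
        return True  # the owner may change the ACL even without write access
    # With the option on, primary-group members are treated as the owner;
    # the group's write bit is never consulted.
    return acl_group_control and meta.gid in gids

def unexpected_acl_editors(files, group_members, acl_group_control=True):
    """(path, uid) pairs: a non-owner may change the ACL although the group has no write bit."""
    findings = []
    for meta in files:
        if meta.mode & stat.S_IWGRP:
            continue  # group can already write; nothing surprising
        for uid in sorted(group_members.get(meta.gid, ())):
            if uid != meta.uid and may_change_acl(meta, uid, {meta.gid}, acl_group_control):
                findings.append((meta.path, uid))
    return findings

def scan_tree(root):
    """Collect FileMeta for everything under a share root (hypothetical path)."""
    metas = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            metas.append(FileMeta(full, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)))
    return metas

# Constructed sample data: uid 1000 owns both files, gid 2000 has three members.
SAMPLE_FILES = [
    FileMeta("/srv/share/private.doc", 1000, 2000, 0o700),
    FileMeta("/srv/share/team.doc", 1000, 2000, 0o770),
]
SAMPLE_GROUPS = {2000: {1000, 1001, 1002}}

if __name__ == "__main__":
    for path, uid in unexpected_acl_editors(SAMPLE_FILES, SAMPLE_GROUPS):
        print(f"{path}: uid {uid} may change the ACL (group has no write bit)")
```

Feeding `scan_tree()` output for a real share root, together with the group membership of the server, into `unexpected_acl_editors()` gives the list of files to review before enabling the option.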
