[Samba] Restricting samba subfolder acl changes to admin users

suresh.kandukuru at emc.com suresh.kandukuru at emc.com
Sun Oct 24 03:10:42 MDT 2010 

Just a reminder.

-----Original Message-----
From: Kandukuru, Suresh 
Sent: Tuesday, October 19, 2010 6:49 PM
To: 'jra at samba.org'; 'samba at lists.samba.org'
Cc: 'Volker.Lendecke at SerNet.DE'
Subject: RE: [Samba] Restricting samba subfolder acl changes to admin users


Jeremy did you get a chance to look at this . can you please pass your comments  on this.?

Thanks
Suresh


-----Original Message-----
From: Volker Lendecke [mailto:Volker.Lendecke at SerNet.DE] 
Sent: Monday, October 18, 2010 1:16 PM
To: Kandukuru, Suresh
Cc: jra at samba.org
Subject: Re: [Samba] Restricting samba subfolder acl changes to admin users

On Mon, Oct 18, 2010 at 12:12:55AM -0400, suresh.kandukuru at emc.com wrote:
> Thanks Jeremy and Volker. Clarified  some of points.still little bit confusion for me.
> so, in summary if a user can change ACL, if he has write acess on the share and the ownership on subfolders / files inside it.
> 
> here is is my test.
> 
> 1) created share "test" , given write access to it for "admin", "user1" users.
> 
> 2) connected to share with admin user and created sub folder "test_subfldr" in it. and given read access to user1 user
> .
> output of getfacl
> ------------
> root at storage:/mnt/soho_storage/samba/shares/SP0/test# getfacl test_subfldr/
> # file: test_subfldr/
> # owner: admin
> # group: users
> user::rwx
> user:user1:r-x
> group::rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:user1:r-x
> default:group::---
> default:mask::rwx
> default:other::---
> 
> root at storage:/mnt/soho_storage/samba/shares/SP0/test#
> ------------------
> 4) connected to test share with user1 , could not write into test_subfldr. and user1 has changed  acl settings  on test_subfldr to write access .
> why samba is allowing this? Though user1 has write access to share , he is not the  owner of test_subfldr/.(admin is the owner for this) . user1 effectivly has  read access on the test_subfldr.

This might actually be a bug. Maybe Samba believes the user
has write permissions due to the group having the w
permission? Which group is the user member of?

Jeremy, can this be a mis-mapping of Posix permissions to
NTFS ACLs in the "dos filemode" permission check?

Volker

More information about the samba mailing list