[Samba] Re: Proposal to allow owning group to edit ACLs.

David Collier-Brown David.Collier-Brown at Sun.COM
Tue Jul 19 12:07:07 GMT 2005



Jeremy Allison wrote:
> Hi all,
> 
> 	I've been spending some time with customers lately and I've
> discovered an interesting thing. Many IT departments completely delegate
> the settings on directory and file ACLs to the users who are interested
> in the data.

	Yes, that's an interpretation of "Need to Know", in which
	anyone who has a need to know can designate another person
	as needing to now.  This interpretation is avoided like
	the **plague** in Unix, where there is no higher-level
	"Mandatory Access Control" (MAC) to keep someone who
	isn't cleared from getting access to the data.

	In a MAC regime, a godlike person says "you passed the
	security check, you can work with data up to secret" and
	increases your authorization, then some individual says
	"you need to know", and changes an ACL to give you access.

> For example, on a given share for "Finance", the finance group is given
> full control on the containing directory (ie. they're allowed to set ACLs
> on everything within it) and are left alone to sort out their access
> control as they wish.

	And one assumes that anyone hired by finance passed the
	security check. Alas, a finance person might grant read to
	someone in marketing, and see a press release the next day
	with details that shouldn't be public (;-))

>				 I'm proposing a new parameter called
> "acl group control". If set to True on a share then it would allow
> both the owning user and the *primary group owner* of a file or directory
> to change the ACL on it.

	That's smart: could it optionally be set/overridden on a
	per-share basis, so the trusted groups could be controlled 
	at a fairly fine granularity?

--dave
-- 
David Collier-Brown,      | Always do right. This will gratify
Sun Microsystems, Toronto | some people and astonish the rest
davecb at canada.sun.com     |                      -- Mark Twain
(416) 263-5733 (x65733)   |


More information about the samba mailing list