[Samba] Behavior of acl_xattr:ignore system acls = yes on a share

Rowland Penny rpenny at samba.org
Wed Jan 31 10:19:45 UTC 2024


On Wed, 31 Jan 2024 10:09:53 +0100
Ralph Boehme via samba <samba at lists.samba.org> wrote:

> On 1/31/24 09:50, Peter Milesson via samba wrote:
> > The crucial problem here is that Everyone (yes, really everyone)
> > can write to the root share. 
> 
> Why don't you just change it? That's how it's supposed to work.
> 
> -slow
> 

It might be supposed to work that way, but it doesn't appear to do so.

When I logged into Windows and connected to a share that has
'acl_xattr:ignore system acls = yes' set and right clicked on its icon
in Explorer and selected 'Properties', I found that 'EVERYONE' was
listed. I removed 'EVERYONE', clicked 'Apply' then 'OK', which
completed without error. 'EVERYONE' is no longer listed on Windows, but
if I go to the machine that holds the share and run 'samba-tool ntacl
get /srv/acl3 --as-sddl', I get this:

O:S-1-22-1-0G:S-1-22-2-0D:AI(A;OICI;FA;;;S-1-22-1-0)(A;OICI;0x1200a9;;;DU)(A;OICI;0x1200a9;;;DU)(A;;FA;;;S-1-22-2-0)(A;;FA;;;S-1-22-2-0)(A;;FA;;;S-1-22-1-0)(A;;FA;;;WD)(A;OICIIO;FA;;;CO)(A;OICIIO;0x1200a9;;;S-1-22-2-0)(A;OICIIO;0x1200a9;;;CG)(A;OICIIO;0x1200a9;;;WD)

'WD' is Windows speak for 'EVERYONE'.

Rowland
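
Added example, not part of the original message and not Samba's own code: a small Python parser that pulls the Everyone ('WD') allow ACEs out of the SDDL string quoted above and reports whether each one applies to the share directory itself and whether it grants write access. The function names are hypothetical, only the four file-rights abbreviations listed are decoded, and conditional ACEs are not handled.

```python
import re

# The SDDL string quoted in the message above.
SDDL = ("O:S-1-22-1-0G:S-1-22-2-0D:AI(A;OICI;FA;;;S-1-22-1-0)"
        "(A;OICI;0x1200a9;;;DU)(A;OICI;0x1200a9;;;DU)(A;;FA;;;S-1-22-2-0)"
        "(A;;FA;;;S-1-22-2-0)(A;;FA;;;S-1-22-1-0)(A;;FA;;;WD)"
        "(A;OICIIO;FA;;;CO)(A;OICIIO;0x1200a9;;;S-1-22-2-0)"
        "(A;OICIIO;0x1200a9;;;CG)(A;OICIIO;0x1200a9;;;WD)")

# File access masks for the SDDL rights abbreviations (Windows SDK values).
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
WRITE_BITS = 0x2 | 0x4          # FILE_WRITE_DATA | FILE_APPEND_DATA
EVERYONE = {"WD", "S-1-1-0"}    # SDDL alias and SID of the Everyone group


def parse_mask(rights):
    """Turn an ACE rights field (hex or two-letter codes) into a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS[rights[i:i + 2]]   # KeyError on codes not listed
    return mask


def dacl_aces(sddl):
    """Return every ACE in the DACL part of an SDDL string as a dict."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, _obj, _inh, sid = body.split(";")[:6]
        aces.append({
            "type": ace_type, "flags": flags, "sid": sid,
            "mask": parse_mask(rights),
            # IO (inherit only): the ACE affects children, not this object
            "on_object": "IO" not in re.findall("..", flags),
        })
    return aces


def everyone_allow_aces(sddl):
    """Allow ACEs granted to Everyone, with a flag for write access."""
    return [dict(a, write=bool(a["mask"] & WRITE_BITS))
            for a in dacl_aces(sddl)
            if a["type"] == "A" and a["sid"] in EVERYONE]


if __name__ == "__main__":
    for ace in everyone_allow_aces(SDDL):
        print(ace["flags"] or "-", hex(ace["mask"]), ace)
```

On the string above this reports two Everyone entries: a full-access ACE with no inheritance flags that applies to the directory itself, and an inherit-only read/execute ACE for its children.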


