"Inherit Permissions" request for comments

Kyle Herbert kyleh at firstnetimpressions.com
Wed May 31 08:27:14 GMT 2000


   One more comment before I call it a night :-)

   We seem to be shying away from my original purpose in patching the code,
and getting into implementation specifics.  I'm surprised there hasn't been
more discussion regarding security and parallelism with NT.

   Based on the posts made thus far, I think we're agreeing that as a
default behavior it is not secure (for example) to inherit the group-owner's
write attribute without also inheriting the group-owner's GID.  It has been
pointed out, however, that this can be protected against by using setgid at
the operating system level or by implementing a new feature in Samba to do
so explicitly (inherit group owner = yes | no).  I question why the default
behavior should be something that needs to be protected against!

   The default behavior should be designed as securely as possible with
administrative flexibility available when required :-)  By default,
therefore, inheriting group-owner permissions implies inheriting group-owner
GID -- easily implemented inside Samba.

   The average Windows NT administrator won't typically know what "setgid"
bits are, let alone how to set them.  With the group-ownership handled by
Samba at the application level and not at the operating system level, no
future NT administrator will have to understand or work with the setgid bit.
It'll be transparent --- just a right-click on the Samba share or
sub-directory thereof and a change in the ownership; no logging into the
Samba server to do a chmod.  (This is futuristically speaking, of course,
but you can see why I am not a proponent of the operating system based
solution.)  I also don't relish the task of stripping off the setgid bits
and doing extra chowns as I administer shares from the Unix side.  There's
no equivalence for a setgid bit in Windows NT; why should it be required of
a drop-in Windows NT replacement server?

   Enough long-windedness for one night :-)

--Kyle



Kyle Herbert
Information Technology Director
First 'Net' Impressions, LLC
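The setgid-directory mechanism referred to in the post above, shown as an added example; this is not code from the post or from Samba. It assumes a Unix host (Linux semantics are described in the comments) and, when the process has a supplementary group other than its effective GID, uses that group to stand in for the share's group-owner so that the two directories differ from the creator's primary group. The names `compare_group_inheritance`, `pick_alternate_group` and `run_demo` are the example's own.

```python
import os
import stat
import tempfile


def pick_alternate_group():
    """Return a supplementary GID that differs from the effective GID, or None.

    chown() to a group the process already belongs to is legal for an
    unprivileged user, so the demo can give both directories a group other
    than the creator's primary group (standing in for the share's group-owner).
    """
    egid = os.getegid()
    for gid in os.getgroups():
        if gid != egid:
            return gid
    return None


def create_group_writable_file(directory, name):
    """Create an empty file requesting group write (0664 before umask) and
    return its stat result; the group it lands in is the point of interest."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_CREAT | os.O_WRONLY, 0o664)
    os.close(fd)
    return os.stat(path)


def compare_group_inheritance(base):
    """Create two group-writable directories under `base`, one with the setgid
    bit, create a file in each, and report which group each file received."""
    plain = os.path.join(base, "plain")
    inherit = os.path.join(base, "inherit")
    os.mkdir(plain)
    os.mkdir(inherit)

    share_gid = pick_alternate_group()
    if share_gid is not None:
        # -1 leaves the owner unchanged; only the group is set.
        os.chown(plain, -1, share_gid)
        os.chown(inherit, -1, share_gid)

    # Identical rwx for user and group; only "inherit" carries setgid (the 2).
    os.chmod(plain, 0o770)
    os.chmod(inherit, 0o2770)

    f_plain = create_group_writable_file(plain, "doc.txt")
    f_inherit = create_group_writable_file(inherit, "doc.txt")
    dir_inherit = os.stat(inherit)

    return {
        "process_egid": os.getegid(),
        "dir_gid": dir_inherit.st_gid,
        "setgid_bit_set": bool(dir_inherit.st_mode & stat.S_ISGID),
        # Without setgid (Linux): the file's group is the creator's primary
        # group, so its group-write bit benefits that group, not the share's.
        "plain_file_gid": f_plain.st_gid,
        # With setgid: the file's group is the directory's group, so the
        # inherited group-write bit applies to the intended group.
        "inherit_file_gid": f_inherit.st_gid,
        "alternate_group_available": share_gid is not None,
    }


def run_demo():
    """Run the comparison in a throwaway directory and return the report."""
    with tempfile.TemporaryDirectory() as base:
        return compare_group_inheritance(base)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it as a user with at least one supplementary group to see the difference the post is arguing about: `plain_file_gid` equals `process_egid` while `inherit_file_gid` equals `dir_gid`. If `alternate_group_available` is false, every GID in the report is the same and the two cases cannot be told apart on that host. On BSD-derived systems (including macOS) new files take the parent directory's group whether or not setgid is set, so only the Linux run shows the divergence.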
