The "security mask" parameter

Jeremy Allison jeremy at valinux.com
Wed May 9 22:51:18 GMT 2001


"MCCALL,DON (HP-USA,ex1)" wrote:
> 
> I agree, Jeremy - it's certainly not something that you could implement on
> an NT server - not with DOS modes.
> Now, you COULD make a file readonly via ntacls, and restrict the
> creator/owner from changing those permissions, but I don't think we need to
> provide that outside of whatever acl support the underlying OS allows...
> Heck, you can't even do that to a UNIX user....

Actually, after talking with Gerald (who wants it to work
the way it did in 2.0.x), he's pointed out that it is actually
the "restrict acls with mask" parameter I added recently that
is the redundant parameter that should be removed.

If I set the security mask/dir security mask = 0777
and force security mode/force dir security mode = 0
and *always* apply these on ACL set, then we get exactly
the default behaviour we have now (no masks, user gets
exactly what they set in the ACL), but still provide
the capability for an admin to set masks on ACL sets
for user/group and world, without disturbing the create
masks.

Not that anyone actually uses these, as this was *completely*
broken in 2.2.0 :-) :-). But this is actually the more
generic solution (that 99.99999% of people will never need
to change :-).

Jeremy.


-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
