The "security mask" parameter

MCCALL,DON (HP-USA,ex1) don_mccall at hp.com
Thu May 10 13:31:10 GMT 2001


Well Mohammed,
You could put the files that you want to ALWAYS be readonly into a separate
share, and use the 'read only = yes' share option on that share; then the
user would not be able to modify the permissions.
 
Hope this helps,
Don

-----Original Message-----
From: Mohammed_Maati at BIOGEN.COM [mailto:Mohammed_Maati at BIOGEN.COM]
Sent: Thursday, May 10, 2001 8:59 AM
To: Jeremy Allison
Cc: MCCALL,DON (HP-USA,ex1); samba at lists.samba.org;
'samba-technical at samba.org'
Subject: Re: The "security mask" parameter



I guess that this means that there is no way (in Samba with the parameter
"nt acl support" set to false) to prevent a user from taking off the read
only attribute (from his NT 4 box) of his files if I change them to read
only from the Unix box?
Thanks for your help.

Mohammed.






Jeremy Allison <jeremy at valinux.com>@valinux.com on 05/09/2001 06:51:18 PM

Sent by:  jeremy at valinux.com


To:   "MCCALL,DON (HP-USA,ex1)" <don_mccall at hp.com>
cc:   "'Mohammed_Maati at BIOGEN.COM'" <Mohammed_Maati at BIOGEN.COM>,
      samba at lists.samba.org, "'samba-technical at samba.org'"
      <samba-technical at samba.org>
Subject:  Re: The "security mask" parameter


"MCCALL,DON (HP-USA,ex1)" wrote:
>
> I agree, Jeremy - it's certainly not something that you could implement on
> an NT server - not with DOS modes.
> Now, you COULD make a file readonly via ntacls, and restrict the
> creator/owner from changing those permissions, but I don't think we need to
> provide that outside of whatever acl support the underlying OS allows...
> Heck, you can't even do that to a UNIX user....

Actually, after talking with Gerald (who wants it to work
the way it did in 2.0.x), he's pointed out that it is actually
the "restrict acls with mask" parameter I added recently that
is the redundant parameter that should be removed.

If I set the security mask/dir security mask = 0777
and force security mode/force dir security mode = 0
and *always* apply these on ACL set, then we get exactly
the default behaviour we have now (no masks, user gets
exactly what they set in the ACL), but still provide
the capability for an admin to set masks on ACL sets
for user/group and world, without disturbing the create
masks.

Not that anyone actually uses these, as this was *completely*
broken in 2.2.0 :-) :-). But this is actually the more
generic solution (that 99.99999% of people will never need
to change :-).

Jeremy.


--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
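
Added example, not part of the original messages and not Samba's own code: a small Python model of the mask application described in the thread, assuming the smb.conf semantics that "security mask" is AND'ed and "force security mode" is OR'ed with the permission bits a client sets. The share names, paths and the values in the "restricted" share are constructed for illustration.

```python
import configparser

# Constructed smb.conf-style fragment; share names and paths are hypothetical.
SAMPLE_CONF = """
[defaults]
path = /srv/defaults
security mask = 0777
force security mode = 0

[restricted]
path = /srv/restricted
security mask = 0755
force security mode = 0400
"""


def load_masks(text):
    """Return {share: (security_mask, force_security_mode)} as integers."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    masks = {}
    for share in cp.sections():
        # Fallbacks are the defaults proposed in the thread (0777 and 0).
        mask = int(cp[share].get("security mask", "0777"), 8)
        force = int(cp[share].get("force security mode", "0"), 8)
        masks[share] = (mask, force)
    return masks


def effective_mode(requested, mask, force):
    """Assumed model: AND the requested bits with the mask, then OR the forced bits."""
    return (requested & mask) | force


def is_passthrough(mask, force):
    """True when all 512 rwx combinations are stored exactly as requested."""
    return all(effective_mode(m, mask, force) == m for m in range(0o1000))


if __name__ == "__main__":
    for share, (mask, force) in load_masks(SAMPLE_CONF).items():
        state = "passthrough" if is_passthrough(mask, force) else "restricting"
        # Show what a client request for rw-rw-rw- (0666) ends up as.
        result = effective_mode(0o666, mask, force)
        print(f"[{share}] mask={mask:04o} force={force:04o} {state}: "
              f"0666 -> {result:04o}")
```

With 0777 and 0 every requested mode passes through unchanged, which is the "user gets exactly what they set in the ACL" default; any narrower mask or non-zero force mode shows up as "restricting".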