feature request / suggestion - ACL protection

peter.a.bryant at mainroads.qld.gov.au peter.a.bryant at mainroads.qld.gov.au
Thu Feb 28 18:57:24 GMT 2002



Thanks for your reply.
Like I said, I don't understand the full technical implications of what I'm asking,
but here are my answers to your questions...

   >I can see a possible problem with this.  Let's say you create a New Folder
   >on the samba share, then change your mind and delete it.  Then someone else
   >happens to create a New Folder.  Would you end up owning their folder, since
   >the names are the same?

In this situation, I would want the ownership details of the folder to be deleted
when the folder is deleted.  Then when a new folder is created, new ownership
and access permissions would be "recorded" for the new folder.

   >About your text file:

      >> When the edited file is saved, ownership is transferred to the
      >> person who edited the file.  Also, access control settings for the
      >> file are reset to a default setting.

      >> This is a real problem, since in some cases it means that the
      >> original owner of the file no longer has permission to edit the file.

   >I don't know the original situation, so I could be off base here.  But it
   >seems like if the default ACL for a folder does not allow group access, and
   >you're routinely having to change permissions to allow group access, you
   >need to consider changing the default ACL.  (Or the create mode, if you're
   >not using ACLs.)  Personally, I try not to commingle private and
   >group-accessible files in the same folder; it's just too confusing and makes
   >it too easy to make a mistake.

The main problem we are having with access control is this.
Say two people have access to a file because they are both members of a group.
Suppose this group is the primary group of Person A, and a secondary group of
Person B.  Now, if Person B edits the file, its group is set to whatever Person B's
primary group is.  This could mean that Person A no longer has access to the file
if they are not a member of this group.
Does this make sense?  Hope I explained it right.

As I said, I know there are ways to work around this.
Just wondering if Samba people had already considered tackling this problem.
Hope one of the gurus will get back to me on this.

Thanks for your advice with keeping private and group files separate.

-pete.


-----Original Message-----
From: peter.a.bryant at mainroads.qld.gov.au
[mailto:peter.a.bryant at mainroads.qld.gov.au]
Sent: Wednesday, February 27, 2002 9:46 PM
To: samba-technical at lists.samba.org
Subject: feature request / suggestion - ACL protection


I've just discovered that many popular applications (e.g. Word, Excel, WordPro,
Star Office...) reset file ownership and access control settings when editing a file.

I know this is fairly common behaviour, and a few people have suggested ways to
work around the problems it causes. (see attached text file)  However it is obviously
logically incorrect and a cause of some problems.  I was wondering if a Samba
parameter might be developed to correct this behaviour.

It seems to me that it might be possible to prevent this behaviour  - at least
for files on Samba shares - by making a note of original ownership & access control
properties and restoring them when the file is re-written to the share.  I'm not sure
if this is practical or not - I don't have any real understanding of the technical side
of this.  However it seems to be a problem which many people wrestle with (see attachment)

Please, could someone from the development team (and anyone else) take a moment
to give me your thoughts as to whether this feature is possible and / or desirable,
and whether it might be included in a future release of Samba.

Please don't be too harsh if this seems like a silly request.
Any feedback is welcome

thanks

-peter.


***********************************************************************************************************
List:     samba
Subject:  [Samba] Windows changes file ownership & ACL's - any solution?
From:     <peter.a.bryant at mainroads.qld.gov.au>
Date:     2002-02-18 3:45:09

We have a problem with file security settings changing when
a file is edited by someone who is not the owner.

When the edited file is saved, ownership is transferred to the
person who edited the file.  Also, access control settings for the
file are reset to a default setting.

This is a real problem, since in some cases it means that the
original owner of the file no longer has permission to edit the file.

The problem occurs with many applications - Word, Excel, WordPro,
the Star Office editor, but not with Notepad or WordPad.
What seems to happen is that the applications create a copy of the
original document when opening the document.  This copy has the
ownership of the current user and that user's default access controls.
When the file is then saved, the original file is deleted and the copy
saved under the original name (along with the different owner and access
properties).
This behaviour seems incorrect to me, but apparently is quite standard
among applications.

I was wondering if there is currently a way to override this behaviour
via Samba?
If anyone else has experienced these problems I would like to hear about it
(even if you didn't get a solution)
Any input is welcome.

(We are currently running Samba 2.0.6 on Solaris 8 servers
   with a mixture of Win NT, 2000 & XP clients.
   Planning on upgrading to latest Samba soon.)

thanks
-peter.

-----------------------------------------------------------------------------------------------------------

List:     samba
Subject:  Re: [Samba] Windows changes file ownership & ACL's - any solution?
From:     "Mats olsson" <mace2442 at hotmail.com>
Date:     2002-02-18 7:37:02

It's probably, as you say, an application problem. I have seen the same with
NT4 servers

---------------------------------------------------------------------------------------------------------------

List:     samba
Subject:  Re: [Samba] Windows changes file ownership & ACL's - any solution?
From:     Josh Konkol <susesambaboy at yahoo.com>
Date:     2002-02-18 14:21:18

I'm running SuSE 7.0, Samba 2.2.2 w/Winbind, Pam, on 2.2.20 Kernel w/ACL
Support.

I have just verified that I'm having this same problem.  Exactly.  I saved a
file on a Samba share, then I verified I was the owner.  I then went to a
co-worker's computer and opened, edited, saved the file with M$ Word.  Now
when I look at ownership, it is set to him as the owner and the permissions
are reset.  When I follow the same steps using Notepad, the ownership and
permissions aren't changed.

Here are the settings for my share:

[share]
        comment = Test Winbind Share
        path = /mnt/share
        create mask = 0777
        browseable = Yes
        writeable = yes

Here is the ACL for the file before I edited it with M$ Word.

linux10:/mnt/share # getfacl acltest.doc
# file: acltest.doc
# owner: DOMAIN+$ejwk
# group: DOMAIN+Domain Users
user::rwx
user:DOMAIN+I10201:rwx
group::rw-
mask::rwx
other::rw-

Here is the ACL for the file After I edited it with M$ Word.

linux10:/mnt/share # getfacl acltest.doc
# file: acltest.doc
# owner: DOMAIN+I10201
# group: DOMAIN+Domain Users
user::rwx
group::rw-
other::rw-

How do we work around this problem?

Anyone have any ideas or having the same problems ??

TIA

Josh Konkol

------------------------------------------------------------------------------------------------------

List:     samba
Subject:  Re: [Samba] Windows changes file ownership & ACL's - any solution?
From:     John Benedetto <jbenedet at unm.edu>
Date:     2002-02-18 17:12:37

This is on the Windows side, but is not a 'problem' per se, more like
accepted normal activities; there is no 'fix' you can do on the client
side, you need to tweak your smb.conf file (play with stuff like the create
mode, and masks).

What is happening is that Word is making a new file while you are "editing"
the old one; when you save it, the old one is deleted, and the new one has
the same perms & stuff as if you had made a completely new file. (I think).
I would bet that this is NOT an MSOffice problem, as many high end 'real'
word processors follow similar approaches (notepad, of course, does not
count as a 'real' word processor :-).

If I am off-base here, I won't be offended at all if other people chime in!

I actually have a similar problem, too, but have not had time to finish
tweaking my Samba configuration.

- john

---------------------------------------------------------------------------------------------------------------------

List:     samba
Subject:  Re: [Samba] Windows changes file ownership & ACL's - any solution?
From:     Gary Algier <gaa at ulticom.com>
Date:     2002-02-21 14:56:26

I believe your problem is with Word.  It creates a new temp file, then deletes
the old and renames the temp file to the original name.  As a test:

1) Create foo.doc. (With word).
2) Create foo.txt. (With notepad).
3) On the unix system:
    ls -li foo.*    Note the inode numbers, etc.
4) Edit each file with their respective editor.
5) On the unix system:
    ls -li foo.*    Did they change?

If so, there is no fix, unless there is a way to get Word to act correctly.


Josh Konkol wrote:
> I'm re-posting this only because I didn't get any responses before.  ANY help
> is very much appreciated.
>
> I'm running SuSE 7.0, Samba 2.2.2 w/Winbind, Pam, on 2.2.20 Kernel w/ACL
> Support.
>
> I have just verified that I'm having this same problem.  Exactly.  I saved a
> file on a Samba share, then I verified I was the owner.  I then went to a
> co-worker's computer and opened, edited, saved the file with M$ Word.  Now
> when I look at ownership, it is set to him as the owner and the permissions
> are reset.  When I follow the same steps using Notepad, the ownership and
> permissions aren't changed.
>
> Here are the settings for my share:
>
> [share]
>         comment = Test Winbind Share
>         path = /mnt/share
>         create mask = 0777
>         browseable = Yes
>         writeable = yes
>
> Here is the ACL for the file before I edited it with M$ Word.
>
> linux10:/mnt/share # getfacl acltest.doc
> # file: acltest.doc
> # owner: DOMAIN+$ejwk
> # group: DOMAIN+Domain Users
> user::rwx
> user:DOMAIN+I10201:rwx
> group::rw-
> mask::rwx
> other::rw-
>
> Here is the ACL for the file After I edited it with M$ Word.
>
> linux10:/mnt/share # getfacl acltest.doc
> # file: acltest.doc
> # owner: DOMAIN+I10201
> # group: DOMAIN+Domain Users
> user::rwx
> group::rw-
> other::rw-
>
> How do we work around this problem?
>
> Anyone have any ideas or having the same problems ??
>
> TIA
>
> Josh Konkol
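
The inode test above can be scripted. This is an added example, not part of the original thread: it compares an in-place save with the write-temp, delete, rename save the posters describe, using constructed file names. It runs as a single user, so it shows the permission bits falling back to the saver's defaults; the owner change seen in the thread needs a second user.

```shell
#!/bin/sh
# Added example: compare an in-place save with a save-by-replace.
# File names and contents are constructed for the demonstration.

inode_of() { ls -i "$1" | awk '{print $1}'; }
mode_of()  { ls -l "$1" | awk '{print substr($1, 1, 10)}'; }

# Notepad-style save: rewrite the contents of the existing file.
save_in_place() { printf '%s\n' "$2" > "$1"; }

# Save as described in the thread: write a new temp file, delete the
# original, then rename the temp file to the original name.
save_by_replace() {
    tmp="$1.tmp.$$"
    printf '%s\n' "$2" > "$tmp"
    rm -f "$1"
    mv "$tmp" "$1"
}

# Prints "same-inode" or "new-inode", then the mode before and after.
compare_save() {   # $1 = save function, $2 = working directory
    f="$2/foo.doc"
    umask 022                  # the saving user's default for new files
    printf 'v1\n' > "$f"
    chmod 660 "$f"             # owner had opened the file to the group
    i1=$(inode_of "$f"); m1=$(mode_of "$f")
    "$1" "$f" 'v2'
    i2=$(inode_of "$f"); m2=$(mode_of "$f")
    if [ "$i1" = "$i2" ]; then r=same-inode; else r=new-inode; fi
    echo "$r $m1 $m2"
    rm -f "$f"
}

demo() {
    d=$(mktemp -d) || return 1
    echo "in-place: $(compare_save save_in_place "$d")"
    echo "replace:  $(compare_save save_by_replace "$d")"
    rm -rf "$d"
}
demo
```

A new inode after the save means the server saw a file creation, not a modification, so owner, group, mode and any access ACL entries come from the creating user and the parent directory's defaults.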

------------------------------------------------------------------------------------------------------------------

List:     samba
Subject:  RE: [Samba] Windows changes file ownership & ACL's - any solution
From:     Noel Kelly <nkelly at tarsus.co.uk>
Date:     2002-02-21 15:05:13

I thought I had read a response to this.  Went something like this:

Word (and lots of other such apps) do not actually deal with the original
file.  They create a temporary file which overwrites the original when you
save the new document.  The 'new' file of course inherits the new editor's
ownership.

Hope this helps you.

Noel

------------------------------------------------------------------------------------------------------------------

From: Josh Konkol [mailto:susesambaboy at yahoo.com]
Sent: Thursday, February 21, 2002 11:44 AM
To: Noel Kelly; samba at lists.samba.org
Subject: Re: [Samba] Windows changes file ownership & ACL's - any
solution ?


So then what good are ACL's if they're going to be overwritten each time the
file is accessed?

Am I the only one here who sees this as a real problem?

I'm ready to implement Samba full-force, but this IMHO is a big issue.

ANY feedback right now is appreciated

Josh

-------------------------------------------------------------------------------------------------------------------

List:     samba
Subject:  RE: [Samba] Windows changes file ownership & ACL's - any solution
From:     David Brodbeck <DavidB at mail.interclean.com>
Date:     2002-02-21 16:53:36

Does an NT server behave any differently?

My solution is to not rely on the owner being any particular user.  Set
things up (either with default ACLs on the folders, or with 'force group'
and 'create mode') so that the proper people will always have group
read/write access to the files.  This also lets you make sure that new files
will have the proper permissions.

For example, we might have an Engineering/R&D folder with default ACLs like
this:

DOMAIN+Engineering:rx
DOMAIN+R&D:rwx

Now every file and folder created in that directory will have read access
for people in the Engineering group, and read/write access for people in the
R&D group.  The only time it matters who owns the file is if someone wants
to change the attributes or ACLs on it, since attributes and ACLs can only
be changed by the owner or by root.

-------------------------------------------------------------------------------------------------------------------

List:     samba
Subject:  RE: [Samba] Windows changes file ownership & ACL's - any solution
From:     Noel Kelly <nkelly at tarsus.co.uk>
Date:     2002-02-22 8:29:09

That is exactly what we do.  If you have an issue with only a single user
having rights to a set of files then ask them to create a new folder in
their shared area and they can change the ACLs to block access from others.

Noel

-----------------------------------------------------------------------------------------------------------

[Samba] samba and solaris-8 ACLs
Broun, Bevan brounb at adi-limited.com
Sun Feb 3 17:14:50 2002

Hi

I haven't done a whole lot of testing yet, I want advice from the list
first. A production solaris-8 machine is using ACLs to give finer
permission control to files shared using samba (version 2.2.0).

The problem is that when ACLs are put on a file they are removed when a
Windows user updates and saves the file. Is this fixable?  Should the ACLs
only be put on directories? Is using ACLs a good idea at all?

TIA

BB
*******************************************************************************************************



