Proposal to allow owning group to edit ACLs.

Jeremy Allison jra at
Mon Jul 18 22:47:31 GMT 2005

Hi all,

	I've been spending some time with customers lately and I've
discovered an interesting thing. Many IT departments completely delegate
the settings on directory and file ACLs to the users who are interested
in the data.

For example, on a given share for "Finance", the finance group is given
full control on the containing directory (i.e. they're allowed to set ACLs
on everything within it) and are left alone to sort out their access
control as they wish.

This is difficult on Samba with POSIX ACLs due to the fact that POSIX
ACLs can only be changed by the owner of the file/directory or root.

Windows semantics allow the owner of a file/directory to always change
the ACL (as does POSIX), but the difference is that under Windows a group
can be the owner of a file/directory - with no user owner at all.

Now I know the correct way to fix this is full NT ACL semantics and
we're moving towards that in the future but an easy stop-gap solution
for us is a new parameter, so I'm proposing a new parameter called
"acl group control". If set to True on a share then it would allow
both the owning user and the *primary group owner* of a file or directory
to change the ACL on it.

This would allow a "finance" group to be the primary POSIX group owner
of a shared directory and then any member of that group could set
ACLs on it, whether they were the actual user owner or not.

In conjunction with the ability to have group ownership of files/directories
in a directory inherited from the parent by setting the SETGID bit on the
directory this should allow delegation of ACL control under Samba.

Please let me know what you think - it's easy to add to the current
code but I'd like to get some user feedback before I do so.
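The following is an added illustration, not code from the post or from Samba: a small Python model of the two rules the proposal combines, the "owner or root may change the ACL" POSIX check extended by the proposed "acl group control" setting, and SETGID group inheritance on the parent directory. The uids, gids, `Inode`, `Share` and `demo` names are constructed for the example.

```python
# Added example (not from the original post or Samba): a model of who may
# change a POSIX ACL, with and without the proposed "acl group control"
# share parameter, plus SETGID group inheritance from the parent directory.
import stat
from dataclasses import dataclass

ROOT_UID = 0


@dataclass
class Inode:
    uid: int            # owning user
    gid: int            # owning (primary) group
    mode: int = 0o770   # permission bits, may include stat.S_ISGID


@dataclass
class Share:
    acl_group_control: bool = False   # the proposed smb.conf parameter


def may_change_acl(share, node, uid, groups):
    """Plain POSIX: only the owner or root may change the ACL.
    With 'acl group control' on the share, any member of the file's
    owning group may change it as well."""
    if uid == ROOT_UID or uid == node.uid:
        return True
    return share.acl_group_control and node.gid in groups


def create_in(parent, uid, primary_gid):
    """A new file takes the creator's primary group, unless the parent
    directory carries the SETGID bit, in which case it inherits the
    parent's group (standard POSIX behaviour)."""
    gid = parent.gid if parent.mode & stat.S_ISGID else primary_gid
    return Inode(uid=uid, gid=gid, mode=parent.mode & 0o777)


def demo():
    """Constructed scenario: a 'finance' group-owned, SETGID share directory."""
    FINANCE = 5000                          # constructed gid
    alice = (1001, [FINANCE, 1001])         # (uid, group memberships)
    bob = (1002, [FINANCE, 1002])
    top = Inode(uid=ROOT_UID, gid=FINANCE, mode=stat.S_ISGID | 0o770)
    report = create_in(top, alice[0], 1001)  # alice creates a file in it
    return {
        "inherited_group": report.gid == FINANCE,
        "bob_posix_only": may_change_acl(Share(), report, *bob),
        "bob_with_param": may_change_acl(Share(True), report, *bob),
        "outsider": may_change_acl(Share(True), report, 1003, [1003]),
    }
```

Without the parameter Bob, a finance member who did not create the file, cannot change its ACL; with it he can, while a non-member still cannot.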
