Proposal to allow owning group to edit ACLs.

Kaplan, Marc marc_kaplan at
Mon Jul 18 23:25:56 GMT 2005


I think this is really a great idea, and potentially a very valuable
feature as long as group acl control = false by default.

> -----Original Message-----
> From: at
[ at lists.samba.or
> On Behalf Of Jeremy Allison
> Sent: Monday, July 18, 2005 3:48 PM
> To: samba-technical at
> Cc: samba at; jra at
> Subject: Proposal to allow owning group to edit ACLs.
> Hi all,
>
> 	I've been spending some time with customers lately and I've
> discovered an interesting thing. Many IT departments completely
> the settings on directory and file ACLs to the users who are
> in the data.
>
> For example, on a given share for "Finance", the finance group is
> full control on the containing directory (ie. they're allowed to set
> on everything within it) and are left alone to sort out their access
> control as they wish.
>
> This is difficult on Samba with POSIX ACLs due to the fact that POSIX
> ACLs can only be changed by the owner of the file/directory or root.
> Windows semantics allow the owner of a file/directory to always change
> the ACL (as does POSIX), but the difference is that under Windows a
> can be the owner of a file/directory - with no user owner at all.
>
> Now I know the correct way to fix this is full NT ACL semantics and
> we're moving towards that in the future but an easy stop-gap solution
> for us is a new parameter, so I'm proposing a new parameter called
> "acl group control". If set to True on a share then it would allow
> both the owning user and the *primary group owner* of a file or
> to change the ACL on it.
>
> This would allow a "finance" group to be the primary POSIX group owner
> of a shared directory and then any member of that group could set
> ACLs on it, whether they were the actual user owner or not.
>
> In conjunction with the ability to have group ownership of
> files/directories in a directory inherited from the parent by setting
> the SETGID bit on
> directory this should allow delegation of ACL control under Samba.
>
> Please let me know what you think - it's easy to add to the current
> code but I'd like to get some user feedback before I do so.
>
> Cheers,
> 	Jeremy.
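
The rule proposed in the quoted message, modelled as an added example that is not part of the original thread and is not Samba's code: `may_change_acl` shows how "acl group control" widens who may edit an ACL, and `audit` flags entries in a share where the SETGID-based group inheritance has lapsed. The names `Entry`, `may_change_acl`, `audit`, `scan`, the paths and the numeric IDs are all assumptions made for illustration.

```python
import os
import stat
from typing import Iterable, Iterator, List, NamedTuple, Set, Tuple

class Entry(NamedTuple):
    path: str
    mode: int  # st_mode
    uid: int   # owning user
    gid: int   # primary group owner

def may_change_acl(e: Entry, uid: int, gids: Set[int], acl_group_control: bool) -> bool:
    """POSIX rule: only the owner or root. With the proposed parameter set,
    members of the file's primary group owner are allowed as well."""
    if uid == 0 or uid == e.uid:
        return True
    return acl_group_control and e.gid in gids

def audit(entries: Iterable[Entry], share_gid: int) -> List[Tuple[str, str]]:
    """Report entries where delegation to share_gid would not work as intended."""
    findings = []
    for e in entries:
        if e.gid != share_gid:
            findings.append((e.path, "group owner is not the delegated group"))
        elif stat.S_ISDIR(e.mode) and not e.mode & stat.S_ISGID:
            findings.append((e.path, "directory lacks SETGID, children will not inherit the group"))
    return findings

def scan(root: str) -> Iterator[Entry]:
    """Collect Entry records from a real directory tree."""
    for dirpath, _dirs, files in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(p)
            yield Entry(p, st.st_mode, st.st_uid, st.st_gid)

# Constructed sample: a "finance" share delegated to gid 2000.
FINANCE_GID = 2000
SAMPLE = [
    Entry("/srv/finance", stat.S_IFDIR | 0o2770, 1001, FINANCE_GID),
    Entry("/srv/finance/q3", stat.S_IFDIR | 0o0770, 1002, FINANCE_GID),
    Entry("/srv/finance/budget.xls", stat.S_IFREG | 0o0660, 1001, FINANCE_GID),
    Entry("/srv/finance/notes.txt", stat.S_IFREG | 0o0660, 1002, 100),
]

if __name__ == "__main__":
    for path, why in audit(SAMPLE, FINANCE_GID):
        print(f"{path}: {why}")
```

To check a real share, pass `scan("/path/to/share")` to `audit` in place of `SAMPLE`.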
