Proposal to allow owning group to edit ACLs.
William Marshall
bmarsh at us.ibm.com
Tue Jul 19 14:51:36 GMT 2005
jra writes:
> For example, on a given share for "Finance", the finance group is given
> full control on the containing directory (ie. they're allowed to set
ACLs
> on everything within it) and are left alone to sort out their access
> control as they wish.
Here's how we've been setting things up. We have a finance group that
contains all the users, and then we have a finance_a group. (_a is for
admins) The users in finance_a have the ability to use a web page to
update the members in the finance group so we also allow them to update
ACLs as they want.
[finance]
writeable=yes
admin users=@"mydomain\finance_a", @"mydomain\domain admins"
path=/home/group/finance
comment=[WHARVEY ] Finance Data
> This would allow a "finance" group to be the primary POSIX group owner
> of a shared directory and then any member of that group could set
> ACLs on it, whether they were the actual user owner or not.
To make sure I understand this part...
The files would be owned by the finance group instead of "domain users"?
That would be fine and would clean up some things. We have to make sure we
set the default ACL to grant the default group no access to the files.
Bill Marshall
IBM Global Services Unix & Intel Servers
Rochester PC Server Team
Building 020-3, Rochester, MN
More information about the samba-technical
mailing list