Proposal to allow owning group to edit ACLs.

William Marshall bmarsh at
Tue Jul 19 14:51:36 GMT 2005

jra writes:

> For example, on a given share for "Finance", the finance group is given
> full control on the containing directory (ie. they're allowed to set 
> on everything within it) and are left alone to sort out their access
> control as they wish.

Here's how we've been setting things up. We have a finance group that 
contains all the users, and then we have a finance_a group. (_a is for 
admins) The users in finance_a have the ability to use a web page to 
update the members in the finance group so we also allow them to update 
ACLs as they want.

admin users=@"mydomain\finance_a", @"mydomain\domain admins"
comment=[WHARVEY ] Finance Data

> This would allow a "finance" group to be the primary POSIX group owner
> of a shared directory and then any member of that group could set
> ACLs on it, whether they were the actual user owner or not.

To make sure I understand this part... 

The files would be owned by the finance group instead of "domain users"? 

That would be fine and would clean up some things. We have to make sure we 
set the default ACL to grant the default group no access to the files.

Bill Marshall 
IBM Global Services Unix & Intel Servers
Rochester PC Server Team
Building 020-3, Rochester, MN

More information about the samba-technical mailing list