Proposal to allow owning group to edit ACLs.

Jeremy Allison jra at
Wed Jul 20 16:25:24 GMT 2005

On Tue, Jul 19, 2005 at 09:51:36AM -0500, William Marshall wrote:
> jra writes:
> > For example, on a given share for "Finance", the finance group is given
> > full control on the containing directory (ie. they're allowed to set 
> ACLs
> > on everything within it) and are left alone to sort out their access
> > control as they wish.
> Here's how we've been setting things up. We have a finance group that 
> contains all the users, and then we have a finance_a group. (_a is for 
> admins) The users in finance_a have the ability to use a web page to 
> update the members in the finance group so we also allow them to update 
> ACLs as they want.
> [finance]
> writeable=yes
> admin users=@"mydomain\finance_a", @"mydomain\domain admins"
> path=/home/group/finance
> comment=[WHARVEY ] Finance Data
> > This would allow a "finance" group to be the primary POSIX group owner
> > of a shared directory and then any member of that group could set
> > ACLs on it, whether they were the actual user owner or not.
> To make sure I understand this part... 
> The files would be owned by the finance group instead of "domain users"? 

Yep. So long as you don't mind members of the finance group being
able to set their own ACLs.

It's committed in the SAMBA_3_0 code tree now if you want to test it.


More information about the samba-technical mailing list