Read and write list ordering
jra at samba.org
Fri Jul 22 23:17:31 UTC 2016
On Thu, Jul 21, 2016 at 11:16:29AM -0700, Justin Maggard wrote:
> On Thu, Jul 21, 2016 at 1:52 AM, Uri Simchoni <uri at samba.org> wrote:
> > On 07/20/2016 10:59 PM, Justin Maggard wrote:
> >> On Sun, Jul 17, 2016 at 04:00:15PM +0200, Volker Lendecke wrote:
> >>> On Sat, Jul 16, 2016 at 03:42:54PM -0700, Jeremy Allison wrote:
> >>>> Can we make such a change in a new major release ? i.e. would
> >>>> such a patch be acceptable in a 4.5.0 release - so long as it
> >>>> is fully documented in the release notes ?
> >>> No from my point of view. We need a fresh set of options for this.
> >>> This behaviour has been in Samba for so long, I've even put this into
> >>> a book I've written long ago. God knows how many setups we're going to
> >>> break.
> >> I'll live with whatever the final verdict is. I just want to first
> >> make sure that everyone is clear on what we'd actually be breaking
> >> though. There is exactly one case that would change behavior with my
> >> patch. That one case consists of a user populating "read list" with
> >> individual user accounts, then summarily overriding those entries by
> >> adding a group entry for a group that encompasses those users to
> >> "write list". It's hard for me to imagine anyone doing that
> >> intentionally. It seems more likely to me that there are many users
> >> out there with configurations that are less restrictive than they
> >> expect (which is, in fact, where the motivation for my patch came
> >> from).
> >> If we stick with the status quo, could we at least make the
> >> documentation more explicit about this peculiarity?
> >> -Justin
> > I read the following under "write list" in smb.conf.5:
> > """
> > Note that if a user is in both the read list and the write list then
> > they will be given write access.
> > """
> Right. That makes sense to somebody like you or me, who understands
> how the list gets evaluated. But many normal users think of "users"
> and "groups" as different classes of accounts. So when the man page
> says "... if a user is in both ...", they may not infer that groups
> count just as much as users. I've worked with two such Samba users
> who were confused by that (even after sharing that exact sentence with
> them) just within the last month.
Would a doc update help ? Do you have time to write one ?
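
The case discussed in this thread, as an added example that is not part of the original messages or of Samba's code: a small audit that flags users named in "read list" who still end up with write access because a "write list" group entry covers them. The share values and group memberships are constructed, group membership is passed in as a dict rather than looked up on the system, and quoted names containing spaces are not handled.

```python
"""Flag "read list" entries that a "write list" entry overrides."""

GROUP_PREFIXES = "@+&"  # smb.conf markers that introduce a group name


def parse_list(value):
    """Split an smb.conf user list on commas and whitespace."""
    return value.replace(",", " ").split()


def expand(entries, groups):
    """Map each user covered by a list to the first entry that covers them."""
    covered = {}
    for entry in entries:
        if entry[0] in GROUP_PREFIXES:
            for user in groups.get(entry.lstrip(GROUP_PREFIXES), ()):
                covered.setdefault(user, entry)
        else:
            covered.setdefault(entry, entry)
    return covered


def effective_access(user, read_list, write_list, groups):
    """Model the rule quoted from smb.conf(5): in both lists means write."""
    if user in expand(parse_list(write_list), groups):
        return "write"
    if user in expand(parse_list(read_list), groups):
        return "read"
    return "share default"


def overridden_readers(read_list, write_list, groups):
    """Return (user, read entry, write entry) for every overridden reader."""
    readers = expand(parse_list(read_list), groups)
    writers = expand(parse_list(write_list), groups)
    return sorted((u, readers[u], writers[u]) for u in readers if u in writers)


# Constructed sample data: group membership and one share's two lists.
GROUPS = {"staff": ["alice", "bob", "carol"], "interns": ["dave"]}
READ_LIST = "alice, bob, @interns"
WRITE_LIST = "@staff"

if __name__ == "__main__":
    for user, r_entry, w_entry in overridden_readers(READ_LIST, WRITE_LIST, GROUPS):
        print(f"{user}: read list entry '{r_entry}' is overridden by "
              f"write list entry '{w_entry}'")
```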