Setting ACLs via Windows client

Charles Marcus CharlesM at Media-Brokers.com
Wed Sep 19 15:24:03 GMT 2001


Hi Anthony...

I'm gonna be experimenting with XFS and Samba in the next few weeks, and
wanted to confirm something...

I presume that if the 'user' in question was a member of the root group,
they could change any/all ACLs?

Thanks

charles

-----Original Message-----
From: samba-admin at lists.samba.org [mailto:samba-admin at lists.samba.org] On Behalf Of Anthony J. Breeds-Taurima
Sent: Tuesday, September 18, 2001 11:38 PM
To: Michels, Gustavo [EES/BR]
Cc: samba at lists.samba.org
Subject: Re: Setting ACLs via Windows client


On Mon, 17 Sep 2001, Michels, Gustavo [EES/BR] wrote:

> A little question about ACLs; my test server is set up with XFS and has
> support for ACLs. I have built the latest samba cvs source with acl support
> and as far as I can see from the configure results, acls were detected and
> were compiled.

<snip>

> Can anyone help me or tell me where I can find more detailed documentation
> on setting ACLs for Samba?

Okay, I'm not certain I understand your environment completely BUT I am
fully able to set the ACL's on files (and dirs) from NT4.0/Win2k from the
owner account, i.e. it isn't enough to have write access to the file; you
must be the owner.

Try this:
Share /tmp via samba (only temporarily; this is generally a bad idea).

[root@router /tmp]# touch acledfile
[root@router /tmp]# chown DOMAIN+USER1:DOMAIN+Domain\ Admins acledfile
[root@router /tmp]# chmod 0660 acledfile
[root@router /tmp]# getfacl acledfile
# file: acledfile
# owner: DOMAIN+USER1
# group: DOMAIN+Domain Admins
user::rw-
group::rw-
group:DOMAIN+Domain Admins:rw-
mask::rw-
other::---

Then from the NT4.0/Win2k machine (logged in as USER) try to modify the
ACL's. It DOES work.

View the ACL,
[root@router /tmp]# getfacl acledfile
# file: acledfile
# owner: DOMAIN+USER1
# group: DOMAIN+Domain Admins
user::rw-
user:DOMAIN+USER3:rwx
group::rw-
group:DOMAIN+Domain Admins:rw-
mask::rw-
other::---

Then just change the owner to a different user; note this is the _only_
change you make.
[root@router /tmp]# chown DOMAIN+USER2:DOMAIN+Domain\ Admins acledfile
[root@router /tmp]# getfacl acledfile
# file: acledfile
# owner: DOMAIN+USER2
# group: DOMAIN+Domain Admins
user::rw-
user:DOMAIN+USER3:rwx
group::rw-
group:DOMAIN+Domain Admins:rw-
mask::rw-
other::---

Now again on the NT4.0/Win2k workstation try to modify the ACL; it will
fail.  This is to be expected.

Does that kinda, clarify what you can do with ACL's ???


Yours Tony.

/*
 * "The significant problems we face cannot be solved at the
 * same level of thinking we were at when we created them."
 * --Albert Einstein
 */
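
The three getfacl listings above can be compared mechanically. The following is an added example, not part of the original thread and not Samba code: it parses getfacl text output, reports which entry the Windows-side edit added, applies the POSIX ACL mask to it, and checks the owner condition the message reports. The function names are hypothetical, and the sample text is transcribed from the listings in the message.

```python
# Transcribed from the first getfacl listing in the message above.
INITIAL = """\
# file: acledfile
# owner: DOMAIN+USER1
# group: DOMAIN+Domain Admins
user::rw-
group::rw-
group:DOMAIN+Domain Admins:rw-
mask::rw-
other::---
"""
# After the edit from the Windows client, then after the chown to USER2.
EDITED = INITIAL.replace("group::rw-", "user:DOMAIN+USER3:rwx\ngroup::rw-")
CHOWNED = EDITED.replace("owner: DOMAIN+USER1", "owner: DOMAIN+USER2")


def parse_getfacl(text):
    """Return {'file', 'owner', 'group', 'entries'} from getfacl text output."""
    acl = {"file": None, "owner": None, "group": None, "entries": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            if key.strip() in ("file", "owner", "group"):
                acl[key.strip()] = value.strip()
        elif line:
            # Drop a trailing "#effective:..." comment that getfacl may append.
            tag, qualifier, perms = line.split("#", 1)[0].strip().split(":", 2)
            acl["entries"][(tag, qualifier)] = perms
    return acl


def effective(acl, tag, qualifier=""):
    """Apply the mask: it caps named users, named groups and the owning group."""
    perms = acl["entries"][(tag, qualifier)]
    mask = acl["entries"].get(("mask", ""))
    if mask is None or (tag, qualifier) in (("user", ""), ("other", "")):
        return perms
    return "".join(p if m != "-" else "-" for p, m in zip(perms, mask))


def added_entries(before, after):
    """ACL entries present in `after` but not in `before`."""
    return sorted(set(after["entries"]) - set(before["entries"]))


def is_owner(acl, account):
    """The condition the message reports for editing the ACL from the client."""
    return acl["owner"] == account
```

On the listings above, the entry granted to DOMAIN+USER3 is stored as rwx but the mask::rw- line limits it to rw- in effect, and the chown leaves every ACL entry unchanged while moving ownership away from USER1.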
