[Samba] ACLs and Permission Control

Rob Thomas robhthomas at hotmail.com
Mon Mar 4 11:41:08 GMT 2002


Hi,
I'm currently investigating implementing a Linux-Samba (RedHat 7.2 and Samba 
2.2.3a) based domain solution. I think I'm at the final hurdle, which is to 
understand share and filesystem ACLs. I'm using Samba 2.2.3a compiled with 
ACL support and my shares reside on a partition with an XFS file system (ACL 
supported).

The Problem
Using the security mask and directory security mask parameters I can stop 
the standard u/g/w permissions from being changed on any file or directory 
for an entire share. However, other user/group entries beyond the default 
u/g/w in my XFS ACL can be changed. Thus a user with "Write" access to a 
file or directory they have created can change the access for a user\group 
who would normally have "Read" access to "Write", and my security model is 
broken. This "Write" access is actually "Full Control" in NT terms as, from 
what I understand, just rwxd (Change) access cannot be mapped correctly on 
to the XFS POSIX ACL.

Is this how Samba should function or have I just misconfigured my server? 
If this is how Samba functions currently, then is this being looked at with a 
view to adding control of the changing of permissions for all group\user 
entries within ACL-supported file systems?

Just for information, I have set the "write" user group to have "Change" 
level access on both the share permissions, via Server Manager, and on the 
XFS ACL, although this reverts to "Full Control" as mentioned above.

Workaround
I currently have a workaround for this, which is to compile Samba without 
ACL support yet still use XFS. This appears to allow the intended user 
access to the share via the XFS ACL yet stop all ACL entries being viewed by 
Windows clients; only the u/g/w is displayed. Changes to these u/g/w 
permissions can then be controlled for the share by using the standard 
security mask and directory security mask parameters. I haven't stress-tested 
this configuration yet, and comments on the reliability of this 
workaround would be welcomed.

Any help would be appreciated.
Regards
Rob Thomas
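
A check an administrator could run for the situation described in the message above, added here as an example and not part of the original post or of Samba: it compares `getfacl`-style text against a baseline and reports named user/group entries (the ones the poster says the security masks do not cover) that gained effective permissions. The file name, users, groups and ACL text are constructed sample data.

```python
# Added example: detect named POSIX ACL entries widened relative to a baseline.
# BASELINE/CURRENT are constructed sample data in getfacl text format.
BASELINE = """\
# file: projects/report.doc
# owner: alice
# group: staff
user::rw-
group::r--
group:readers:r--
group:writers:rw-
mask::rw-
other::---
"""
# Simulates the change described in the post: "Read" entry turned into "Write".
CURRENT = BASELINE.replace("group:readers:r--", "group:readers:rw-")

def parse_acl(text):
    """Return {(tag, qualifier): 'rwx'-style perms} for access ACL entries."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and "#effective:" notes
        if not line or line.startswith("default:"):
            continue  # default (inherited) entries are out of scope here
        tag, qualifier, perms = line.split(":", 2)
        entries[(tag, qualifier)] = perms.strip()[:3]
    return entries

def effective(entries, key):
    """Apply the ACL mask, which limits named entries and the owning group."""
    perms, mask = entries[key], entries.get(("mask", ""))
    tag, qualifier = key
    if mask and (tag == "group" or (tag == "user" and qualifier)):
        perms = "".join(p if p == m else "-" for p, m in zip(perms, mask))
    return perms

def widened_named_entries(baseline, current):
    """List (tag, name, before, after) for named entries that gained bits."""
    old, new = parse_acl(baseline), parse_acl(current)
    findings = []
    for key in sorted(new):
        tag, qualifier = key
        if tag not in ("user", "group") or not qualifier:
            continue  # plain u/g/o entries: handled by the security masks per the post
        before = effective(old, key) if key in old else "---"
        after = effective(new, key)
        if any(a != "-" and b == "-" for a, b in zip(after, before)):
            findings.append((tag, qualifier, before, after))
    return findings

if __name__ == "__main__":
    for finding in widened_named_entries(BASELINE, CURRENT):
        print("widened:", finding)
```
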


