[Samba] ACLs and file/directory access permissions

John H Terpstra jht at samba.org
Tue Apr 29 16:00:18 GMT 2003 

On Tue, 29 Apr 2003, Marek Bialoglowy wrote:

> Hello,
>
> I have a share [/projects] with multiple directories inside, each created
> for purpose of different projects. On Win2K I was able to specify users who
> were allowed to access particular directories and in some cases particular
> files (in case there is any secret file I was allowing access only to one
> person responsible for the project). I was wondering if it is possible to
> switch all server to Linux running 'samba' ? At the moment I don't think it
> is possible due to lack of proper ACLs. I need something controlling access
> to particular files/directories with specific user oriented access rights.
> Linux by default doesn't have any support of ACLs so it's not possible to do
> it from the system in any efficient and reasonable way (I don't know any
> stable enough ACLs solutions for Linux).
>
> What do you all think about it ? I believe samba should separate access
> control from Linux file system and implement advanced ACL functions.

Marek,

Your request seems so logical and the samba-team's apparent failure to
deliver this seems deficient and cruel!

Please rest assured that we are well aware of the issues and that we aim
to deliver what our users need and want. Linux/Unix does not have support
for MS Windows NT styled ACLs. Even with POSIX ACLs we have issues as
there is no 1:1 mapping of MS Windows NT to POSIX functionality. That
means that in implementing ACLs we have to make trade-offs.

You can use normal Unix/Linux user and group access controls to restrict
user access to files and directories.

You can set fully functional ACLs on shares (done using the NT4 Server
Manager, or through the Win2K MSC toolset). This one is now being
documented in the new Samba-HOWTO-Collection that will ship with
Samba-3.0.0.

What we are still trying to identify is how much of a limitation we really
have today. Granted that it would be nice to be able to set all
permissions using NT ACLs through the MS Windows File Manager, but is that
the ONLY way that is acceptable to our users? In fact, from a Unix/Linux
administrator's perspective is that the MOST efficient way to do it?

If you want "Proper ACLs" then you will need to make certain that the
underlying file system has them. Samba can invent yet more overhead. Samba
can make things more complex than they are. We CAN create a separate
database for EVERY file on the system and set ACLs in it. But that would
become a completely unmanagable nightmare at best, and more likely a total
disaster.

ACLs information has to be stored somewhere! If not in the file system
itself then in a separate database. If in a separate database then HOW do
we keep that database current with the files in the filesystem as
Unix/Linux users re-arrange files without using the MS Windows tools.

So if the lack of "Proper ACLs" is a real road block for you, may I ask
are you willing to take up your needs with those who are responsible for
the file systems that Samba sits on top of? If not, what do you want us to
do to make sure that your needs are met?

- John T.
-- 
John H Terpstra
Email: jht at samba.org

More information about the samba mailing list