[Samba] Re: Full wNT/w2K ACL conformance

Dragan Krnic dkrnic at lycos.com
Wed Jun 18 14:39:08 GMT 2003 

>>The show-stopper right now is this: we need to be 
>>able to assign "real"  Full Control permissions: a 
>>user who has "Full control" on a directory  should
>>be able to Read, Write, eXecute ( of course) [ this 
>>can be easily achieved with ACLs ]  *plus*  being 
>>able to give away Full Control to other users too
>>[being able to override inherited ACLs would be a 
>>plus, too]. Is this feasible (remember smbd runs as 
>>root... )? Has somebody thought about implementing 
>>this ?

If you have Full Control over a directory (e.g. as
root, or own it or have rwx on it), you can give FC 
(rwx) to others. Is it perhaps the other way around, 
that you want to stop this delegation, unless an FC
EA explicitely allows it? I'm not sure if it can be
a show-stopper or if it really makes a difference.

>How about using one EA to map some Windows' 
>attributes ? Full Control, Archive ( though it can
>be emulated through ctime/atime/mtime ), Change 
>Only, come in a first pass over this.

Change Only? Uhm, you mean Erase Only? I wouldn't be
surprised if there's an M$ ACL with that name.

The EAs are apparently still a disputed novelty.

Some M$ ACLs make sense, but Archive bit is nonsense
and possibly much else. Consider the backslash, OK
it's a different ball game but still, consider the
backslash. Was there any need for it, given that
Unix slash was in existence for decades when DOS
came around? No, just like much of so called ACLs,
it is a way to lock the installed base away from 
recognized standards to proprietary captivity.

The way you put it, it looks like there are some
major problems standing in the way of migrations
to common standards, whereas it is my opinion that 
Samba is doing great by implementing sensible 
features in a standards-conforming way and offering
an efficient file and print service for a song.

Think about what really stops the show - the feature
or the perception. Think how M$ may use your letter
for FUD: "Samba is free but IT specialists complain 
they can't have full control of their data in 
practice".

>>I thought that maybe coding a wrapper around SecLib
>>could achieve this. Being quite fluent in C/C++ both 
>>in Un*x as well as Win32 I don't mind coding >>whatever tool is needed to achieve this, provided it 
>>is indeed possible. If not, some 
>>suggestions/comments ( or even an approximate 
>>timeline for implementation! ) would be more than 
>>welcome.
>
>Any comments on this??

My posting was only comments. But go ahead and do
it. Perhaps everyone will use it, once it's there.

Samba isn't perfect. The way default permissions get
replicated indiscriminately to subdirs and files is
one thing that could be improved. If you want to
ensure propagation of eXec (tresspassing) bit on 
directories, you eventually end up with Hidden,
System and Archive bits stuck to files and still
can't hide a directory or give it System attribute. 

But the problem is really only aesthetic.
Hidden can and is regularly overridden in the file 
browser properties box, Archive I couldn't care less 
about and the System bit has nothing to do in most of 
the shares, except perhaps in [profiles] where you 
don't need ACLs anyway. When I was migrating, everyone 
thought it was a sure show-stopper. Now after some 
hands-on experience and a little tweaking, the 
perception has changed and there is no problem.


____________________________________________________________
Get advanced SPAM filtering on Webmail or POP Mail ... Get Lycos Mail!
http://login.mail.lycos.com/r/referral?aid=27005

More information about the samba mailing list