[Samba] how to prevent users from modifying access rights

. listrcv at condor-werke.com
Fri Oct 29 15:14:47 GMT 2004

Gerald (Jerry) Carter schrieb:

> . wrote:
> |
> | Hi,
> |
> | how can I prevent users from modifying access rights on files and
> | directories on a share (on an ext3 partition with ACLs)?
> |
> | Users must be able to read from arbitrary directories on
> | the share  belonging to groups they are not members of, and
> | they must have write access to files belonging to other users
> | in the same group, sometimes to files/directories that are
> | owned by users of other groups. But they must not be able to
> | modify the access rights of files owned by users in the
> | same group; eventually it will be useful to deny
> | modifying access rights to all users.
> set all files to be owned by root :-)  and make sure that
> 'dos filemode = no'   That should do it.   (but give the
> user's the necessary write permissions).

Hmmmmm, the manpage says on ´dos filemode´:

 > The default behavior in Samba is to provide UNIX-like behavior where
 > only the owner of a file/directory is able to  change  the
 > permissions  on  it. [...]
 > Enabling this parameter allows a user who
 > has write access to the file (by whatever means) to modify the
 > permissions on it. Note that a user belonging to the group own­ing
 > the file will not be allowed to change permissions if the group is
 > only granted read access.­

There will be files like that:

directory-1	peter:staff
   |-- file-1	peter:staff
   |-- file-2    hubba:staff
   |-- file-3    elisa:users
   |-- file-4	laura:birds
   |-- subdir	elisa:users
     |-- file-A  elisa:users
     |-- file-B  hubba:staff
directory-2	hubba:staff
   |-- file-1	peter:staff
   |-- file-2    hubba:staff
   |-- file-3    elisa:users
   |-- file-4	laura:birds
   |-- subdir	elisa:users
     |-- file-A  elisa:users
     |-- file-B  hubba:staff

... and so on. Members of group ´staff´ must have RW access on _all_ 
files in directory-1, and some users of other groups must have that 
also. Other users must have read access to the directories, eventually 
excluding some of their contents.

Most of the directories (and groups) will represent departments of the 
organisation (if there isn´t a better solution). The problem is that I 
cannot get the users to stick to their designated directories :( They 
definitely want what I call ´chaotical access rights´ --- and I cannot 
figure how I could provide that, even with ACLs.

For ´peter´ of ´staff´ is the chief of the department directory-1 
represents/belongs to, I could (want) reasonably give ´peter´ of ´staff´ 
the right to modify access rights on directory-1 and anything it 
contains. But other users must not be able to modify the rights.

An alternative is to maintain the access rights myself, but I´d rather 
like to avoid that --- and it won´t work anyway because users creating 
files within the directories will thereby be able to set the rights on 
their files (unless I could somehow prohibit that). That is even the 
default behaviour (i. e. ´dos filemode = no´).

I´ve tried to use ´directory security mask´ and ´security mask´, but 
setting them to 0000 allows a user to change the rights exactly once 
(instead of denying any changes what was what I expected): When 
attempting to set any rights, the rights just get masked to 0000 and 
then are set on the file/directory --- thereby, any further access is 
effectively denied.

With ´dos filemode = yes´, any other users having write access to files 
in directories would be able to modify the access rights, but I do not 
want them to be able to.

Even our rather over-aged Netware server we´re going to migrate from, 
running Netware 3.2(!), can handle the demand of chaotical access rights 
without having to thing about it. I need that same capability on the new 
Linux server ...

It´s not that I would like such a thing, but I´m facing the demand. The 
answer to questions like ´Which users can access this directory?´ is 
always ´I don´t know, and that would be very difficult to find out ...´ 
          But at least, users cannot modify the access rights unless I 
allow them to. Having users modifying the rights would mean having no 
more control at all:

´Which users can access that directory?´ --- ´I don´t know, and that 
cannot be found out because users can grant access to anything 
theirselves whenever they want ...´, that´s somewhat fatal :) --- And my 
tests showed that users can even delete whole directories though I took 
off all their rights from them. This is very intricated ...


More information about the samba mailing list