[Samba] Proposal to allow owning group to edit ACLs.

Rhys Goodwin rhys.goodwin at gmail.com
Tue Jul 19 01:43:10 GMT 2005


Great idea Jeremy,
As far as ACLs are concerned the more options the better. This option would
add a great deal of flexibility.
Cheers,
Rhys

 On 7/19/05, Jeremy Allison <jra at samba.org> wrote: 
> 
> Hi all,
> 
> I've been spending some time with customers lately and I've
> discovered an interesting thing. Many IT departments completely delegate
> the settings on directory and file ACLs to the users who are interested
> in the data.
> 
> For example, on a given share for "Finance", the finance group is given
> full control on the containing directory (ie. they're allowed to set ACLs
> on everything within it) and are left alone to sort out their access
> control as they wish.
> 
> This is difficult on Samba with POSIX ACLs due to the fact that POSIX
> ACLs can only be changed by the owner of the file/directory or root.
> 
> Windows semantics allow the owner of a file/directory to always change
> the ACL (as does POSIX), but the difference is that under Windows a group
> can be the owner of a file/directory - with no user owner at all.
> 
> Now I know the correct way to fix this is full NT ACL semantics and
> we're moving towards that in the future but an easy stop-gap solution
> for us is a new parameter, so I'm proposing a new parameter called
> "acl group control". If set to True on a share then it would allow
> both the owning user and the *primary group owner* of a file or directory
> to change the ACL on it.
> 
> This would allow a "finance" group to be the primary POSIX group owner
> of a shared directory and then any member of that group could set
> ACLs on it, whether they were the actual user owner or not.
> 
> In conjunction with the ability to have group ownership of files/directories
> in a directory inherited from the parent by setting the SETGID bit on the
> directory this should allow delegation of ACL control under Samba.
> 
> Please let me know what you think - it's easy to add to the current
> code but I'd like to get some user feedback before I do so.
> 
> Cheers,
> 
> Jeremy.


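The rule proposed in the quoted message, sketched as an added example that is not Samba code and not part of either post: it models who may change an ACL with and without "acl group control", and flags entries in a share tree where the group delegation would silently not apply (wrong owning group, or a directory missing SETGID). The function names, uids, gid 2000 for "finance" and the sample paths are all assumptions made for illustration.

```python
import os
import stat
from collections import namedtuple

# Minimal stand-in for os.stat_result so the sample data below is constructed,
# not read from a real share.
St = namedtuple("St", "st_mode st_uid st_gid")

def may_change_acl(uid, gids, st, acl_group_control):
    """Rule from the proposal: root or the owning user may always change the
    ACL; with the option on, members of the owning group may as well."""
    if uid == 0 or uid == st.st_uid:
        return True
    return bool(acl_group_control) and st.st_gid in gids

def audit_entries(entries, share_gid):
    """Flag entries where group delegation would silently not apply."""
    findings = []
    for path, st in entries:
        if st.st_gid != share_gid:
            findings.append((path, "group is not the share group"))
        elif stat.S_ISDIR(st.st_mode) and not st.st_mode & stat.S_ISGID:
            findings.append((path, "directory lacks SETGID"))
    return findings

def walk_share(root):
    """Yield (path, lstat) for every directory and file under a real share root."""
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            yield path, os.lstat(path)

# Constructed sample: gid 2000 stands for "finance"; uids are made up.
FINANCE = 2000
SAMPLE = [
    ("/srv/finance", St(stat.S_IFDIR | 0o2770, 1001, FINANCE)),
    ("/srv/finance/q3.xls", St(stat.S_IFREG | 0o660, 1001, FINANCE)),
    ("/srv/finance/old", St(stat.S_IFDIR | 0o770, 1002, FINANCE)),
    ("/srv/finance/old/a.doc", St(stat.S_IFREG | 0o660, 1002, 100)),
]

if __name__ == "__main__":
    for path, why in audit_entries(SAMPLE, FINANCE):
        print(f"{path}: {why}")
    # uid 1002 is in finance but does not own q3.xls
    print(may_change_acl(1002, {FINANCE}, SAMPLE[1][1], False))
    print(may_change_acl(1002, {FINANCE}, SAMPLE[1][1], True))
```

To check a real tree, pass `walk_share(root)` and the share group's numeric gid to `audit_entries`.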