[Samba] Re: Proposal to allow owning group to edit ACLs.

John Little jlittle_97 at yahoo.com
Tue Jul 19 15:12:24 GMT 2005



> From: Jeremy Allison <jra at samba.org>
> Subject: [Samba] Proposal to allow owning group to edit ACLs.
> CC: samba at samba.org, jra at samba.org
> Date: Mon, 18 Jul 2005 15:47:31 -0700
> To: samba-technical at samba.org
> 
> Hi all,
> 
> 	I've been spending some time with customers lately and I've
> discovered an interesting thing. Many IT departments completely delegate
> the settings on directory and file ACLs to the users who are interested
> in the data.
> 
> For example, on a given share for "Finance", the finance group is given
> full control on the containing directory (ie. they're allowed to set ACLs
> on everything within it) and are left alone to sort out their access
> control as they wish.
> 
> This is difficult on Samba with POSIX ACLs due to the fact that POSIX
> ACLs can only be changed by the owner of the file/directory or root.
> 
> Windows semantics allow the owner of a file/directory to always change
> the ACL (as does POSIX), but the difference is that under Windows a group
> can be the owner of a file/directory - with no user owner at all.
> 
> Now I know the correct way to fix this is full NT ACL semantics and
> we're moving towards that in the future but an easy stop-gap solution
> for us is a new parameter, so I'm proposing a new parameter called
> "acl group control". If set to True on a share then it would allow
> both the owning user and the *primary group owner* of a file or directory
> to change the ACL on it.
> 
> This would allow a "finance" group to be the primary POSIX group owner
> of a shared directory and then any member of that group could set
> ACLs on it, whether they were the actual user owner or not.
> 
> In conjunction with the ability to have group ownership of
> files/directories in a directory inherited from the parent by setting
> the SETGID bit on the directory this should allow delegation of ACL
> control under Samba.
> 
> Please let me know what you think - it's easy to add to the current
> code but I'd like to get some user feedback before I do so.
> 
> Cheers,
> 
> 	Jeremy.
> 

Jeremy,

While we try to avoid that practice, at times it is easier to let the
departments do it.  Generally we set up the director or someone he
designates as the owner to handle it so that it doesn't fly out of
control. So yes, that would be a useful feature for us and we could use
the departmental admin group to make the changes.

Regards,
John Little
Hendricks Regional Health

Happiness is understanding how things work.
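
Added example, not part of the original thread and not Samba's code: a small Python model of the rule described in the proposal (owning user or root under plain POSIX, plus members of the owning group when "acl group control" is on), with an audit that lists directories where group delegation would silently break because the owning group differs or the setgid bit is missing. The names `Account`, `may_change_acl`, `delegation_gap` and `audit_tree` are hypothetical, and the path and gid in the usage comment are placeholders.

```python
import os
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    uid: int
    gids: frozenset  # primary and supplementary group ids

def may_change_acl(st, account, acl_group_control=False):
    """Model of the rule in the proposal (an assumption, not Samba's source).

    Plain POSIX: only root or the owning user may change the ACL.
    With the proposed share option on, a member of the owning group may too.
    """
    if account.uid == 0 or account.uid == st.st_uid:
        return True
    return bool(acl_group_control) and st.st_gid in account.gids

def delegation_gap(st, group_gid):
    """Return why a directory breaks group delegation, or None if it is fine."""
    if st.st_gid != group_gid:
        return "owning group is not the delegated group"
    if not st.st_mode & stat.S_ISGID:
        return "setgid bit missing, new entries will not inherit the group"
    return None

def audit_tree(root, group_gid):
    """Walk a share directory and list (path, reason) for every directory
    where members of group_gid would lose ACL control over new content."""
    findings = []
    for dirpath, _dirs, _files in os.walk(root):
        reason = delegation_gap(os.lstat(dirpath), group_gid)
        if reason:
            findings.append((dirpath, reason))
    return findings

if __name__ == "__main__":
    import sys
    # Usage: audit.py /srv/share/finance <gid>   (placeholder path and gid)
    for path, reason in audit_tree(sys.argv[1], int(sys.argv[2])):
        print(f"{path}: {reason}")
```

Because the option widens who can rewrite ACLs to every member of the owning group, running the audit before enabling it shows exactly which directories that group would and would not control.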


		