[Samba] User can't access a share that he has full control of
Jeremy Allison
jra at samba.org
Tue Aug 22 20:34:36 GMT 2006
On Tue, Aug 22, 2006 at 11:43:31AM -0700, Ephi Dror wrote:
>
> However, frequently there are sub trees that need to be accessed by a
> particular user, and with the current semantics, you need to give more
> permissions than you might otherwise need to for the directories above
> the sub tree. The whole point of a share (or an NFS export) on a server
> is to be a direct point of access to clients.
>
> I didn't see how my change violate any POSIX security. It sounds to me
> so logic to give user permissions only from mount/export points and not
> for any directory leading to mount point.
It's POSIX. Allowing a user to traverse through a directory in
which they have '---' permissions violates POSIX security.
Think of this this way. You want to prohibit a user who you've
just fired from getting access to any area of the filesystem
below a certain point. You add a POSIX ACL of u:name:--- to the
top level directory and you're done. No need to hunt down any
individual permissions, at one stroke you've cut off a path
in the filesystem.
Windows does it differently by default (although it has a
user right that is granted by default that allows this - in
order for it to pass POSIX complience tests you have to
turn this right off). I'm not saying we won't implement
this right in the future but it's not as trivial as "always
doing stat calls as root".
Jeremy.
More information about the samba
mailing list