[Samba] Unexpected behaviour with ACL GROUP CONTROL

Roger Lucas roger at planbit.co.uk
Sun May 14 22:23:59 GMT 2006

Thanks for the (very) quick reply.

Is there any way to set it up so that the ACL for a file or folder can be
changed by any user who:
	- has explicit write access in the current ACL
	- is a member of a group that has write access in the current ACL

I am looking for an "intuitive" configuration so that if you have write
access to a file (via whatever ACLs) then you can write to the ACL as well
as to the file contents.

> -----Original Message-----
> From: Jeremy Allison [mailto:jra at samba.org]
> Sent: 14 May 2006 22:55
> To: Roger Lucas
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Unexpected behaviour with ACL GROUP CONTROL
>
> On Sun, May 14, 2006 at 10:21:20PM +0100, Roger Lucas wrote:
> >
> > What I found was that if I set the "ACL GROUP CONTROL = TRUE" setting in
> > SMB.CONF, then any user could change the ACL for a file/folder if they were
> > a member of the primary GID of the file/folder even if that primary GID did
> > not have write access.
>
> Yes, that's by design.
>
> > I checked the code in "source/smbd/posix_acls.c" and as far as I can tell it
> > only checks that the user is a member of the group that the file has as its
> > primary GID but it doesn't check that the primary GID also has write access
> > to the file.  You could, for example, have a "0700" set of UNIX access flags
> > and a user who was a member of the primary GID could still change the
> > ACL.
> >
> > Is my understanding correct?
> > If it is, is there a known work-around?
>
> No - it treats anyone who is in the primary group owner as though
> they were the owner of the file. The owner of a file can change
> the ACL even if they don't have write access.
>
> This is how it's supposed to work (and does when a file is owned
> by a group on Windows).
>
> Jeremy.
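
Added example, not part of the original message and not Samba's code: a small C model of the three ACL-change rules discussed in this thread, evaluated for the "0700" case. The struct layout, function names and sample IDs are assumptions made for illustration, and the third rule is a hypothetical policy, not an existing smb.conf option.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Simplified model for illustration; these are not Samba's structures. */
struct file_meta { uid_t uid; gid_t gid; mode_t mode; };
struct user { uid_t uid; const gid_t *groups; size_t ngroups; };

static bool in_group(const struct user *u, gid_t gid)
{
    for (size_t i = 0; i < u->ngroups; i++)
        if (u->groups[i] == gid) return true;
    return false;
}

/* Plain POSIX rule: only the owning UID may change the ACL. */
bool may_set_acl_owner_only(const struct user *u, const struct file_meta *f)
{
    return u->uid == f->uid;
}

/* Behaviour described in the thread for "acl group control": a member of
 * the file's primary group is treated as owner; mode bits are ignored. */
bool may_set_acl_group_control(const struct user *u, const struct file_meta *f)
{
    return u->uid == f->uid || in_group(u, f->gid);
}

/* Hypothetical stricter rule (the check the original post expected):
 * group membership counts only when the group write bit is set. */
bool may_set_acl_group_write(const struct user *u, const struct file_meta *f)
{
    return u->uid == f->uid || (in_group(u, f->gid) && (f->mode & S_IWGRP));
}

/* Constructed sample: mode 0700 file, uid 1000, gid 2000; bob is in 2000. */
static const gid_t bob_groups[] = { 2000 };
static const struct user bob = { 1001, bob_groups, 1 };
static const struct file_meta locked = { 1000, 2000, 0700 };

int main(void)
{
    printf("owner-only=%d group-control=%d group-write=%d\n",
           may_set_acl_owner_only(&bob, &locked),
           may_set_acl_group_control(&bob, &locked),
           may_set_acl_group_write(&bob, &locked));
    return 0;
}
```

The model ignores root and extended ACL entries; it only contrasts ownership, primary-group membership and the group write bit.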
