[Samba] ACLs under Samba 3.3.0

Jeremy Allison jra at samba.org
Fri Jan 30 22:18:09 GMT 2009

On Fri, Jan 30, 2009 at 05:08:14PM -0500, Ryan B. Lynch wrote:
> I tested this about four weeks ago, comparing operations from Windows  
> clients against our Samba 3.2.7 server and another machine running a  
> 3.3.0 pre-release checkout.  The ACL rights assignments did appear to be  
> different, but I believe that the actual results were different, too.
> That is to day, a Windows user could delete, rename, or take ownership  
> of a file/directory on which that user had UNIX 'rwx' rights, but only  
> on 3.2.7.  This didn't work on 3.3.0.

The difference in 3.2.x and 3.3.x here is that for deleting or
renaming a file 3.2.x uses the request :

can_access_file_acl(conn, dname, &sbuf, FILE_WRITE_DATA);

whereas 3.3.x uses the more correct checks :

        if (can_access_file_acl(conn, dname, FILE_DELETE_CHILD)) {
                return true;

        return can_access_file_acl(conn, fname, DELETE_ACCESS);

This has probably tightened the restriction on who can do what
to be closer to the Windows access restrictions. This is intentional,
as I think the 3.2.x model was not correct (too permissive).

> But I want to be careful before I say I'm sure, because you (Jeremy)  
> certainly know this subject better than me.  I'm going to test those  
> same operations over the weekend, and I'll confirm whether it's just a  
> different appearance or whether it affects the actual operations.  I  
> will also turn the debug logging up to the max, and I'll attach that to  
> bug #6005 with an update.

> For our users, it's a requirement--the business process requires one  
> user to be able to rename, delete, etc. directory trees and files that  
> other users create.

So long as they have write access into the directory they should
be able to do this.


More information about the samba mailing list