[Samba] Restricting samba subfolder acl changes to admin users

Volker Lendecke Volker.Lendecke at SerNet.DE
Thu Oct 14 00:25:39 MDT 2010


On Thu, Oct 14, 2010 at 12:54:59AM -0400, suresh.kandukuru at emc.com wrote:
> What I noticed from the below example is that any user who
> has write access to the share is able to change sub-folder
> ACLs in it. We don't want that. How do we restrict this to
> only admin users in the NAS and to the AD administrator in
> Windows?
> 
> Please help.
> 
> ----------------
> 
> 1) Import user from W2K3 R2 Server and set up a secure share. User has Read/Write access.
> 
> 2) Create sub-folder and set Read.
> 
> 3) Log in as user on Windows 7 workstation using AD user's credentials.
> 
> 4) Map to share and write files to share - OK as expected.
> 
> 5) Change directory to sub-folder and write files to sub-folder - write denied as expected.
> 
> 6) As AD user, right-click on sub-folder and enter Properties, Security. Attempt to change R/O rights. Successfully changed - not expected behavior; only Administrator of NAS, Administrator of AD or member of AD Admin group should be able to change rights on secure sub-folders.

Assuming you're using pure POSIX ACLs, this is expected
behaviour. It is an artifact of Samba mapping POSIX ACLs to
Windows ACLs, not enforcing additional restrictions on top
of it. POSIX allows the owner of a directory to change its
ACL; probably this is what you see here.

Volker
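The reply above comes down to a single POSIX rule: whoever owns a directory can rewrite its ACL, and Samba passes that straight through to the Windows security dialog. A practical defender's check is therefore to audit which directories under the share are owned by someone other than the administrative accounts, since those are exactly the ones a non-admin share user could re-ACL from Windows. The script below is an added example written for this page, not code from the thread or from the Samba project; it assumes you know the set of administrative UIDs on the NAS (passed in as `admin_uids`) and builds a small throwaway directory tree as constructed sample data so it runs offline.

```python
import os
import tempfile
from typing import List, Set


def owner_uid(path: str) -> int:
    """Return the numeric owner of path without following symlinks."""
    return os.lstat(path).st_uid


def find_non_admin_owned_dirs(share_root: str, admin_uids: Set[int]) -> List[str]:
    """Walk share_root and return every directory whose owner is not an admin.

    Under POSIX the owner of a directory may change its mode/ACL regardless
    of the ACL entries themselves, and Samba maps that straight through to
    the Windows security tab. Each path returned here is one that a
    non-administrative share user could re-ACL from a Windows client.
    """
    flagged = []
    # followlinks=False (the default) keeps the walk inside the share tree
    for dirpath, _dirnames, _filenames in os.walk(share_root):
        if owner_uid(dirpath) not in admin_uids:
            flagged.append(dirpath)
    return sorted(flagged)


def build_demo_share() -> str:
    """Create a constructed sample share tree in a temp dir and return its root.

    Layout (hypothetical, for demonstration only):
        <root>/secure/reports   # the 'secure' sub-folder from the thread
        <root>/public
    Every directory is owned by the current user, so it plays the role of
    a share user who created sub-folders and therefore owns them.
    """
    root = tempfile.mkdtemp(prefix="samba-acl-demo-")
    for sub in ("secure", os.path.join("secure", "reports"), "public"):
        os.makedirs(os.path.join(root, sub))
    return root


if __name__ == "__main__":
    root = build_demo_share()
    # Assumption: uid 0 (root) is the NAS administrator account.
    admin_uids = {0}
    for d in find_non_admin_owned_dirs(root, admin_uids):
        print(f"re-ACL-able by its non-admin owner (uid {owner_uid(d)}): {d}")
```

Run it against the real share root instead of the demo tree to get the list of sub-folders whose ACLs a share user can change from Windows; once those directories are owned by an administrative account, the POSIX owner rule the reply describes no longer applies to the share users.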

