[Samba] Restricting samba subfolder acl changes to admin users

suresh.kandukuru at emc.com suresh.kandukuru at emc.com
Thu Oct 14 00:36:09 MDT 2010


Volker,
  Thanks for the quick response. Is there any way to restrict this? Like, instead of allowing all who have write access on the share to change subfolder ACLs in it, can we allow only admin users in NAS and AD administrators in Windows to do this?

Any workaround?

Thanks again,
Suresh

-----Original Message-----
From: Volker Lendecke [mailto:Volker.Lendecke at SerNet.DE] 
Sent: Thursday, October 14, 2010 11:56 AM
To: Kandukuru, Suresh
Cc: samba at lists.samba.org
Subject: Re: [Samba] Restricting samba subfolder acl changes to admin users

On Thu, Oct 14, 2010 at 12:54:59AM -0400, suresh.kandukuru at emc.com wrote:
>   What I noticed from the below example is, any user who
>   has write access to the share is able to change sub folder
>   ACLs in it.  We don't want that. How to restrict this to
>   only admin users in NAS and to AD administrator in
>   Windows?
> 
> Please help.
> 
> ----------------
> 
> 1)      Import user from W2K3 R2 Server and set up a secure share.  User has Read/Write access.
> 
> 2)      Create sub-folder and set Read.
> 
> 3)      Log in as user on Windows 7 workstation using AD users credentials.
> 
> 4)      Map to share and write files to share - OK as expected.
> 
> 5)      Change directory to sub-folder and write files to sub-folder - write denied as expected.
> 
> 6)      As AD user right click on sub-folder and enter properties, security.  Attempt to change R/O rights.  Successfully changed - Not expected behavior, only Administrator of NAS, Administrator of AD or member of AD Admin group should be able to change rights on secure sub-folders.

Assuming you're using pure posix ACLs, this is expected
behaviour. It is an artifact of Samba mapping Posix ACLs to
Windows ACLs, not enforcing additional restrictions on top
of it. Posix allows the owner of a directory to change its
ACL, probably this is what you see here.

Volker
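The POSIX rule Volker points to (the owner of a directory, or root, may rewrite its mode and ACL whatever the write bits say) is easy to see on the NAS itself, and it also suggests the defender's check: list every directory under the share whose owner is not an admin account, since those are exactly the subfolders whose ACLs a non-admin can change through Samba. The script below is an added example, not code from the thread or from Samba; it assumes a POSIX host, and the share tree it audits is a constructed temporary directory, not a real share.

```python
import os
import stat
import tempfile


def audit_share(root, admin_uids):
    """Walk `root` and return (path, uid) for every directory whose owner is
    not one of `admin_uids`.

    Under POSIX, the owner of a directory (or uid 0 / CAP_FOWNER) may change
    its permission bits and ACL regardless of the write bits, so each entry
    returned here is a subfolder whose ACL a non-admin user can rewrite from
    the Windows security tab, which is the behaviour described in the thread.
    """
    offenders = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        st = os.stat(dirpath)
        if st.st_uid not in admin_uids:
            offenders.append((dirpath, st.st_uid))
    return sorted(offenders)


def owner_can_change_mode(path):
    """Reproduce step 6 of the report on the POSIX side: make the directory
    read-only, then try to change its mode again as the same (owning) user.

    Returns True when the change succeeds, i.e. when the owner can still
    alter permissions of a directory that is read-only for them.  The
    original mode is restored afterwards.
    """
    original_mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, 0o555)  # "set Read": read-only for everyone, owner included
    try:
        os.chmod(path, 0o755)  # the owner (or root) is still allowed to do this
        return True
    except PermissionError:
        return False
    finally:
        os.chmod(path, original_mode)


def build_sample_share():
    """Constructed sample share tree (not from the thread): a root with a
    'public' folder and a 'secure' folder containing 'reports'."""
    root = tempfile.mkdtemp(prefix="samba-share-")
    for name in ("public", "secure", os.path.join("secure", "reports")):
        os.makedirs(os.path.join(root, name))
    return root


if __name__ == "__main__":
    share = build_sample_share()
    # Treat the current user as the only NAS admin: nothing is reported.
    print("dirs owned by non-admins:", audit_share(share, {os.getuid()}))
    # Treat nobody as admin: every directory is reported, as it is owned
    # by the user who created it.
    print("dirs owned by non-admins:", audit_share(share, set()))
    print("owner can re-chmod a read-only subfolder:",
          owner_can_change_mode(os.path.join(share, "secure")))
```

Run against a real share root with the admin uids of the NAS (for example `{0}` plus the uid of the account that is supposed to manage ACLs), the audit lists the subfolders that were created, and are therefore owned, by ordinary users. Those are the ones whose ACLs the thread is worried about; making sure such directories end up owned by an admin account, rather than by whoever created them, removes the owner's POSIX right to rewrite the ACL.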


