[Samba] Restricting samba subfolder acl changes to admin users

suresh.kandukuru at emc.com suresh.kandukuru at emc.com
Fri Oct 15 05:09:02 MDT 2010


Got it, Volker. Thanks.

One final question: I have an admin user in the NAS. For a share "test", he has given write access to user "user1" and read access for a subfolder "testsubdir" in share "test".
When user1 logged into share "test", he could not write into "testsubdir". Obviously it is because he has read access on the folder and the most restrictive access will be effective.

And the problem is, since user1 has write access to the share, he is able to change the read access on the subfolder by himself. Why is Samba allowing this? Since user1 effectively has read access on the subfolder "testsubdir", it should deny ACL changes on that, right?


Thanks
Suresh


-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Volker Lendecke
Sent: Friday, October 15, 2010 2:27 PM
To: Kandukuru, Suresh
Cc: samba at lists.samba.org; jra at samba.org
Subject: Re: [Samba] Restricting samba subfolder acl changes to admin users

On Fri, Oct 15, 2010 at 02:07:55AM -0400, suresh.kandukuru at emc.com wrote:
> Thanks, Volker. Adding Jeremy, as my manager told me to
> let the Samba team know that I am part of the EMC lifeline team,
> and some of the team members discussed some other Samba
> problems with Jeremy.
> 
> 
> Volker, if you don't mind, can you elaborate on this: if we
> make a share offline, how does the setting of ACLs go through
> the Samba source code?

When you make a folder available offline, then when a user
comes back and re-synchronizes his data, then the client
will set ACLs. I'm not sure how it reacts when you deny
that. The setting of ACLs comes into the Samba source
code in source3/smbd/nttrans.c, there we have the function
called call_nt_transact_set_security_desc. From there we end
up in set_sd and via the VFS we call SMB_VFS_FSET_NT_ACL,
which is by default the function set_nt_acl() in
smbd/posix_acls.c.

Hope that helps,

Volker