[Samba] Restricting samba subfolder acl changes to admin users

[suresh.kandukuru at emc.com]

Volker I will send the log,
  why it does not matter here if user1 is owner of the subfolder and has read only access on it?.
my Q is though user1 has read only access on subfolder "testsubfldr", he is able to change it to the write , since user1 has write access on the share.
cannot samba disallow acl changes on the subfolder "testsufldr"  for the user user1  since has read access for it , though he has write access on the share?.

Thanks
Suresh
 

-----Original Message-----
From: Volker Lendecke [mailto:Volker.Lendecke at SerNet.DE] 
Sent: Friday, October 15, 2010 4:51 PM
To: Kandukuru, Suresh
Cc: samba at lists.samba.org; jra at samba.org
Subject: Re: [Samba] Restricting samba subfolder acl changes to admin users

On Fri, Oct 15, 2010 at 07:09:02AM -0400, suresh.kandukuru at emc.com wrote:
> once final Q is ,I have admin user in NAS . for a share
> "test" , he has given write access to user "user1 " and
> read access for a  subfolder -> "testsubdir" in share
> "test" .
> when user1 logged into share  "test",  he could not write
> into "testsubdir". obviously it is because he has read
> access on the folder an most restrictive access will be
> effective.
> 
> and the problem is since the user1 has write access to
> share , he is able to change the  read access on the sub
> folder by himself. why samba is allowing this ? since
> effectively user1 has read access on the sub folder
> "testsubdir" it should deny acl changes on that right?.

Who is the file owner of "testsubdir"? You can find out who
is the owner with the command "ls -ld testsubdir". If user1
is the owner, then it does not matter if user1 has only read
access. If user1 is not the owner, then we might have a bug
in Samba. Please send us your smb.conf configuration file
and a debug level 10 log of the smbd allowing this
operation.

Thanks in advance,

Volker Lendecke