[Samba] Restricting samba subfolder acl changes to admin users

Volker Lendecke Volker.Lendecke at SerNet.DE
Fri Oct 15 07:42:40 MDT 2010

On Fri, Oct 15, 2010 at 09:28:30AM -0400, suresh.kandukuru at emc.com wrote:
> Why does it not matter here if user1 is the owner of the
> subfolder and has read-only access to it?
> My question is: though user1 has read-only access on the subfolder
> "testsubfldr", he is able to change it to write,
> since user1 has write access on the share.
> Cannot Samba disallow ACL changes on the subfolder
> "testsubfldr" for the user user1, since he has read access
> to it, though he has write access on the share?

Sorry, I'm lost here. Samba passes the Posix semantics of
chmod and setfacl 1:1 to the client. This means if you are
owner of the file and have general write access to the share
(not necessarily the file itself), chmod and getfacl are
allowed. This is just what Posix does. Quoting the susv3
definition for chmod:

> The application shall ensure that the effective user ID of
> the process matches the owner of the file or the process
> has appropriate privileges in order to do this.

This means that either the file owner or root can change an
ACL. To really understand what you mean, would it be
possible for you to send your smb.conf file and an "ls -la"
of all subdirectories that participate?

If you really only want to allow setting ACLs for a very
limited set of users, one possibility would be to export the
same share twice. Once for administrators with an
appropriate "valid users = @administrators" (or so) line,
and another share with exactly the same path setting, but
with "nt acl support = no". This is a very brute-force way
of denying all ACL setting. As I tried to point out in
previous mails, I would however recommend thoroughly testing
this setting with the applications you want to support.

Jeremy, maybe you can be of more help?

My English is probably just too limited to really give a
precise enough description of how smbd does what it does.
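As an added illustration (not part of Volker's mail), the two-share layout he describes could look like this in smb.conf; the share names, path and group name are assumptions:

```ini
; Constructed example smb.conf fragment, not from the original mail.
; The same directory is exported twice: one share for administrators,
; who keep the ability to set ACLs, and one for everyone else with the
; NT ACL interface switched off.

[data-admin]
   ; Assumed path and group name; adjust to your setup.
   path = /srv/data
   valid users = @administrators
   read only = no
   ; "nt acl support" defaults to yes, so file owners can still
   ; change permissions through this share as Posix allows.

[data]
   ; Same directory, exported for ordinary users.
   path = /srv/data
   read only = no
   ; Disables the NT ACL interface on this share, so clients cannot
   ; set ACLs here; test with your applications, as the mail advises.
   nt acl support = no
```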
