[Samba] Restricting samba subfolder acl changes to admin users

Jeremy Allison jra at samba.org
Mon Oct 25 16:16:26 MDT 2010

On Mon, Oct 18, 2010 at 12:12:55AM -0400, suresh.kandukuru at emc.com wrote:
> Thanks Jeremy and Volker. Clarified  some of points.still little bit confusion for me.
> so, in summary if a user can change ACL, if he has write acess on the share and the ownership on subfolders / files inside it.
> here is is my test.
> 1) created share "test" , given write access to it for "admin", "user1" users.
> 2) connected to share with admin user and created sub folder "test_subfldr" in it. and given read access to user1 user
> .
> output of getfacl
> ------------
> root at storage:/mnt/soho_storage/samba/shares/SP0/test# getfacl test_subfldr/
> # file: test_subfldr/
> # owner: admin
> # group: users
> user::rwx
> user:user1:r-x
> group::rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:user1:r-x
> default:group::---
> default:mask::rwx
> default:other::---
> root at storage:/mnt/soho_storage/samba/shares/SP0/test#
> ------------------
> 4) connected to test share with user1 , could not write into test_subfldr. and user1 has changed  acl settings  on test_subfldr to write access .
> why samba is allowing this? Though user1 has write access to share , he is not the  owner of test_subfldr/.(admin is the owner for this) . user1 effectivly has  read access on the test_subfldr.
> attached smb.conf  for your reference.

Ok, started to look at this. Thanks for your

What are the getfacl permissions on the folder:


I need to see the output from:

getfacl /mnt/soho_storage/samba/shares/SP0/test

and also please send me (privately if you wish)
a debug level 10 log from smbd when user1 connects
to the test share and changes the acl setting
on test_subfldr.



More information about the samba mailing list