[Samba] SeDiskOperatorPrivilege

samba.20.andwin at spamgourmet.com
Fri Apr 11 11:32:29 MDT 2014


Hi David,

many thanks for your detailed reply, it is very helpful. Please see my
comments inline below.

On Fri, Apr 11, 2014 at 6:54 PM, david.lloyd at fsmail.net
<samba.andwin.1ce7df1cf6.david.lloyd#fsmail.net at ob.0sg.net> wrote:
>
> 1) That is correct.  To modify the DACL on a file, a user must have "Full Control" or more specifically the "Change Permissions" access right to the file.  To avoid locking a file out completely, there is a get-out-of-jail-free card: the *owner* of a file can always set the DACL.  So to change an arbitrary DACL you need to take ownership first.

Thanks, this makes perfect sense to me now.

> Normally though, the Built-in Administrators group has "Full Control" of most files on a system, so I would guess that either that isn't the case for your files, or your Domain Administrators group is not in the Administrators group of your machine.

My misunderstanding was that the SeDiskOperatorPrivilege would give a
user the ability to change file DACLs regardless of current ownership
and permissions.
I've set up a new machine with the Samba 4.1.6 Member Server and I've
copied the files from the old machine via rsync to the new machine.
These files do have arbitrary owners now. My plan was to set up the
DACLs for these files and folders using the Windows dialogs. I guess I
will have to chown all of them to MYDOM\administrator to be able to do
this.

> 2) The File Share permission is an additional ACL for SMB network access to the machine.  The ACL on a file may be "Everyone Read/Write", but the ACL on the share may be "Fred Read-Only".  If Fred logs into the machine, he can read and write the file.  If he accesses over the network from a remote machine he will only get read access.

a) 'If Fred logs into the machine': does this mean that Fred logs into
the Linux server running Samba as the Member Server and that in this
case the Share permissions do not apply?
b) 'If he accesses over the network': This is what usually happens at
our site. Does this mean that in this case the Share permissions
constitute an upper bound for all file/folder DACLs? Would it be
appropriate to apply 'Everyone Full Control' for the shares, given
that the DACLs are correctly set?

Best regards
Andreas

>
> The SeDiskOperatorPrivilege also allows a user to open new network shares, so it's pretty important to only give it to users who need it.
>
> Note that the above all applies to Windows, or over the Samba SMB network, rather than poking directly at the files from the Linux command-line...
>
> I hope that helps,
>
> David L
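The two rules David describes (the owner can always rewrite a file's DACL, and over SMB the share ACL is intersected with the file ACL) can be made concrete with a small model. The following is an added illustration for this thread, not Samba's or Windows' access-check code; the principals, the file owner "someuser", the share ACL and the rights names are constructed for the example, and deny entries are deliberately not modelled.

```python
# Toy model of the two access checks discussed in the thread (added example,
# not Samba's or Windows' code). Simplifications: allow-only ACLs, no deny
# entries, rights represented as plain strings.
from dataclasses import dataclass

READ, WRITE, WRITE_DAC, WRITE_OWNER = "READ", "WRITE", "WRITE_DAC", "WRITE_OWNER"
# "Full Control" on a file includes Change Permissions (WRITE_DAC) and
# Take Ownership (WRITE_OWNER).
FULL_CONTROL = frozenset({READ, WRITE, WRITE_DAC, WRITE_OWNER})
SE_DISK_OPERATOR = "SeDiskOperatorPrivilege"


@dataclass
class Principal:
    name: str
    groups: frozenset = frozenset()
    privileges: frozenset = frozenset()


@dataclass
class FileObject:
    owner: str
    dacl: dict  # trustee name -> set of rights (allow entries only)


def granted_rights(acl: dict, user: Principal) -> set:
    """Union of rights the ACL grants to the user, their groups and Everyone."""
    rights = set()
    for trustee in (user.name, *user.groups, "Everyone"):
        rights |= set(acl.get(trustee, ()))
    return rights


def file_rights(user: Principal, f: FileObject) -> set:
    """Rule 1: the owner can always change the DACL, whatever the DACL says."""
    rights = granted_rights(f.dacl, user)
    if f.owner == user.name:
        rights.add(WRITE_DAC)
    return rights


def effective_rights(user: Principal, f: FileObject, share_acl: dict = None) -> set:
    """Rule 2: over SMB the share ACL is intersected with the file rights.
    share_acl=None models a logon on the server itself, where no share
    ACL is consulted."""
    rights = file_rights(user, f)
    if share_acl is not None:
        rights &= granted_rights(share_acl, user)
    return rights


def can_change_dacl(user: Principal, f: FileObject, share_acl: dict = None) -> bool:
    return WRITE_DAC in effective_rights(user, f, share_acl)


def take_ownership(user: Principal, f: FileObject, share_acl: dict = None) -> bool:
    """Take Ownership needs WRITE_OWNER; once owner, the DACL can be changed."""
    if WRITE_OWNER not in effective_rights(user, f, share_acl):
        return False
    f.owner = user.name
    return True


def can_add_share(user: Principal) -> bool:
    """What SeDiskOperatorPrivilege gates: creating shares, not editing DACLs."""
    return SE_DISK_OPERATOR in user.privileges


# Constructed scenario: Fred from the thread, plus an admin with the privilege
# looking at a file rsynced over with an arbitrary Unix owner.
fred = Principal("Fred")
admin = Principal("MYDOM\\administrator", groups=frozenset({"Administrators"}),
                  privileges=frozenset({SE_DISK_OPERATOR}))
doc = FileObject(owner="someuser", dacl={"Everyone": {READ, WRITE}})
share_acl = {"Fred": {READ}, "Administrators": set(FULL_CONTROL)}

if __name__ == "__main__":
    print("Fred, local logon:", sorted(effective_rights(fred, doc)))
    print("Fred, via SMB:   ", sorted(effective_rights(fred, doc, share_acl)))
    print("admin can change DACL via SMB:", can_change_dacl(admin, doc, share_acl))
    print("admin can take ownership:     ", take_ownership(admin, doc, share_acl))
    print("admin can add a share:        ", can_add_share(admin))
    doc.owner = admin.name  # the chown Andreas plans to do on the Linux side
    print("after chown, admin can change DACL:", can_change_dacl(admin, doc, share_acl))
```

With the share ACL set to "Everyone Full Control", the intersection step is a no-op and the effective rights over SMB equal the file rights, which is the sense in which the share ACL only ever acts as an upper bound. The model also shows why the privilege does not help with Andreas's rsynced files: `can_add_share` is the only check that consults it.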


