[Samba] SeDiskOperatorPrivilege

Stuart Naylor stuartiannaylor at thursbygarden.org
Sat Apr 12 20:31:49 MDT 2014


I am not sure about SeDiskOperatorPrivilege

As I have run through various setups

senet4.1.6 with ext4 /home

senet4.1.6 with btrfs /home

senet4.1.6 with btrfs subvolume /home

and various others of domain level and with or without rfc2307

With http://wiki.samba.org/index.php/Setting_up_a_home_share I have never needed to set SeDiskOperatorPrivilege; it works on all without being set. Unless it is now the default?

As soon as you enable server side copies, i.e. declare vfs objects = btrfs, things get a bit weird with the permissions.

Again with http://wiki.samba.org/index.php/ when setting the disk permissions for home, no matter how many times you try to delete the groups (everybody, creatorgroup and an unknown) they just reappear.
Also, changes to the permissions of the correct groups don't stick either.

Typically for me, server side copies were the last thing I tried, after successful attempts on a plethora of setup configurations.


-----Original message-----
> From:Stuart Naylor <stuartiannaylor at thursbygarden.org>
> Sent: Friday 11th April 2014 20:58
> To: samba at lists.samba.org
> Subject: Re: [Samba] SeDiskOperatorPrivilege
> 
> 
> It's always a bit weird but user files are their own. The sysadmin in an M$ world cannot snoop the MD's files. Unless you take ownership.
> 
> I am having problems with privileges, not sure what I am doing wrong and it might be btrfs as a backend.
> 
> I can't remove the unix account or creator group or everyone. When I do, they mysteriously return.
> 
> Anyone the same?
> 
> Going to knock up a few Debians with ext4 and btrfs and see if I can work out what causes the problem.
> 
>  
>  
> -----Original message-----
> > From:samba.20.andwin at spamgourmet.com <samba.20.andwin at spamgourmet.com>
> > Sent: Friday 11th April 2014 18:32
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] SeDiskOperatorPrivilege
> > 
> > Hi David,
> > 
> > many thanks for your detailed reply, it is very helpful. Please see my
> > comments inline below.
> > 
> > On Fri, Apr 11, 2014 at 6:54 PM, david.lloyd at fsmail.net
> > <samba.andwin.1ce7df1cf6.david.lloyd#fsmail.net at ob.0sg.net> wrote:
> > >
> > > 1) That is correct.  To modify the DACL on a file, a user must have "Full Control" or more specifically the "Change Permissions" access right to the file.  To avoid locking a file out completely, there is a get-out-of-jail-free card: the *owner* of a file can always set the DACL.  So to change an arbitrary DACL you need to take ownership first.
> > 
> > Thanks, this makes perfect sense to me now.
> > 
> > > Normally though, the Built-in Administrators group has "Full Control" of most files on a system, so I would guess that either that isn't the case for your files, or your Domain Administrators group is not in the Administrators group of your machine.
> > 
> > My misunderstanding was that the SeDiskOperatorPrivilege would give a
> > user the ability to change file DACLs regardless of current ownership
> > and permissions.
> > I've set up a new machine with the Samba 4.1.6 Member Server and I've
> > copied the files from the old machine via rsync to the new machine.
> > These files do have arbitrary owners now. My plan was to set up the
> > DACLs for these files and folders using the Windows dialogs. I guess I
> > will have to chown all of them to MYDOM\administrator to be able to do
> > this.
> > 
> > > 2) The File Share permission is an additional ACL for SMB network access to the machine.  The ACL on a file may be "Everyone Read/Write", but the ACL on the share may be "Fred Read-Only".  If Fred logs into the machine, he can read and write the file.  If he accesses over the network from a remote machine he will only get read access.
> > 
> > a) 'If Fred logs into the machine': does this mean that Fred logs into
> > the Linux server running Samba as the Member Server and that in this
> > case the Share permissions do not apply?
> > b) 'If he accesses over the network': This is what usually happens at
> > our site. Does this mean that in this case the Share permissions
> > constitute an upper bound for all file/folder DACLs? Would it be
> > appropriate to apply 'Everyone Full Control' for the shares, given
> > that the DACLs are correctly set?
> > 
> > Best regards
> > Andreas
> > 
> > >
> > > The SeDiskOperatorPrivilege also allows a user to open new network shares, so it's pretty important to only give it to users who need it.
> > >
> > > Note that the above all applies to Windows, or over the Samba SMB network, rather than poking directly at the files from the Linux command-line...
> > >
> > > I hope that helps,
> > >
> > > David L
> > 
> > 
> > 
> 
> 
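A small model of the two rules David L sets out in the quoted thread: over SMB the share ACL is an upper bound on the file DACL, and rewriting a DACL needs "Change Permissions" or ownership, which SeDiskOperatorPrivilege does not grant (it only allows creating shares). This is an added example written for this page, not Samba's code; the principal names, rights sets and the FILE_DACL/SHARE_ACL sample are constructed.

```python
# Added example, not Samba code: a model of the two access rules David L
# describes in the thread. Over SMB the share ACL bounds the file DACL;
# rewriting a DACL needs "Change Permissions" or ownership, and the
# SeDiskOperatorPrivilege only adds the right to create shares.
READ, WRITE, WRITE_DAC = "read", "write", "change_permissions"
FULL_CONTROL = frozenset({READ, WRITE, WRITE_DAC})


def rights_for(acl, user, groups):
    """Union of the rights an ACL grants to the user or any of its groups."""
    granted = set()
    for principal, rights in acl.items():
        if principal == user or principal in groups:
            granted |= rights
    return frozenset(granted)


def effective_access(file_dacl, share_acl, user, groups, via_network):
    """Local logon: only the file DACL counts. Over the network the share
    ACL is an upper bound, so the result is the intersection of both."""
    file_rights = rights_for(file_dacl, user, groups)
    if not via_network:
        return file_rights
    return file_rights & rights_for(share_acl, user, groups)


def can_edit_dacl(file_dacl, owner, user, groups):
    """The owner can always rewrite the DACL; anyone else needs the
    'Change Permissions' right on the file itself."""
    if user == owner:
        return True
    return WRITE_DAC in rights_for(file_dacl, user, groups)


def can_create_share(privileges):
    """What SeDiskOperatorPrivilege does buy: opening new network shares."""
    return "SeDiskOperatorPrivilege" in privileges


# Constructed sample mirroring the thread's example: the file is
# Everyone Read/Write, the share grants Fred read access only.
FILE_DACL = {"Everyone": frozenset({READ, WRITE}),
             "MYDOM\\administrator": FULL_CONTROL}
SHARE_ACL = {"Fred": frozenset({READ})}

if __name__ == "__main__":
    fred = ("Fred", {"Everyone"})
    print("Fred over SMB:", sorted(effective_access(FILE_DACL, SHARE_ACL, *fred, True)))
    print("Fred local:", sorted(effective_access(FILE_DACL, SHARE_ACL, *fred, False)))
    print("Fred may edit DACL:", can_edit_dacl(FILE_DACL, "MYDOM\\administrator", *fred))
```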