[Samba] prevent users to change rights ...
meike.stone at googlemail.com
Thu Oct 23 06:49:53 MDT 2014
I want to prevent users from changing file/directory rights and haven't
found any possible solution.
* Samba 3.6.3
* using LDAP for users and groups
workgroup = Samba
security = user
ldap admin dn = uid=samba_user,cn=admin,o=company,c=net
passdb backend = ldapsam:ldap://ldap01.company.net
ldap suffix = cn=users,o=company,c=net
ldap user suffix = cn=accounts
ldap group suffix = cn=groups
ldap passwd sync = No
I have one share "projects". In the configured path for the share are
different folders, one for each project.
Each folder gets on creation two ACLs, a default ACL and the GUID bit:
- one dedicated read/only group
- one dedicated read/write group
# file: Project_B
# owner: root
# group: root
# flags: -s-
These groups include the users, as defined by the project owner.
The complete setup is working well in different possible
configurations, but I could not prevent the users (from the write group)
from changing the ACLs in (a self-created folder) underneath of the
1) If I configure a "normal" share, smbd will run with user rights. So
all directories and files created by a user are owned by him.
The owner can change rights ...
2) If I configure "inherit owner = yes", the smbd is running as root
and the owner (group/user) is inherited from project folder.
But the user connected to that share can change the rights as well.
(this is also not the preferred solution, because nobody knows the
3) Using "directory security mask", "force directory security mode" is
not possible with different ACLs, because it bulldozes all permissions
for the different ACLs to the same value ...
Is there any possibility to prevent users from changing rights in this context?
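
Added example, not part of the original message: the setup described above gives each project folder a default ACL, so one way to notice that rights were changed on a folder a user created is to compare each path's access ACL with the project folder's default ACL. The code parses `getfacl -R` output and reports entries that grant more than that baseline or drop a named group; the sample dump, the group names and the function names are constructed for illustration.

```python
# Constructed, abridged `getfacl -R` output; group names are hypothetical.
SAMPLE = """\
# file: Project_B
# owner: root
# group: root
# flags: -s-
group:proj_b_ro:r-x
group:proj_b_rw:rwx
other::---
default:group:proj_b_ro:r-x
default:group:proj_b_rw:rwx
default:other::---

# file: Project_B/drafts
group:proj_b_ro:rwx\t#effective:rwx
group:friends:rwx
mask::rwx
other::r-x
"""

def parse_getfacl(text):
    """Return {path: {"access": {(tag, name): perms}, "default": {...}}}."""
    acls, cur = {}, None
    for raw in text.splitlines():
        if raw.startswith("# file: "):
            cur = acls.setdefault(raw[8:], {"access": {}, "default": {}})
        line = raw.split("#", 1)[0].strip()  # drops headers and "#effective" notes
        if line and cur is not None:
            kind = "default" if line.startswith("default:") else "access"
            tag, name, perms = (line[8:] if kind == "default" else line).split(":")
            cur[kind][(tag, name)] = perms
    return acls

def acl_drift(acls, root):
    """Report paths whose access ACL widens or drops entries of root's default ACL."""
    base, report = acls[root]["default"], {}
    for path, acl in acls.items():
        issues = []
        for (tag, name), perms in acl["access"].items():
            if not name and tag != "other":
                continue  # owner entries and mask depend on the create mode
            allowed = base.get((tag, name), "---")
            if any(p != "-" and a == "-" for p, a in zip(perms, allowed)):
                issues.append(("widened", f"{tag}:{name}:{perms}"))
        issues += [("removed", f"{t}:{n}") for (t, n) in base
                   if n and (t, n) not in acl["access"]]
        if issues and path != root:
            report[path] = issues
    return report
```

Calling `acl_drift(parse_getfacl(dump), "Project_B")` on a dump taken over the share path returns a dictionary keyed by the paths that differ from the baseline.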