[Samba] prevent users to change rights ...

Meike Stone meike.stone at googlemail.com
Thu Oct 23 06:49:53 MDT 2014


Hello,

I want to prevent users from changing file/directory rights and haven't
found any possible solution.
Setup:
---------
* Samba 3.6.3
* using LDAP for users and groups

Config:
----------

        workgroup = Samba
        security = user

        ldap admin dn = uid=samba_user,cn=admin,o=company,c=net
        passdb backend = ldapsam:ldap://ldap01.company.net
        ldap suffix = cn=users,o=company,c=net
        ldap user suffix = cn=accounts
        ldap group suffix = cn=groups
        ldap passwd sync = No


Requirements:
---------------------
I have one share "projects". In the configured path for the share are
different folders, for each project
one folder.
Each folder gets two ACLs on creation, a default ACL and the setgid bit:
- one dedicated read/only group
- one dedicated read/write group

Example:
getfacl Project_B
# file: Project_B
# owner: root
# group: root
# flags: -s-
user::rwx
group::rwx
group:Project_B_W:rwx
group:Project_B_R:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:Project_B_W:rwx
default:group:Project_B_R:r-x
default:mask::rwx
default:other::---

These groups contain the users, as defined by the project owner.

The complete setup is working well in different possible
configurations, but I could not prevent the users (from the write group)
from changing the ACLs in (a self-created folder) underneath the
project folder.

1) If I configure a "normal" share, smbd will run with user rights, so
all directories and files created by the user are owned by him.
The owner can change rights ...

2) If I configure "inherit owner = yes", smbd runs as root
and the owner (group/user) is inherited from the project folder.
  But the user connected to that share can change the rights as well.
(This is also not the preferred solution, because nobody knows the
creator.)

3) Using "directory security mask" and "force directory security mode" is
not possible with different ACLs, because it bulldozes all permissions
for the different ACLs to the same value ...


Is there any possibility to prevent users from changing rights in this context?


Thanks Meike
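Whatever the share configuration ends up being, the one thing that can always be done with the setup above is to detect ACL drift: walk the project tree, take the project folder's default ACL as the template, and flag every file or directory whose inherited entries no longer match it. The script below does that. It is an added example, not code from the original post or from Samba. It parses the text format of `getfacl -R` exactly as printed above (including the `#effective:` annotations getfacl adds when a mask narrows an entry), compares only the entries a default ACL copies verbatim to children (named user/group entries and `other`), and ignores `user::`, `group::` and `mask::`, which are recomputed from each object's creation mode and would otherwise produce false positives. The sample dump is constructed: the `Project_B` stanza and its groups are from the post, the child paths, the owner `alice` and the extra user `bob` are invented for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample of `getfacl -R Project_B`: first stanza from the post, children invented.
SAMPLE_DUMP = """\
# file: Project_B
# owner: root
# group: root
# flags: -s-
user::rwx
group::rwx
group:Project_B_W:rwx
group:Project_B_R:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:Project_B_W:rwx
default:group:Project_B_R:r-x
default:mask::rwx
default:other::---

# file: Project_B/plan.txt
# owner: alice
# group: root
user::rw-
group::rwx\t\t\t#effective:rw-
group:Project_B_W:rwx\t\t#effective:rw-
group:Project_B_R:r-x\t\t#effective:r--
mask::rw-
other::---

# file: Project_B/private
# owner: alice
# group: root
user::rwx
group::rwx
user:bob:rwx
group:Project_B_W:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:Project_B_W:rwx
default:mask::rwx
default:other::---
"""


@dataclass
class AclBlock:
    path: str
    access: Dict[str, str] = field(default_factory=dict)   # "group:Project_B_W" -> "rwx"
    default: Dict[str, str] = field(default_factory=dict)  # the default: entries, same keys

def parse_getfacl(text: str) -> List[AclBlock]:
    """One AclBlock per "# file:" stanza of getfacl output."""
    blocks: List[AclBlock] = []
    for raw in text.splitlines():
        # getfacl appends "#effective:..." where the mask narrows an entry; the
        # stored entry is what gets inherited and compared, so drop the annotation.
        line = raw.split("#effective:")[0].rstrip()
        if line.startswith("# file: "):
            blocks.append(AclBlock(path=line[len("# file: "):]))
        elif not line or line.startswith("#"):
            continue                          # blank, "# owner:", "# group:", "# flags:"
        else:
            target = blocks[-1].access
            if line.startswith("default:"):
                target, line = blocks[-1].default, line[len("default:"):]
            tag, qualifier, perms = line.split(":")
            target[f"{tag}:{qualifier}"] = perms
    return blocks

def inherited(entries: Dict[str, str]) -> Dict[str, str]:
    # user::, group:: and mask:: are recomputed from each object's creation mode
    # (a file gets user::rw- under default:user::rwx), so comparing them gives only
    # false positives; named user/group entries and other:: are copied verbatim.
    return {k: v for k, v in entries.items()
            if k.split(":", 1)[1] != "" or k.startswith("other:")}

def diff_entries(kind: str, expected: Dict[str, str], actual: Dict[str, str]) -> List[str]:
    return [f"{kind} {k}: expected {expected.get(k)}, found {actual.get(k)}"
            for k in sorted(set(expected) | set(actual)) if expected.get(k) != actual.get(k)]

def audit(blocks: List[AclBlock]) -> List[Tuple[str, str]]:
    """(path, message) per deviation; `getfacl -R dir` lists dir itself first."""
    template = inherited(blocks[0].default)
    findings: List[Tuple[str, str]] = []
    for b in blocks[1:]:
        msgs = diff_entries("access", template, inherited(b.access))
        if b.default:  # plain files carry no default ACL; check it only where present
            msgs += diff_entries("default", template, inherited(b.default))
        findings.extend((b.path, m) for m in msgs)
    return findings

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for path, msg in audit(parse_getfacl(text)):
        print(f"{path}: {msg}")
```

Against the constructed dump it reports three deviations, all on `Project_B/private`: the read group was dropped from the access ACL and from the default ACL, and `user:bob` was added. Run as `getfacl -R Project_B | python3 audit_acl.py` (file name assumed) from cron to catch such changes after the fact. One caveat with the text format: a directory whose default entries were removed entirely looks like a plain file here, so when running against a live tree, add an `os.path.isdir` check and report an empty default ACL on a directory as a finding too.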

