[Samba] prevent users to change rights ...

Dale Schroeder dale at BriannasSaladDressing.com
Thu Oct 23 12:14:07 MDT 2014


Meike,

If you are referring to permission changes from a Windows machine, then 
"nt acl support = No" on the share will remove the Security tab from the 
file/directory properties window, making it impossible to change 
permissions via the GUI.

Dale


On 10/23/2014 7:49 AM, Meike Stone wrote:
> Hello,
>
> I want to prevent users from changing file/directory rights and haven't
> found any possible solution.
> Setup:
> ---------
> * Samba 3.6.3
> * using LDAP for users and groups
>
> Config:
> ----------
>
>          workgroup = Samba
>          security = user
>
>          ldap admin dn = uid=samba_user,cn=admin,o=company,c=net
>          passdb backend = ldapsam:ldap://ldap01.company.net
>          ldap suffix = cn=users,o=company,c=net
>          ldap user suffix = cn=accounts
>          ldap group suffix = cn=groups
>          ldap passwd sync = No
>
>
> Requirements:
> ---------------------
> I have one share "projects". In the configured path for the share are
> different folders, for each project
> one folder.
> Each folder gets on creation two ACLs, a default ACL and the GUID bit:
> - one dedicated read/only group
> - one dedicated read/write group
>
> Example:
> getfacl Project_B
> # file: Project_B
> # owner: root
> # group: root
> # flags: -s-
> user::rwx
> group::rwx
> group:Project_B_W:rwx
> group:Project_B_R:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:group::rwx
> default:group:Project_B_W:rwx
> default:group:Project_B_R:r-x
> default:mask::rwx
> default:other::---
>
> These groups include the users, as defined by the project owner.
>
> The complete setup is working well in different possible
> configurations, but I could not prevent the users (from the write group)
> from changing the ACLs in (a self-created folder) underneath the
> project folder.
>
> 1) If I configure a "normal" share, smbd will run with user rights. So
> all directories and files created by user are owned by him.
> The owner can change rights ...
>
> 2) If I configure "inherit owner = yes", the smbd is running as root
> and the owner (group/user) is inherited from project folder.
>    But the user connected to that share can change the rights as well.
> (this is also not the preferred solution, because nobody knows the
> creator)
>
> 3) Using "directory security mask", "force directory security mode" is
> not possible with different ACLs, because it bulldozes all permissions
> for the different ACLs to the same value ...
>
>
> Is there any possibility to prevent users from changing rights in this context?
>
>
> Thanks Meike
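
Added example, not part of the original thread or of Samba: a check that reads `getfacl` output for a project tree and reports sub-folders whose named group/user entries no longer match the project folder, the kind of change the question wants to prevent. It assumes the output covers directories only; the user `alice`, the sub-folder names and the sample text are constructed, and owner, mask and other entries are ignored because they vary with the create mode.

```python
# Added example: flag ACL drift below a project folder; sample data is constructed.

def parse_getfacl(text):
    """Map each path in getfacl output to its set of ACL entries."""
    acls, path = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# file:"):
            path = line.split(":", 1)[1].strip()
            acls[path] = set()
        elif line and not line.startswith("#") and path is not None:
            # getfacl may append "#effective:..." after an entry; drop it.
            acls[path].add(line.split("#", 1)[0].strip())
    return acls

def named(entries):
    """Keep named user/group entries; owner, mask and other vary with the create mode."""
    keep = set()
    for entry in entries:
        fields = entry.split(":")
        # Named entries: [default:]user|group:NAME:perms with a non-empty NAME.
        if len(fields) >= 3 and fields[-3] in ("user", "group") and fields[-2]:
            keep.add(entry)
    return keep

def find_drift(acls, root):
    """Return {path: (missing, extra)} where named entries differ from root's."""
    base = named(acls[root])
    return {path: (sorted(base - named(e)), sorted(named(e) - base))
            for path, e in acls.items() if named(e) != base}

def sample(path, owner, access):
    """Build constructed getfacl text: access entries plus matching default: entries."""
    head = [f"# file: {path}", f"# owner: {owner}", "# group: root", "# flags: -s-"]
    return "\n".join(head + access + ["default:" + a for a in access]) + "\n\n"

ROOT = ["user::rwx", "group::rwx", "group:Project_B_W:rwx",
        "group:Project_B_R:r-x", "mask::rwx", "other::---"]
# Same named entries, tighter mask: not drift.
CLEAN = ["user::rwx", "group::rwx\t#effective:r-x", "group:Project_B_W:rwx\t#effective:r-x",
         "group:Project_B_R:r-x", "mask::r-x", "other::---"]
# Read-only group widened to rwx by the folder's creator: drift.
WIDENED = [a.replace("Project_B_R:r-x", "Project_B_R:rwx") for a in ROOT]
TEXT = (sample("Project_B", "root", ROOT) + sample("Project_B/reports", "alice", CLEAN)
        + sample("Project_B/drafts", "alice", WIDENED))

if __name__ == "__main__":
    for path, (missing, extra) in find_drift(parse_getfacl(TEXT), "Project_B").items():
        print(f"{path}: missing={missing} extra={extra}")
```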


