[Samba] Cannot change directory permissions

Felix Matouschek felix.matouschek at vipco.de
Fri Aug 7 12:12:23 UTC 2015


Hi Rowland,

Sorry, I hit the wrong reply button in the last answer.

So there is no other way than to use Windows ACLs?
I was told with our old systems (Samba 3 in non-domain mode) the behaviour I want to achieve was possible when only using ugo.

Greetings,
Felix

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: Friday, 7 August 2015 13:48
To: sambalist
Subject: Re: [Samba] Cannot change directory permissions

On 07/08/15 12:25, Felix Matouschek wrote:
> Hi Rowland,
>
>
> Regarding my permissions problem:
>
> Newly created files, no permission changes yet:
>
> ls -la:
>          drwxrwx---  3   fmatouschek vipco-users 4096 Aug  7 13:12 .
>          drwxr-xr-x   55 root                   vipco-users 4096 Aug  4 10:12 ..
>          drwxrwx---  2   fmatouschek vipco-users 4096 Aug  7 13:11 Directory
>         -rw-rw----     1   fmatouschek vipco-users 0        Aug  7 13:12 File.txt
>
> getfacl:
>          # file: .
>          # owner: fmatouschek
>          # group: vipco-users
>          user::rwx
>          group::rwx
>          other::---
>
> Ticking "write protected" on properties (both file and directory):
>
> ls -la:
>          drwxrwx---  3   fmatouschek vipco-users 4096 Aug  7 13:17 .
>          drwxr-xr-x   55 root                   vipco-users 4096 Aug  4 10:12 ..
>          drwxrwx---  2   fmatouschek vipco-users 4096 Aug  7 13:11 Directory
>          -r--r-----        1   fmatouschek vipco-users 0        Aug  7 13:12 File.txt
>
> getfacl:
>          # file: .
>          # owner: fmatouschek
>          # group: vipco-users
>          user::rwx
>          group::rwx
>          other::---
>
> Using the security tab:
>
> ls -la:
>          drwxrwx---     3   fmatouschek vipco-users 4096 Aug  7 13:20 .
>          drwxr-xr-x      55 root                   vipco-users 4096 Aug  4 10:12 ..
>          drwxrwx---+  2   fmatouschek vipco-users 4096 Aug  7 13:20 Directory
>          -r--rwx---+      1   fmatouschek vipco-users 0        Aug  7 13:20 File.txt
>
> getfacl:
>          # file: .
>          # owner: fmatouschek
>          # group: vipco-users
>          user::rwx
>          group::rwx
>          other::---
>
>          # file: Directory/
>          # owner: fmatouschek
>          # group: vipco-users
>          user::rwx
>          user:fmatouschek:rwx
>          group::rwx
>          group:vipco-users:rwx
>          mask::rwx
>          other::---
>          default:user::rwx
>          default:user:fmatouschek:r--
>          default:group::---
>          default:group:vipco-users:r--
>          default:mask::rwx
>          default:other::---
>
>          # file: File.txt
>          # owner: fmatouschek
>          # group: vipco-users
>          user::r--
>          user:fmatouschek:r--
>          group::r--
>          group:vipco-users:r--
>          mask::rwx
>          other::---
>
> According to this output only ticking write-protected on properties of a file does exactly what I want.
>
> Any ideas?
>
> Greetings,
> Felix
>
>

Taking this back on list where it belongs.

OK, you seem to understand Unix permissions, but anyway for those who don't:

Unix permissions are based on user:group:other, AKA ugo. These are expressed as the letters r, w, x: r means read, w means write, x means execute if a file and enter if it is a directory. These can be set with chmod and you can use the letters or numbers 1-7; to allow all permissions you could use chmod 777 /path/to/dir

Now we have that out of the way, I can tell you that no member of Domain Admins will be able to set anything on the directory from Windows because they don't have the permission to do so, either via Unix permissions or Windows ACLs. You need to use 'setfacl' to add the required permissions for Domain Admins, see 'man setfacl' for how to do this.

Rowland
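
An added example, not part of the original messages: a Python sketch that parses the `getfacl` output for File.txt quoted above and shows why `ls -la` prints `-r--rwx---+` although no entry grants write access. With an extended ACL the group column of `ls` shows the ACL mask, which only caps named-user and group entries. The function names are assumptions of this example.

```python
# Sample input: the File.txt entry from the thread, quote indentation removed.
SAMPLE = """\
# file: File.txt
# owner: fmatouschek
# group: vipco-users
user::r--
user:fmatouschek:r--
group::r--
group:vipco-users:r--
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Return (header dict, [(tag, qualifier, perms)]) for one file's access ACL."""
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# "):
            key, _, value = line[2:].partition(": ")
            header[key] = value
        elif line and not line.startswith("default:"):  # defaults only affect new children
            tag, qualifier, perms = line.split("#")[0].strip().split(":")
            entries.append((tag, qualifier, perms))
    return header, entries

def effective(entries):
    """Apply the mask: it caps named users, the owning group and named groups."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    result = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        if mask is not None and (tag == "group" or (tag == "user" and qualifier)):
            perms = "".join(c if c == m else "-" for c, m in zip(perms, mask))
        result[(tag, qualifier)] = perms
    return result

def ls_mode(entries):
    """Permission string as ls -l prints it; with a mask, the group triplet is the mask."""
    perms = {(t, q): p for t, q, p in entries}
    group_bits = perms.get(("mask", ""), perms[("group", "")])
    extended = "+" if ("mask", "") in perms else ""
    return perms[("user", "")] + group_bits + perms[("other", "")] + extended

def writers(entries):
    """ACL entries that can actually write once the mask is applied."""
    return sorted(f"{t}:{q}" for (t, q), p in effective(entries).items() if "w" in p)

if __name__ == "__main__":
    header, entries = parse_getfacl(SAMPLE)
    print(header["file"], ls_mode(entries), "writers:", writers(entries))
```
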

