[Samba] file owners can change permissions!?!

Klaus Hartnegg hartnegg at uni-freiburg.de
Thu Jun 11 03:06:41 MDT 2015


Hello,

Users can use the security tab on the file properties dialog of windows 
to change file permissions of all files and directories which they own. 
They can add permissions to new users, they can also remove  inheritance 
and then modify all existing permissions, even remove permissions of 
SYSTEM and domain admins.

They do only have modify right, not full access.
Samba is version 4.1.17, running as PDC, using acl_xattr.
Permissions have been set from Windows.

I do not want to completely block the security tab, only make sure that 
users can only do what they were allowed to do, i.e. change permissions 
only where they have been granted full access.

How can I achieve this?

Klaus


More information about the samba mailing list