[Samba] Can Linux ACLs override Sticky Bits on a Samba Share?
andyliebman at aol.com
Wed Dec 21 13:54:29 UTC 2016
I have an Ubuntu Linux server where I use Sticky Bits to help enforce specific permissions on Samba shares:
-- Each Samba share is associated with a unique Linux group
-- Only members of the group can access the share
-- All members of the group can create new files and directories in the share
-- SGID is set on all directories.
-- The "creator" of any new file will be the owner of the file
-- Sticky Bits are placed on all new directories via an inotify process
-- As a result of the Sticky Bit set on directories, only the owner of a file can move, rename, or delete a file inside a directory
This all works perfectly, as designed, including through SMB mounts on Windows and OS X.
However, now I want to allow a limited subset of users to be able to override the Sticky Bit rule. I have created a second Linux group, added special members to the group, and applied an ACL recursively throughout the share's directory tree that gives this new group an ACL that would allow read/write/execute on all files and directories. However, when working through an SMB mount, members of this second group are still unable to move, rename or delete files that don't belong to them. I guess this makes sense, because really even members of the first group have read/write/execute privileges when I look at the ACLs.
Is there a way around this problem? Is there a way to create an ACL that will trump (take priority over) a Sticky Bit on a directory? Is there a specific setting in smb.conf that would only enforce Sticky Bit rules for members of the first group, but allow members of the second group to have the same permissions as the owner of a file?
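An added example, not part of the original post: a simplified Python model of the Linux rule for deleting or renaming an entry in a sticky directory (see unlink(2), EPERM), showing that an ACL granting rwx gets a caller past the directory permission check but not past the sticky-bit ownership check. The `Inode` and `Caller` types and all uids and gids are constructed for illustration; CAP_DAC_OVERRIDE and named-user ACL entries are not modelled.

```python
import stat
from dataclasses import dataclass, field

W_X = 0o3  # write + search bits required on the parent directory

@dataclass
class Inode:  # hypothetical type for this example
    uid: int
    gid: int
    mode: int  # permission bits including S_ISGID / S_ISVTX
    acl_groups: dict = field(default_factory=dict)  # named-group ACL: gid -> rwx
    acl_mask: int = 0o7

@dataclass
class Caller:  # hypothetical type for this example
    uid: int
    gids: frozenset
    cap_fowner: bool = False

def grants(d, c, want):
    """Simplified POSIX ACL check: owner, then group entries (masked), then other."""
    if c.uid == d.uid:
        return (d.mode >> 6) & want == want
    entries = {d.gid: (d.mode >> 3) & 7, **d.acl_groups}
    matched = [bits & d.acl_mask for gid, bits in entries.items() if gid in c.gids]
    if matched:  # a matching group entry decides; "other" is not consulted
        return any(bits & want == want for bits in matched)
    return d.mode & want == want

def may_delete(d, file_uid, c):
    """Return (allowed, reason) for unlink/rename of a file owned by file_uid in d."""
    if not grants(d, c, W_X):
        return False, "EACCES: no write+search permission on directory"
    # Sticky check: ownership or CAP_FOWNER only; ACL entries play no part here.
    if d.mode & stat.S_ISVTX and c.uid not in (file_uid, d.uid) and not c.cap_fowner:
        return False, "EPERM: sticky bit set, caller owns neither file nor directory"
    return True, "ok"

# Constructed sample: setgid + sticky share directory, second group added by ACL.
SHARE_GID, OVERRIDE_GID, FILE_OWNER = 2000, 2001, 1001
share_dir = Inode(uid=1000, gid=SHARE_GID, mode=0o3770, acl_groups={OVERRIDE_GID: 0o7})

if __name__ == "__main__":
    callers = {"file owner": Caller(FILE_OWNER, frozenset({SHARE_GID})),
               "override-group member": Caller(1002, frozenset({OVERRIDE_GID})),
               "non-member": Caller(1003, frozenset({3000}))}
    for name, c in callers.items():
        print(f"{name}: {may_delete(share_dir, FILE_OWNER, c)}")
```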