[Samba] What's the use of SeDiskOperatorPrivilege?

Andrew Walker walker.aj325 at gmail.com
Thu Jan 28 14:18:50 UTC 2021


On Thu, Jan 28, 2021 at 5:41 AM Matthias Leopold via samba <
samba at lists.samba.org> wrote:

>
>
> Am 28.01.21 um 11:21 schrieb Rowland penny via samba:
> > On 28/01/2021 10:06, Matthias Leopold via samba wrote:
> >>
> >> Then why bother with granting SeDiskOperatorPrivilege when share
> >> permissions shall not be modified at all (this was my original
> >> question)?
> >
> >
> > Because you are falling into the trap of thinking that the share tab has
> > anything to do with setting the NTFS permissions on a share. Nearly
> > every time anyone has problems setting permissions on a Samba server from
> > Windows, they have messed with the share tab, the favourite one is
> > removing 'Everyone'. Just ensure that only 'Everyone' is set on the
> > share tab with Full Control, Change and Read permissions set.
> >
> >
> >>
> >> I know that the settings in "Security" are essential. I always aimed
> >> at configuring the correct combination of "Share permissions" and
> >> "Security". There are instructions in the Microsoft docs about this.
> >
> >
> > I can only talk from experience, leave the share tab alone and set the
> > permissions with the security tab.
> >
>
> Just for the record:
> I was always aware that share and NTFS permissions are separate layers.
> I thought using them both gave extra security mainly because access to
> share permission management is limited (this is where
> SeDiskOperatorPrivilege comes in). But there's no need for further
> discussion, thanks for explaining things to me, I'll follow the
> suggested best practice.
>
> Matthias
>


Off the top of my head, there are a couple of cases where share permissions
are useful:
1) You're using the smb.conf parameter "access based share enum" to limit
visibility of shares in the browse list.
2) You need to strictly enforce a share-wide upper bound on permissions.
For instance, this can be done to limit what the owner of a file can do
(although it's probably better to do this through an "OWNER RIGHTS" S-1-3-4
entry in the NTFS ACL).
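As an added illustration of the two layers discussed in this thread (a model written for this page, not Samba's or Windows' own access-check code): the share tab acts as a ceiling ANDed with the NTFS ACL, which is why removing 'Everyone' locks everyone out, and why either a share-wide cap or an OWNER RIGHTS (S-1-3-4) entry can limit what a file owner may do. The rights bits and the domain SID are constructed; S-1-1-0 and S-1-3-4 are the real well-known SIDs.

```python
# Added toy model of the two permission layers discussed above; not Samba's code.
# S-1-1-0 and S-1-3-4 are real well-known SIDs; the rights bits and the domain
# SID below are constructed for this model.
READ, WRITE, WRITE_DAC = 0b001, 0b010, 0b100   # WRITE_DAC: right to rewrite the ACL
CHANGE, FULL = READ | WRITE, READ | WRITE | WRITE_DAC
EVERYONE, OWNER_RIGHTS = "S-1-1-0", "S-1-3-4"

def evaluate(acl, token_sids):
    """Walk a DACL of (sid, rights, deny) entries for the given token.
    Allow ACEs accumulate; a deny ACE blocks those bits for ACEs after it."""
    granted = denied = 0
    for sid, rights, deny in acl:
        if sid in token_sids:
            if deny:
                denied |= rights
            else:
                granted |= rights & ~denied
    return granted

def effective_rights(share_acl, ntfs_acl, token_sids, owner_sid=None):
    """Effective access is the share layer ANDed with the NTFS layer.
    The owner implicitly gets WRITE_DAC unless an OWNER RIGHTS (S-1-3-4) ACE
    exists, in which case that ACE defines what the owner gets instead."""
    sids = set(token_sids)
    if owner_sid in sids and any(sid == OWNER_RIGHTS for sid, _, _ in ntfs_acl):
        sids.add(OWNER_RIGHTS)
        ntfs = evaluate(ntfs_acl, sids)
    elif owner_sid in sids:
        ntfs = evaluate(ntfs_acl, sids) | WRITE_DAC
    else:
        ntfs = evaluate(ntfs_acl, sids)
    return evaluate(share_acl, sids) & ntfs

def scenarios():
    """The situations from the thread; the owner SID is constructed."""
    owner = "S-1-5-21-111-222-333-1001"
    token = {owner, EVERYONE}
    ntfs = [(EVERYONE, CHANGE, False)]
    share_default = [(EVERYONE, FULL, False)]          # share tab left alone
    return {
        # owner can rewrite the ACL because of the implicit WRITE_DAC
        "share_untouched": effective_rights(share_default, ntfs, token, owner),
        # the classic trap: 'Everyone' removed from the share tab locks everyone out
        "everyone_removed": effective_rights([], ntfs, token, owner),
        # share tab as a hard ceiling: owner is capped at CHANGE
        "share_upper_bound": effective_rights([(EVERYONE, CHANGE, False)], ntfs, token, owner),
        # same ceiling via an OWNER RIGHTS ACE in the NTFS ACL, share tab untouched
        "owner_rights_ace": effective_rights(
            share_default, ntfs + [(OWNER_RIGHTS, READ, False)], token, owner),
    }
```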

