On Wed, Sep 8, 2010 at 10:04 PM, <[email protected]> wrote:
> it looks like code is not designed like this.
>
> if you don't mind, Can you please explain this,
>
> ----------
> - although you would be asking
> it to restrict the admin's rights, which wouldn't be proper behavior.
> Plus it then wouldn't work like a Windows box, which is a primary
> goal.
> ----------------
File level security and share level security are separate - you can limit what a user can do with either one, or both.

Consider one box - with no remote file sharing, a system (file level security) is needed to prevent unauthorized access to files and directories for local users. Consider a box that has no idea of file level security, say pre Windows NT such as Windows 95 for instance, files are shared via the network but with an OS that has no concept of file level security something is needed to prevent unauthorized access - share level security. AFAIK, the systems are not integrated, work separately and provide some backward compatibility.

As the admin has full share level RW access to the share, he/she can surely make changes to the file level security (that is, if it's allowed by the current file level security) but he's not changing share level security through this, only file level; so locally the non-admin user could (presumably) log in locally and access those files, but still be blocked remotely by the share level permissions. It's the way Windows works (and why Samba does also), plus I'm sure other network sharing systems, NFS, etc. have similar attributes.

Think of it like trying to gain access to an office in a building. I can keep you from gaining entry in two ways; one is that I prevent you from entering the building (share level), or two, I prevent you from entering the particular office by locking its door (file level). If I prevent you from entering the building it doesn't matter whether or not I lock the office door - you cannot get there. If I lock the office door it doesn't matter if I allow you to enter the building - either way you are effectively locked out.
And just because you are prevented, in the one case, from entering the building, there is nothing, nor should there be, to prevent me (the admin) from unlocking the office door, which would give you access if, and only if, you had egress into the building - my access is not affected (I can still unlock the office door), only yours (you still have no access unless I allow you into the building as well).
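The two layers described in the message above, shown as an added smb.conf illustration that is not part of the original thread or of Samba's own documentation. The share name, path, group and the users alice and bob are hypothetical.

```ini
# Constructed example: share name, path, group and users are hypothetical.
#
# File level (checked by the kernel for local and remote access alike):
#   /srv/projects           drwxrwxr-x  alice  staff
#   /srv/projects/plan.txt  -rw-rw-r--  alice  staff
# bob is a member of group "staff", so the mode bits alone would give
# him read/write access to plan.txt.

[projects]
    path = /srv/projects

    # Share level (checked by smbd when a client connects to the share):
    # bob is refused at the "building entrance", whatever the mode bits say.
    invalid users = bob

    # Everyone else who may connect gets read-only access through the share,
    read only = yes

    # except alice, who may also write through the share. Her writes are
    # still subject to the file level permissions listed above.
    write list = alice
```

If alice loosens or tightens the mode bits on plan.txt, only the file level changes: bob is still refused over SMB by `invalid users`, while his access from a local login is decided by the mode bits alone.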
