>>The show-stopper right now is this: we need to be >>able to assign "real" Full Control permissions: a >>user who has "Full control" on a directory should >>be able to Read, Write, eXecute ( of course) [ this >>can be easily achieved with ACLs ] *plus* being >>able to give away Full Control to other users too >>[being able to override inherited ACLs would be a >>plus, too]. Is this feasible (remember smbd runs as >>root... )? Has somebody thought about implementing >>this ?
If you have Full Control over a directory (e.g. as root, or own it or have rwx on it), you can give FC (rwx) to others. Is it perhaps the other way around, that you want to stop this delegation, unless an FC EA explicitely allows it? I'm not sure if it can be a show-stopper or if it really makes a difference. >How about using one EA to map some Windows' >attributes ? Full Control, Archive ( though it can >be emulated through ctime/atime/mtime ), Change >Only, come in a first pass over this. Change Only? Uhm, you mean Erase Only? I wouldn't be surprised if there's an M$ ACL with that name. The EAs are apparently still a disputed novelty. Some M$ ACLs make sense, but Archive bit is nonsense and possibly much else. Consider the backslash, OK it's a different ball game but still, consider the backslash. Was there any need for it, given that Unix slash was in existence for decades when DOS came around? No, just like much of so called ACLs, it is a way to lock the installed base away from recognized standards to proprietary captivity. The way you put it, it looks like there are some major problems standing in the way of migrations to common standards, whereas it is my opinion that Samba is doing great by implementing sensible features in a standards-conforming way and offering an efficient file and print service for a song. Think about what really stops the show - the feature or the perception. Think how M$ may use your letter for FUD: "Samba is free but IT specialists complain they can't have full control of their data in practice". >>I thought that maybe coding a wrapper around SecLib >>could achieve this. Being quite fluent in C/C++ both >>in Un*x as well as Win32 I don't mind coding >>whatever tool is needed to achieve >>this, provided it >>is indeed possible. If not, some >>suggestions/comments ( or even an approximate >>timeline for implementation! ) would be more than >>welcome. > >Any comments on this?? My posting was only comments. But go ahead and do it. Perhaps everyone will use it, once it's there. Samba isn't perfect. The way default permissions get replicated indiscriminately to subdirs and files is one thing that could be improved. If you want to ensure propagation of eXec (tresspassing) bit on directories, you eventually end up with Hidden, System and Archive bits stuck to files and still can't hide a directory or give it System attribute. But the problem is really only aesthetic. Hidden can and is regularly overridden in the file browser properties box, Archive I couldn't care less about and the System bit has nothing to do in most of the shares, except perhaps in [profiles] where you don't need ACLs anyway. When I was migrating, everyone thought it was a sure show-stopper. Now after some hands-on experience and a little tweaking, the perception has changed and there is no problem. ____________________________________________________________ Get advanced SPAM filtering on Webmail or POP Mail ... Get Lycos Mail! http://login.mail.lycos.com/r/referral?aid=27005 -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba