Re: ACL inheritance, group supervisors, rwX access
thus spoke Marc Schiffbauer <[EMAIL PROTECTED]> [2004.10.27.0037 +0200]:
> That would indeed be a nice feature. How can I drop users CAPs on
> login?

Are there such things as user capabilities without SELinux or
GrSecurity or RSBAC?

--
Please do not CC me when replying to lists; I read them!

 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
Re: ACL inheritance, group supervisors, rwX access
* martin f krafft wrote on 26.10.04 at 23:04:
> thus spoke Marc Schiffbauer <[EMAIL PROTECTED]> [2004.10.26.2233 +0200]:
> > Uups. Mea culpa. But I think this will not make it better in your
> > case. If someone creates a file he can do whatever he wants with
> > that file including removing your supervisor from the file's ACL.
>
> The merit is arguable, but I think it would be a good feature to be
> able to prevent a user from changing ACLs/permission bits on files.
> Like a capability I could drop with PAM on login...

That would indeed be a nice feature. How can I drop users CAPs on
login?

> > > Ha! And I'll use CIFS instead of NTFS in a Linux-only cluster. Yeah
> > > right.
> >
> > sorry for trying to help...
>
> I appreciate it. My comment was, of course, in no way personal.

maybe I misunderstood you... forget about it ;-)

-marc

--
BUGS My programs never have bugs. They just develop random features.
If you discover such a feature and you want it to be removed: please
send an email to bug at links2linux.de
Re: ACL inheritance, group supervisors, rwX access
thus spoke Marc Schiffbauer <[EMAIL PROTECTED]> [2004.10.26.2233 +0200]:
> Uups. Mea culpa. But I think this will not make it better in your
> case. If someone creates a file he can do whatever he wants with
> that file including removing your supervisor from the file's ACL.

The merit is arguable, but I think it would be a good feature to be
able to prevent a user from changing ACLs/permission bits on files.
Like a capability I could drop with PAM on login...

> > Ha! And I'll use CIFS instead of NTFS in a Linux-only cluster. Yeah
> > right.
>
> sorry for trying to help...

I appreciate it. My comment was, of course, in no way personal.

--
Please do not CC me when replying to lists; I read them!

 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
Re: ACL inheritance, group supervisors, rwX access
* martin f krafft wrote on 26.10.04 at 20:18:
> thus spoke Marc Schiffbauer <[EMAIL PROTECTED]> [2004.10.26.1944 +0200]:
> > AFAIK what you want to do is not possible because Samba does not
> > support NT ACLs yet. With NT ACLs you could say "Students are not
> > allowed to change ACLs" and you were done.
>
> Uh, there is no samba. This is all Linux and NFS.

Uups. Mea culpa. But I think this will not make it better in your
case. If someone creates a file he can do whatever he wants with
that file including removing your supervisor from the file's ACL.

> > IIRC samba4 will support NT ACLs. Then this will not be a problem
> > anymore...
>
> Ha! And I'll use CIFS instead of NTFS in a Linux-only cluster. Yeah
> right.

sorry for trying to help...

--
begin LOVE-LETTER-FOR-YOU.txt.vbs
I am a signature virus. Distribute me until the bitter end
Re: ACL inheritance, group supervisors, rwX access
thus spoke Marc Schiffbauer <[EMAIL PROTECTED]> [2004.10.26.1944 +0200]:
> AFAIK what you want to do is not possible because Samba does not
> support NT ACLs yet. With NT ACLs you could say "Students are not
> allowed to change ACLs" and you were done.

Uh, there is no samba. This is all Linux and NFS.

> IIRC samba4 will support NT ACLs. Then this will not be a problem
> anymore...

Ha! And I'll use CIFS instead of NTFS in a Linux-only cluster. Yeah
right.

--
Please do not CC me when replying to lists; I read them!

 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
Re: ACL inheritance, group supervisors, rwX access
* martin f krafft wrote on 26.10.04 at 16:21:
> If you are good with POSIX ACLs, I would appreciate if you could
> take a look at
>
> http://people.debian.org/%7Eterpstra/message/20041026.105727.f688af8f.en.html
>
> Post your comments here, if you wish, I shall funnel the solution
> and important points over to the other list... (unless you tell me
> not to).

AFAIK what you want to do is not possible because Samba does not
support NT ACLs yet. With NT ACLs you could say "Students are not
allowed to change ACLs" and you were done.

To make normal ACL inheritance work you need the user_xattr mount
option and the smb.conf "map acl inherit = yes" parameter. This way
a user.SAMBA_PAI xattr will be created to store ACL inheritance
behavior.

But that would not be a solution for you if you give the students
full access to their directories because they could simply remove
your supervisor account from the ACL of any of their files.

Maybe a solution would be to audit ACL changes (sys_acl_set_file)
and to run a cron script that ensures supervisor access to all
files. But that's an ugly hack.

Has anybody a better solution?

Best thing to do this right now would be to hack a new vfs module
that prevents a special user from being removed from an ACL (IMO).

IIRC samba4 will support NT ACLs. Then this will not be a problem
anymore...

-marc

--
*lol* I download something from Napster
And the same guy I downloaded it from starts downloading it from me when I'm done
I message him and say "What are you doing? I just got that from you"
"getting my song back fscker"
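[Added example, not part of the original thread and not any poster's code.] The audit half of the cron approach suggested in the message above, as a shell filter over `getfacl -R` output. It assumes the supervisor is a named user called `supervisor` (a hypothetical name) and goes one step beyond the thread by also flagging files where the entry is still present but the ACL mask, which the file owner can lower with chmod, removes its effective read access.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a named-user ACL entry
# for an account called "supervisor" (hypothetical name).

# audit_acl USER: read `getfacl -R` output on stdin and print
# "path<TAB>reason" for each file where USER has no effective read access.
audit_acl() {
    awk -v sup="$1" '
    function report(   why) {
        if (file == "") return
        if (entry == "") why = "missing entry"
        else if (index(entry, "r") == 0) why = "entry lacks read"
        else if (mask != "" && index(mask, "r") == 0) why = "mask strips read"
        if (why != "") print file "\t" why
    }
    /^# file: / { report(); file = substr($0, 9); entry = ""; mask = ""; next }
    /^#/        { next }                   # owner/group header lines
    {
        sub(/[ \t]*#.*$/, "")              # drop "#effective:..." annotations
        n = split($0, f, ":")
        if (n < 3) next                    # blank separator lines
        if (f[1] == "user" && f[2] == sup) entry = f[3]
        if (f[1] == "mask")                mask  = f[3]
    }
    END { report() }'
}

# Constructed sample in getfacl output format (not captured from a real system).
sample_acls() {
cat <<'EOF'
# file: home/alice/report.txt
# owner: alice
user::rw-
user:supervisor:r--
group::r--
mask::r--
other::---

# file: home/bob/notes.txt
# owner: bob
user::rw-
group::r--
other::---

# file: home/carol/thesis.tex
# owner: carol
user::rw-
user:supervisor:rw-   #effective:---
mask::---
other::---
EOF
}

sample_acls | audit_acl supervisor
```

On a live system the input would come from `getfacl -R -p /home`, and each reported path could be repaired with `setfacl -m u:supervisor:rX PATH`, which also recalculates the mask.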
ACL inheritance, group supervisors, rwX access
If you are good with POSIX ACLs, I would appreciate if you could
take a look at

  http://people.debian.org/%7Eterpstra/message/20041026.105727.f688af8f.en.html

Post your comments here, if you wish, I shall funnel the solution
and important points over to the other list... (unless you tell me
not to).

--
Please do not CC me when replying to lists; I read them!

 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!