Re: [Samba] Restricting samba subfolder acl changes to admin users

2010-10-25 Thread suresh.kandukuru

Just a reminder.

-Original Message-
From: Kandukuru, Suresh 
Sent: Tuesday, October 19, 2010 6:49 PM
To: 'j...@samba.org'; 'samba@lists.samba.org'
Cc: 'volker.lende...@sernet.de'
Subject: RE: [Samba] Restricting samba subfolder acl changes to admin users


Jeremy, did you get a chance to look at this? Can you please pass your comments 
on this?

Thanks
Suresh


-Original Message-
From: Volker Lendecke [mailto:volker.lende...@sernet.de] 
Sent: Monday, October 18, 2010 1:16 PM
To: Kandukuru, Suresh
Cc: j...@samba.org
Subject: Re: [Samba] Restricting samba subfolder acl changes to admin users

On Mon, Oct 18, 2010 at 12:12:55AM -0400, suresh.kanduk...@emc.com wrote:
 Thanks Jeremy and Volker. That clarified some points; still a little bit of 
 confusion for me.
 So, in summary, a user can change an ACL if he has write access on the share 
 and ownership of the subfolders/files inside it.
 
 Here is my test.
 
 1) Created share test, gave write access to it for the admin and user1 users.
 
 2) Connected to the share as the admin user and created subfolder test_subfldr 
 in it, and gave read access to the user1 user.
 Output of getfacl:
 
 r...@storage:/mnt/soho_storage/samba/shares/SP0/test# getfacl test_subfldr/
 # file: test_subfldr/
 # owner: admin
 # group: users
 user::rwx
 user:user1:r-x
 group::rwx
 mask::rwx
 other::rwx
 default:user::rwx
 default:user:user1:r-x
 default:group::---
 default:mask::rwx
 default:other::---
 
 r...@storage:/mnt/soho_storage/samba/shares/SP0/test#
 --
 4) Connected to the test share as user1; could not write into test_subfldr, 
 but user1 was able to change the ACL settings on test_subfldr to write access. 
 Why is Samba allowing this? Though user1 has write access to the share, he is 
 not the owner of test_subfldr/ (admin is the owner). user1 effectively 
 has read access on test_subfldr.

This might actually be a bug. Maybe Samba believes the user
has write permissions due to the group having the w
permission? Which group is the user a member of?

Jeremy, can this be a mis-mapping of Posix permissions to
NTFS ACLs in the dos filemode permission check?

Volker

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Restricting samba subfolder acl changes to admin users

2010-10-25 Thread suresh.kandukuru
Jeremy, did you get a chance to look at this? Can you please pass your comments 
on this?

Thanks
Suresh


-Original Message-
From: Volker Lendecke [mailto:volker.lende...@sernet.de] 
Sent: Monday, October 18, 2010 1:16 PM
To: Kandukuru, Suresh
Cc: j...@samba.org
Subject: Re: [Samba] Restricting samba subfolder acl changes to admin users

On Mon, Oct 18, 2010 at 12:12:55AM -0400, suresh.kanduk...@emc.com wrote:
 Thanks Jeremy and Volker. That clarified some points; still a little bit of 
 confusion for me.
 So, in summary, a user can change an ACL if he has write access on the share 
 and ownership of the subfolders/files inside it.
 
 Here is my test.
 
 1) Created share test, gave write access to it for the admin and user1 users.
 
 2) Connected to the share as the admin user and created subfolder test_subfldr 
 in it, and gave read access to the user1 user.
 Output of getfacl:
 
 r...@storage:/mnt/soho_storage/samba/shares/SP0/test# getfacl test_subfldr/
 # file: test_subfldr/
 # owner: admin
 # group: users
 user::rwx
 user:user1:r-x
 group::rwx
 mask::rwx
 other::rwx
 default:user::rwx
 default:user:user1:r-x
 default:group::---
 default:mask::rwx
 default:other::---
 
 r...@storage:/mnt/soho_storage/samba/shares/SP0/test#
 --
 4) Connected to the test share as user1; could not write into test_subfldr, 
 but user1 was able to change the ACL settings on test_subfldr to write access. 
 Why is Samba allowing this? Though user1 has write access to the share, he is 
 not the owner of test_subfldr/ (admin is the owner). user1 effectively 
 has read access on test_subfldr.

This might actually be a bug. Maybe Samba believes the user
has write permissions due to the group having the w
permission? Which group is the user a member of?

Jeremy, can this be a mis-mapping of Posix permissions to
NTFS ACLs in the dos filemode permission check?

Volker



Re: [Samba] Restricting samba subfolder acl changes to admin users

2010-10-25 Thread Jeremy Allison
On Mon, Oct 18, 2010 at 12:12:55AM -0400, suresh.kanduk...@emc.com wrote:
 Thanks Jeremy and Volker. That clarified some points; still a little bit of 
 confusion for me.
 So, in summary, a user can change an ACL if he has write access on the share 
 and ownership of the subfolders/files inside it.
 
 Here is my test.
 
 1) Created share test, gave write access to it for the admin and user1 users.
 
 2) Connected to the share as the admin user and created subfolder test_subfldr 
 in it, and gave read access to the user1 user.
 Output of getfacl:
 
 r...@storage:/mnt/soho_storage/samba/shares/SP0/test# getfacl test_subfldr/
 # file: test_subfldr/
 # owner: admin
 # group: users
 user::rwx
 user:user1:r-x
 group::rwx
 mask::rwx
 other::rwx
 default:user::rwx
 default:user:user1:r-x
 default:group::---
 default:mask::rwx
 default:other::---
 
 r...@storage:/mnt/soho_storage/samba/shares/SP0/test#
 --
 4) Connected to the test share as user1; could not write into test_subfldr, 
 but user1 was able to change the ACL settings on test_subfldr to write access. 
 Why is Samba allowing this? Though user1 has write access to the share, he is 
 not the owner of test_subfldr/ (admin is the owner). user1 effectively 
 has read access on test_subfldr.
 
 Attached smb.conf for your reference.

Ok, started to look at this. Thanks for your
patience.

What are the getfacl permissions on the folder:

/mnt/soho_storage/samba/shares/SP0/test

I need to see the output from:

getfacl /mnt/soho_storage/samba/shares/SP0/test

and also please send me (privately if you wish)
a debug level 10 log from smbd when user1 connects
to the test share and changes the acl setting
on test_subfldr.

Thanks,

Jeremy.


Re: [Samba] Restricting samba subfolder acl changes to admin users

2010-10-19 Thread suresh.kandukuru

Jeremy, did you get a chance to look at this? Can you please pass your comments 
on this?

Thanks
Suresh


-Original Message-
From: Volker Lendecke [mailto:volker.lende...@sernet.de] 
Sent: Monday, October 18, 2010 1:16 PM
To: Kandukuru, Suresh
Cc: j...@samba.org
Subject: Re: [Samba] Restricting samba subfolder acl changes to admin users

On Mon, Oct 18, 2010 at 12:12:55AM -0400, suresh.kanduk...@emc.com wrote:
 Thanks Jeremy and Volker. That clarified some points; still a little bit of 
 confusion for me.
 So, in summary, a user can change an ACL if he has write access on the share 
 and ownership of the subfolders/files inside it.
 
 Here is my test.
 
 1) Created share test, gave write access to it for the admin and user1 users.
 
 2) Connected to the share as the admin user and created subfolder test_subfldr 
 in it, and gave read access to the user1 user.
 Output of getfacl:
 
 r...@storage:/mnt/soho_storage/samba/shares/SP0/test# getfacl test_subfldr/
 # file: test_subfldr/
 # owner: admin
 # group: users
 user::rwx
 user:user1:r-x
 group::rwx
 mask::rwx
 other::rwx
 default:user::rwx
 default:user:user1:r-x
 default:group::---
 default:mask::rwx
 default:other::---
 
 r...@storage:/mnt/soho_storage/samba/shares/SP0/test#
 --
 4) Connected to the test share as user1; could not write into test_subfldr, 
 but user1 was able to change the ACL settings on test_subfldr to write access. 
 Why is Samba allowing this? Though user1 has write access to the share, he is 
 not the owner of test_subfldr/ (admin is the owner). user1 effectively 
 has read access on test_subfldr.

This might actually be a bug. Maybe Samba believes the user
has write permissions due to the group having the w
permission? Which group is the user a member of?

Jeremy, can this be a mis-mapping of Posix permissions to
NTFS ACLs in the dos filemode permission check?

Volker



Re: [Samba] Restricting samba subfolder acl changes to admin users

2010-10-19 Thread Jeremy Allison
On Tue, Oct 19, 2010 at 09:19:00AM -0400, suresh.kanduk...@emc.com wrote:
 
 Jeremy, did you get a chance to look at this? Can you please pass your 
 comments on this?

Just wanted to let you know I haven't forgotten this, just haven't had
time to get to it yet. Keep pinging me until I respond :-).

Thanks,

Jeremy.


Re: [Samba] Restricting samba subfolder acl changes to admin users

2010-10-17 Thread suresh.kandukuru
Thanks Jeremy and Volker. That clarified some points; still a little bit of 
confusion for me.
So, in summary, a user can change an ACL if he has write access on the share and 
ownership of the subfolders/files inside it.

Here is my test.

1) Created share test, gave write access to it for the admin and user1 users.

2) Connected to the share as the admin user and created subfolder test_subfldr in 
it, and gave read access to the user1 user.
Output of getfacl:

r...@storage:/mnt/soho_storage/samba/shares/SP0/test# getfacl test_subfldr/
# file: test_subfldr/
# owner: admin
# group: users
user::rwx
user:user1:r-x
group::rwx
mask::rwx
other::rwx
default:user::rwx
default:user:user1:r-x
default:group::---
default:mask::rwx
default:other::---

r...@storage:/mnt/soho_storage/samba/shares/SP0/test#
--
4) Connected to the test share as user1; could not write into test_subfldr, but 
user1 was able to change the ACL settings on test_subfldr to write access.
Why is Samba allowing this? Though user1 has write access to the share, he is not 
the owner of test_subfldr/ (admin is the owner). user1 effectively has read 
access on test_subfldr.

Attached smb.conf for your reference.

Thanks
Suresh


-Original Message-
From: Jeremy Allison [mailto:j...@samba.org] 
Sent: Saturday, October 16, 2010 6:28 AM
To: Kandukuru, Suresh
Cc: volker.lende...@sernet.de; samba@lists.samba.org; j...@samba.org
Subject: Re: [Samba] Restricting samba subfolder acl changes to admin users

On Fri, Oct 15, 2010 at 07:09:02AM -0400, suresh.kanduk...@emc.com wrote:
 Got it, Volker. Thanks.
 
 One final question: I have an admin user in the NAS. For a share test, he has given 
 write access to user user1 and read access for a subfolder, testsubdir, 
 in share test.
 When user1 logged into share test, he could not write into testsubdir. 
 Obviously it is because he has read access on the folder and the most restrictive 
 access will be effective.
 
 And the problem is, since user1 has write access to the share, he is able to 
 change the read access on the subfolder by himself. Why is Samba allowing 
 this? Since effectively user1 has read access on the subfolder testsubdir, 
 it should deny ACL changes on that, right?


You are confusing write access on a share ACL, with write access on a
directory.

If a user only has read access on a share ACL, he will only be able
to read data on that share, no modifications to any files/folders or
ACLs will be allowed.

If a user has write access on a share ACL, then he can modify anything
inside that share that the underlying filesystem gives him rights to
do so (if you're using POSIX ACLs/permissions, not Windows ACLs).

So, when you complain that user1 can change the permissions on a sub
folder, look at the owner and permissions on that sub folder. If user1
has permission to write into the containing directory, he can modify
anything within it (according to the POSIX specs.).

Samba will override the POSIX permissions if dos filemode is set:
See the smb.conf man page:

   dos filemode (S)

   The default behavior in Samba is to provide UNIX-like behavior where only the
   owner of a file/directory is able to change the permissions on it. However,
   this behavior is often confusing to DOS/Windows users. Enabling this parameter
   allows a user who has write access to the file (by whatever means, including an
   ACL permission) to modify the permissions (including ACL) on it. Note that a
   user belonging to the group owning the file will not be allowed to change
   permissions if the group is only granted read access. Ownership of the
   file/directory may also be changed. Note that using the VFS modules acl_xattr
   or acl_tdb which store native Windows as meta-data will automatically turn this
   option on for any share for which they are loaded, as they require this option
   to emulate Windows ACLs correctly.

This might be what you're seeing.

If you want the client to only see Windows ACLs, look into the
vfs objects = acl_xattr option. There are a few bugs in it,
which I've currently fixed for 3.6.0 (and am preparing a back
port for the next 3.5.x release).

Jeremy.


Re: [Samba] Restricting samba subfolder acl changes to admin users

2010-10-15 Thread suresh.kandukuru
Thanks Volker. Adding Jeremy, as my manager told me to let the Samba team know 
that I am part of the EMC lifeline team, and some of the team members discussed 
some other Samba problems with Jeremy.


Volker, if you don't mind, can you elaborate on this: if we make the share offline, 
how does the setting of ACLs go through the Samba source code?
 
However, I think this might cause quite a few problems. For
example, if you make such a share available offline,
disallowing setting of ACLs will cause severe problems when
clients synchronize their data. Moreover, some applications
like for example Microsoft Excel explicitly set the ACL when
saving files. You need to check if disallowing this does not
cause you trouble.
-

Thanks
Suresh

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Volker Lendecke
Sent: Thursday, October 14, 2010 5:43 PM
To: Kandukuru, Suresh
Cc: samba@lists.samba.org
Subject: Re: [Samba] Restricting samba subfolder acl changes to admin users

On Thu, Oct 14, 2010 at 08:05:38AM -0400, suresh.kanduk...@emc.com wrote:
 I am talking about users who have write access on the
 share, not necessarily owners of the files/subfolders in
 it. Can we disallow (some) users who have write access
 on the share from changing subfolder ACLs in it? I want to
 give this ACL change permission only to a specific set of
 users. I think this is a valid requirement in the general use
 case.

Yes, I think this might be a valid use case, although Samba
does not right now do this. It would require a patch to add
this capability along the lines of valid users etc.

However, I think this might cause quite a few problems. For
example, if you make such a share available offline,
disallowing setting of ACLs will cause severe problems when
clients synchronize their data. Moreover, some applications
like for example Microsoft Excel explicitly set the ACL when
saving files. You need to check if disallowing this does not
cause you trouble.

Volker


Re: [Samba] Restricting samba subfolder acl changes to admin users

2010-10-15 Thread Volker Lendecke
On Fri, Oct 15, 2010 at 02:07:55AM -0400, suresh.kanduk...@emc.com wrote:
 Thanks Volker. Adding Jeremy, as my manager told me to
 let the Samba team know that I am part of the EMC lifeline team,
 and some of the team members discussed some other Samba
 problems with Jeremy.
 
 
 Volker, if you don't mind, can you elaborate on this: if we
 make the share offline, how does the setting of ACLs go through
 the Samba source code?

When you make a folder available offline, then when a user
comes back and re-synchronizes his data, then the client
will set ACLs. I'm not sure how it reacts when you deny
that. The setting of ACLs comes into the Samba source
code in source3/smbd/nttrans.c, there we have the function
called call_nt_transact_set_security_desc. From there we end
up in set_sd and via the VFS we call SMB_VFS_FSET_NT_ACL,
which is by default the function set_nt_acl() in
smbd/posix_acls.c.

Hope that helps,

Volker


Re: [Samba] Restricting samba subfolder acl changes to admin users

2010-10-15 Thread suresh.kandukuru
Got it, Volker. Thanks.

One final question: I have an admin user in the NAS. For a share test, he has given 
write access to user user1 and read access for a subfolder, testsubdir, 
in share test.
When user1 logged into share test, he could not write into testsubdir. 
Obviously it is because he has read access on the folder and the most restrictive 
access will be effective.

And the problem is, since user1 has write access to the share, he is able to 
change the read access on the subfolder by himself. Why is Samba allowing 
this? Since effectively user1 has read access on the subfolder testsubdir, 
it should deny ACL changes on that, right?


Thanks
Suresh


-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Volker Lendecke
Sent: Friday, October 15, 2010 2:27 PM
To: Kandukuru, Suresh
Cc: samba@lists.samba.org; j...@samba.org
Subject: Re: [Samba] Restricting samba subfolder acl changes to admin users

On Fri, Oct 15, 2010 at 02:07:55AM -0400, suresh.kanduk...@emc.com wrote:
 Thanks Volker. Adding Jeremy, as my manager told me to
 let the Samba team know that I am part of the EMC lifeline team,
 and some of the team members discussed some other Samba
 problems with Jeremy.
 
 
 Volker, if you don't mind, can you elaborate on this: if we
 make the share offline, how does the setting of ACLs go through
 the Samba source code?

When you make a folder available offline, then when a user
comes back and re-synchronizes his data, then the client
will set ACLs. I'm not sure how it reacts when you deny
that. The setting of ACLs comes into the Samba source
code in source3/smbd/nttrans.c, there we have the function
called call_nt_transact_set_security_desc. From there we end
up in set_sd and via the VFS we call SMB_VFS_FSET_NT_ACL,
which is by default the function set_nt_acl() in
smbd/posix_acls.c.

Hope that helps,

Volker


Re: [Samba] Restricting samba subfolder acl changes to admin users

2010-10-15 Thread Volker Lendecke
On Fri, Oct 15, 2010 at 07:09:02AM -0400, suresh.kanduk...@emc.com wrote:
 One final question: I have an admin user in the NAS. For a share
 test, he has given write access to user user1 and
 read access for a subfolder, testsubdir, in share
 test.
 When user1 logged into share test, he could not write
 into testsubdir. Obviously it is because he has read
 access on the folder and the most restrictive access will be
 effective.
 
 And the problem is, since user1 has write access to the
 share, he is able to change the read access on the
 subfolder by himself. Why is Samba allowing this? Since
 effectively user1 has read access on the subfolder
 testsubdir, it should deny ACL changes on that, right?

Who is the file owner of testsubdir? You can find out who
is the owner with the command ls -ld testsubdir. If user1
is the owner, then it does not matter if user1 has only read
access. If user1 is not the owner, then we might have a bug
in Samba. Please send us your smb.conf configuration file
and a debug level 10 log of the smbd allowing this
operation.

Thanks in advance,

Volker Lendecke


Re: [Samba] Restricting samba subfolder acl changes to admin users

2010-10-15 Thread suresh.kandukuru
Volker, I will send the log.
Why does it not matter here if user1 is the owner of the subfolder and has read-only 
access on it?
My question is: though user1 has read-only access on subfolder testsubfldr, he is 
able to change it to write, since user1 has write access on the share.
Cannot Samba disallow ACL changes on the subfolder testsufldr for the user 
user1, since he has read access for it, though he has write access on the share?

Thanks
Suresh
 

-Original Message-
From: Volker Lendecke [mailto:volker.lende...@sernet.de] 
Sent: Friday, October 15, 2010 4:51 PM
To: Kandukuru, Suresh
Cc: samba@lists.samba.org; j...@samba.org
Subject: Re: [Samba] Restricting samba subfolder acl changes to admin users

On Fri, Oct 15, 2010 at 07:09:02AM -0400, suresh.kanduk...@emc.com wrote:
 One final question: I have an admin user in the NAS. For a share
 test, he has given write access to user user1 and
 read access for a subfolder, testsubdir, in share
 test.
 When user1 logged into share test, he could not write
 into testsubdir. Obviously it is because he has read
 access on the folder and the most restrictive access will be
 effective.
 
 And the problem is, since user1 has write access to the
 share, he is able to change the read access on the
 subfolder by himself. Why is Samba allowing this? Since
 effectively user1 has read access on the subfolder
 testsubdir, it should deny ACL changes on that, right?

Who is the file owner of testsubdir? You can find out who
is the owner with the command ls -ld testsubdir. If user1
is the owner, then it does not matter if user1 has only read
access. If user1 is not the owner, then we might have a bug
in Samba. Please send us your smb.conf configuration file
and a debug level 10 log of the smbd allowing this
operation.

Thanks in advance,

Volker Lendecke



Re: [Samba] Restricting samba subfolder acl changes to admin users

2010-10-15 Thread Volker Lendecke
On Fri, Oct 15, 2010 at 09:28:30AM -0400, suresh.kanduk...@emc.com wrote:
 Why does it not matter here if user1 is the owner of the
 subfolder and has read-only access on it?
 My question is: though user1 has read-only access on subfolder
 testsubfldr, he is able to change it to write,
 since user1 has write access on the share.
 Cannot Samba disallow ACL changes on the subfolder
 testsufldr for the user user1, since he has read access
 for it, though he has write access on the share?

Sorry, I'm lost here. Samba passes the Posix semantics of
chmod and setfacl 1:1 to the client. This means if you are
owner of the file and have general write access to the share
(not necessarily the file itself), chmod and getfacl are
allowed. This is just what Posix does. Quoting the susv3
definition for chmod:

 The application shall ensure that the effective user ID of
 the process matches the owner of the file or the process
 has appropriate privileges in order to do this.

This means that both the file owner or root can change an
ACL. To really understand what you mean, would it be
possible that you send your smb.conf file and an ls -la
of all subdirectories that participate?

If you really only want to allow setting ACLs for a very
limited set of users, one possibility would be to export the
same share twice. Once for administrators with an
appropriate valid users = @administrators (or so) line,
and another share with exactly the same path setting, but
with nt acl support = no. This is a very brute-force way
of denying all ACL setting. As I tried to point out in
previous mails, I would however recommend to thoroughly test
this setting with the applications you want to support.

Jeremy, maybe you can be of more help?

My English is probably just too limited to really give a
precise enough description of how smbd does what it does.

Thanks,

Volker


Re: [Samba] Restricting samba subfolder acl changes to admin users

2010-10-15 Thread Jeremy Allison
On Fri, Oct 15, 2010 at 07:09:02AM -0400, suresh.kanduk...@emc.com wrote:
 Got it, Volker. Thanks.
 
 One final question: I have an admin user in the NAS. For a share test, he has given 
 write access to user user1 and read access for a subfolder, testsubdir, 
 in share test.
 When user1 logged into share test, he could not write into testsubdir. 
 Obviously it is because he has read access on the folder and the most restrictive 
 access will be effective.
 
 And the problem is, since user1 has write access to the share, he is able to 
 change the read access on the subfolder by himself. Why is Samba allowing 
 this? Since effectively user1 has read access on the subfolder testsubdir, 
 it should deny ACL changes on that, right?


You are confusing write access on a share ACL, with write access on a
directory.

If a user only has read access on a share ACL, he will only be able
to read data on that share, no modifications to any files/folders or
ACLs will be allowed.

If a user has write access on a share ACL, then he can modify anything
inside that share that the underlying filesystem gives him rights to
do so (if you're using POSIX ACLs/permissions, not Windows ACLs).

So, when you complain that user1 can change the permissions on a sub
folder, look at the owner and permissions on that sub folder. If user1
has permission to write into the containing directory, he can modify
anything within it (according to the POSIX specs.).

Samba will override the POSIX permissions if dos filemode is set:
See the smb.conf man page:

   dos filemode (S)

   The default behavior in Samba is to provide UNIX-like behavior where only the
   owner of a file/directory is able to change the permissions on it. However,
   this behavior is often confusing to DOS/Windows users. Enabling this parameter
   allows a user who has write access to the file (by whatever means, including an
   ACL permission) to modify the permissions (including ACL) on it. Note that a
   user belonging to the group owning the file will not be allowed to change
   permissions if the group is only granted read access. Ownership of the
   file/directory may also be changed. Note that using the VFS modules acl_xattr
   or acl_tdb which store native Windows as meta-data will automatically turn this
   option on for any share for which they are loaded, as they require this option
   to emulate Windows ACLs correctly.

This might be what you're seeing.

If you want the client to only see Windows ACLs, look into the
vfs objects = acl_xattr option. There are a few bugs in it,
which I've currently fixed for 3.6.0 (and am preparing a back
port for the next 3.5.x release).

Jeremy.


Re: [Samba] Restricting samba subfolder acl changes to admin users

2010-10-14 Thread Volker Lendecke
On Thu, Oct 14, 2010 at 12:54:59AM -0400, suresh.kanduk...@emc.com wrote:
   What I noticed from the example below is that any user who
   has write access to the share is able to change subfolder
   ACLs in it. We don't want that. How can we restrict this to
   only admin users in the NAS and the AD administrator in
   Windows?
 
 Please help.
 
 
 
 1)  Import user from W2K3 R2 Server and set up a secure share.  User has 
 Read/Write access.
 
 2)  Create sub-folder and set Read.
 
 3)  Log in as user on Windows 7 workstation using AD user's credentials.
 
 4)  Map to share and write files to share - OK as expected.
 
 5)  Change directory to sub-folder and write files to sub-folder - write 
 denied as expected.
 
 6)  As AD user, right-click on sub-folder and enter Properties, Security.  
 Attempt to change R/O rights.  Successfully changed - not expected behavior; 
 only the Administrator of the NAS, Administrator of AD or a member of the AD Admin group 
 should be able to change rights on secure sub-folders.

Assuming you're using pure posix ACLs, this is expected
behaviour. It is an artifact of Samba mapping Posix ACLs to
Windows ACLs, not enforcing additional restrictions on top
of it. Posix allows the owner of a directory to change its
ACL, probably this is what you see here.

Volker


Re: [Samba] Restricting samba subfolder acl changes to admin users

2010-10-14 Thread suresh.kandukuru
Volker,
   Thanks for the quick response. Is there any way to restrict this? Like, instead of 
allowing all who have write access on the share to change subfolder ACLs in 
it, can we allow only admin users in the NAS and the AD administrator in Windows to 
do this?

Any workaround?

Thanks again,
Suresh

-Original Message-
From: Volker Lendecke [mailto:volker.lende...@sernet.de] 
Sent: Thursday, October 14, 2010 11:56 AM
To: Kandukuru, Suresh
Cc: samba@lists.samba.org
Subject: Re: [Samba] Restricting samba subfolder acl changes to admin users

On Thu, Oct 14, 2010 at 12:54:59AM -0400, suresh.kanduk...@emc.com wrote:
   What I noticed from the example below is that any user who
   has write access to the share is able to change subfolder
   ACLs in it. We don't want that. How can we restrict this to
   only admin users in the NAS and the AD administrator in
   Windows?
 
 Please help.
 
 
 
 1)  Import user from W2K3 R2 Server and set up a secure share.  User has 
 Read/Write access.
 
 2)  Create sub-folder and set Read.
 
 3)  Log in as user on Windows 7 workstation using AD user's credentials.
 
 4)  Map to share and write files to share - OK as expected.
 
 5)  Change directory to sub-folder and write files to sub-folder - write 
 denied as expected.
 
 6)  As AD user, right-click on sub-folder and enter Properties, Security.  
 Attempt to change R/O rights.  Successfully changed - not expected behavior; 
 only the Administrator of the NAS, Administrator of AD or a member of the AD Admin group 
 should be able to change rights on secure sub-folders.

Assuming you're using pure posix ACLs, this is expected
behaviour. It is an artifact of Samba mapping Posix ACLs to
Windows ACLs, not enforcing additional restrictions on top
of it. Posix allows the owner of a directory to change its
ACL, probably this is what you see here.

Volker



Re: [Samba] Restricting samba subfolder acl changes to admin users

2010-10-14 Thread Volker Lendecke
On Thu, Oct 14, 2010 at 02:36:09AM -0400, suresh.kanduk...@emc.com wrote:
   Thanks for the quick response. Is there any way to restrict
   this? Like, instead of allowing all who have write access
   on the share to change subfolder ACLs in it, can we
   allow only admin users in the NAS and the AD administrator in
   Windows to do this?
 
 Any workaround?

Not without code changes in Samba. But as far as I know,
this problem will even happen with full NTFS acls. I think
NTFS grants the owner of a file implicit WRITE_DAC
permission, so the owner of a file or directory will always
be able to change the ACL.

Volker


Re: [Samba] Restricting samba subfolder acl changes to admin users

2010-10-14 Thread suresh.kandukuru
Volker,
   Once again, thanks for the response. I am talking about users who have write 
access on the share, not necessarily owners of the files/subfolders in it.
Can we disallow (some) users who have write access on the share from changing 
subfolder ACLs in it? I want to give this ACL change permission only to a 
specific set of users. I think this is a valid requirement in the general use case.

Thanks
Suresh 

-Original Message-
From: Volker Lendecke [mailto:volker.lende...@sernet.de] 
Sent: Thursday, October 14, 2010 2:25 PM
To: Kandukuru, Suresh
Cc: samba@lists.samba.org
Subject: Re: [Samba] Restricting samba subfolder acl changes to admin users

On Thu, Oct 14, 2010 at 02:36:09AM -0400, suresh.kanduk...@emc.com wrote:
   Thanks for the quick response. Is there any way to restrict
   this? Like, instead of allowing all who have write access
   on the share to change subfolder ACLs in it, can we
   allow only admin users in the NAS and the AD administrator in
   Windows to do this?
 
 Any workaround?

Not without code changes in Samba. But as far as I know,
this problem will even happen with full NTFS acls. I think
NTFS grants the owner of a file implicit WRITE_DAC
permission, so the owner of a file or directory will always
be able to change the ACL.

Volker



Re: [Samba] Restricting samba subfolder acl changes to admin users

2010-10-14 Thread Volker Lendecke
On Thu, Oct 14, 2010 at 08:05:38AM -0400, suresh.kanduk...@emc.com wrote:
 I am talking about users who have write access on the
 share, not necessarily owners of the files/subfolders in
 it. Can we disallow (some) users who have write access
 on the share from changing subfolder ACLs in it? I want to
 give this ACL change permission only to a specific set of
 users. I think this is a valid requirement in the general use
 case.

Yes, I think this might be a valid use case, although Samba
does not right now do this. It would require a patch to add
this capability along the lines of valid users etc.

However, I think this might cause quite a few problems. For
example, if you make such a share available offline,
disallowing setting of ACLs will cause severe problems when
clients synchronize their data. Moreover, some applications
like for example Microsoft Excel explicitly set the ACL when
saving files. You need to check if disallowing this does not
cause you trouble.

Volker


[Samba] Restricting samba subfolder acl changes to admin users

2010-10-13 Thread suresh.kandukuru
Dear samba team,
  What I noticed from the example below is that any user who has write access to 
the share is able to change subfolder ACLs in it. We don't want that. How can we 
restrict this to only admin users in the NAS and the AD administrator in Windows?

Please help.



1)  Import user from W2K3 R2 Server and set up a secure share.  User has 
Read/Write access.

2)  Create sub-folder and set Read.

3)  Log in as user on Windows 7 workstation using AD user's credentials.

4)  Map to share and write files to share - OK as expected.

5)  Change directory to sub-folder and write files to sub-folder - write 
denied as expected.

6)  As AD user, right-click on sub-folder and enter Properties, Security.  
Attempt to change R/O rights.  Successfully changed - not expected behavior; 
only the Administrator of the NAS, Administrator of AD or a member of the AD Admin group 
should be able to change rights on secure sub-folders.

-


Thanks
Suresh