Hi all, I've been spending some time with customers lately and I've discovered an interesting thing. Many IT departments completely delegate the settings on directory and file ACLs to the users who are interested in the data. For example, on a given share for "Finance", the finance group is given full control on the containing directory (ie. they're allowed to set ACLs on everything within it) and are left alone to sort out their access control as they wish. This is difficult on Samba with POSIX ACLs due to the fact that POSIX ACLs can only be changed by the owner of the file/directory or root. Windows semantics allow the owner of a file/directory to always change the ACL (as does POSIX), but the difference is that under Windows a group can be the owner of a file/directory - with no user owner at all. Now I know the correct way to fix this is full NT ACL semantics and we're moving towards that in the future but an easy stop-gap solution for us is a new parameter, so I'm proposing a new parameter called "acl group control". If set to True on a share then it would allow both the owning user and the *primary group owner* of a file or directory to change the ACL on it. This would allow a "finance" group to be the primary POSIX group owner of a shared directory and then any member of that group could set ACLs on it, whether they were the actual user owner or not. In conjunction with the ability to have group ownership of files/directories in a directory inherited from the parent by setting the SETGID bit on the directory this should allow delegation of ACL control under Samba. Please let me know what you think - it's easy to add to the current code but I'd like to get some user feedback before I do so. Cheers, Jeremy.
Kaplan, Marc
2005-Jul-18 23:28 UTC
[Samba] RE: Proposal to allow owning group to edit ACLs.
Jeremy, I think this is really a great idea, and potentially a very valuable feature as long as group acl control = false by default. -Marc> -----Original Message----- > From:samba-technical-bounces+mkaplan=snapappliance.com@lists.samba.org>[mailto:samba-technical-bounces+mkaplan=snapappliance.com@lists.samba.or g]> On Behalf Of Jeremy Allison > Sent: Monday, July 18, 2005 3:48 PM > To: samba-technical@samba.org > Cc: samba@samba.org; jra@samba.org > Subject: Proposal to allow owning group to edit ACLs. > > Hi all, > > I've been spending some time with customers lately and I've > discovered an interesting thing. Many IT departments completelydelegate> the settings on directory and file ACLs to the users who areinterested> in the data. > > For example, on a given share for "Finance", the finance group isgiven> full control on the containing directory (ie. they're allowed to setACLs> on everything within it) and are left alone to sort out their access > control as they wish. > > This is difficult on Samba with POSIX ACLs due to the fact that POSIX > ACLs can only be changed by the owner of the file/directory or root. > > Windows semantics allow the owner of a file/directory to always change > the ACL (as does POSIX), but the difference is that under Windows agroup> can be the owner of a file/directory - with no user owner at all. > > Now I know the correct way to fix this is full NT ACL semantics and > we're moving towards that in the future but an easy stop-gap solution > for us is a new parameter, so I'm proposing a new parameter called > "acl group control". If set to True on a share then it would allow > both the owning user and the *primary group owner* of a file ordirectory> to change the ACL on it. > > This would allow a "finance" group to be the primary POSIX group owner > of a shared directory and then any member of that group could set > ACLs on it, whether they were the actual user owner or not. > > In conjunction with the ability to have group ownership of > files/directories > in a directory inherited from the parent by setting the SETGID bit onthe> directory this should allow delegation of ACL control under Samba. > > Please let me know what you think - it's easy to add to the current > code but I'd like to get some user feedback before I do so. > > Cheers, > > Jeremy.
Jeremy Allison
2005-Jul-18 23:42 UTC
[Samba] Re: Proposal to allow owning group to edit ACLs.
On Mon, Jul 18, 2005 at 04:25:56PM -0700, Kaplan, Marc wrote:> Jeremy, > > I think this is really a great idea, and potentially a very valuable > feature as long as group acl control = false by default.Indeed - as this is a security sensitive area it would definately default to the current (safe) behaviour. Especially in case I screw up the implementation :-). Jeremy.
Kaplan, Marc
2005-Jul-18 23:46 UTC
[Samba] RE: Proposal to allow owning group to edit ACLs.
> Indeed - as this is a security sensitive area it would definately > default to the current (safe) behaviour. Especially in case I screw > up the implementation :-). > > Jeremy.On that note :), let me know when it's implemented, I'll give it some initial testing. -Marc
On Monday 18 July 2005 15:47, Jeremy Allison wrote:> Hi all, > > I've been spending some time with customers lately and I've > discovered an interesting thing. Many IT departments completely delegate > the settings on directory and file ACLs to the users who are interested > in the data.SNIP> Now I know the correct way to fix this is full NT ACL semantics and > we're moving towards that in the future but an easy stop-gap solution > for us is a new parameter, so I'm proposing a new parameter called > "acl group control". If set to True on a share then it would allow > both the owning user and the *primary group owner* of a file or directory > to change the ACL on it.Yes, please do this. I want never again to hear my client complaining that "Smith has quit and Windows won't let me edit or delete his old files."
Great idea Jeremy, As far as ACls are concerned the more options the better.This option would add a great deal of flexabiltiy. Cheers, Rhys On 7/19/05, Jeremy Allison <jra@samba.org> wrote:> > Hi all, > > I've been spending some time with customers lately and I've > discovered an interesting thing. Many IT departments completely delegate > the settings on directory and file ACLs to the users who are interested > in the data. > > For example, on a given share for "Finance", the finance group is given > full control on the containing directory (ie. they're allowed to set ACLs > on everything within it) and are left alone to sort out their access > control as they wish. > > This is difficult on Samba with POSIX ACLs due to the fact that POSIX > ACLs can only be changed by the owner of the file/directory or root. > > Windows semantics allow the owner of a file/directory to always change > the ACL (as does POSIX), but the difference is that under Windows a group > can be the owner of a file/directory - with no user owner at all. > > Now I know the correct way to fix this is full NT ACL semantics and > we're moving towards that in the future but an easy stop-gap solution > for us is a new parameter, so I'm proposing a new parameter called > "acl group control". If set to True on a share then it would allow > both the owning user and the *primary group owner* of a file or directory > to change the ACL on it. > > This would allow a "finance" group to be the primary POSIX group owner > of a shared directory and then any member of that group could set > ACLs on it, whether they were the actual user owner or not. > > In conjunction with the ability to have group ownership of > files/directories > in a directory inherited from the parent by setting the SETGID bit on the > directory this should allow delegation of ACL control under Samba. > > Please let me know what you think - it's easy to add to the current > code but I'd like to get some user feedback before I do so. > > Cheers, > > Jeremy. > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba >
Jim McDonough
2005-Jul-19 12:05 UTC
[Samba] Re: Proposal to allow owning group to edit ACLs.
How big a crowbar would be needed to fit the samba4 acls in...? But generally, yes, this would be good. ---------------------------- Jim McDonough IBM Linux Technology Center Samba Team 6 Minuteman Drive Scarborough, ME 04074 USA jmcd at us dot ibm dot com jmcd at samba dot org Phone: 1-877-228-1846 IBM tie-line: 349-5335
David Collier-Brown
2005-Jul-19 12:09 UTC
[Samba] Re: Proposal to allow owning group to edit ACLs.
Jeremy Allison wrote:> Hi all, > > I've been spending some time with customers lately and I've > discovered an interesting thing. Many IT departments completely delegate > the settings on directory and file ACLs to the users who are interested > in the data.Yes, that's an interpretation of "Need to Know", in which anyone who has a need to know can designate another person as needing to now. This interpretation is avoided like the **plague** in Unix, where there is no higher-level "Mandatory Access Control" (MAC) to keep someone who isn't cleared from getting access to the data. In a MAC regime, a godlike person says "you passed the security check, you can work with data up to secret" and increases your authorization, then some individual says "you need to know", and changes an ACL to give you access.> For example, on a given share for "Finance", the finance group is given > full control on the containing directory (ie. they're allowed to set ACLs > on everything within it) and are left alone to sort out their access > control as they wish.And one assumes that anyone hired by finance passed the security check. Alas, a finance person might grant read to someone in marketing, and see a press release the next day with details that shouldn't be public (;-))> I'm proposing a new parameter called > "acl group control". If set to True on a share then it would allow > both the owning user and the *primary group owner* of a file or directory > to change the ACL on it.That's smart: could it optionally be set/overridden on a per-share basis, so the trusted groups could be controlled at a fairly fine granularity? --dave -- David Collier-Brown, | Always do right. This will gratify Sun Microsystems, Toronto | some people and astonish the rest davecb@canada.sun.com | -- Mark Twain (416) 263-5733 (x65733) |
Volker Lendecke
2005-Jul-19 15:02 UTC
[Samba] Re: Proposal to allow owning group to edit ACLs.
On Mon, Jul 18, 2005 at 03:47:31PM -0700, Jeremy Allison wrote:> Please let me know what you think - it's easy to add to the current > code but I'd like to get some user feedback before I do so.Yes, great idea I think. Do you remember when we talked about that at a conference about two years ago? We could not figure out a good way to control this. Having the group owner the ability to change acls is just a great idea. Thanks! Volker -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.samba.org/archive/samba/attachments/20050719/1940f3c1/attachment.bin
John Little
2005-Jul-19 15:12 UTC
[Samba] Re: Proposal to allow owning group to edit ACLs.
> > From: Jeremy Allison <jra@samba.org> > Subject: [Samba] Proposal to allow owning group to edit ACLs. > CC: samba@samba.org, jra@samba.org > Date: Mon, 18 Jul 2005 15:47:31 -0700 > To: samba-technical@samba.org > > Hi all, > > I've been spending some time with customers lately and I've > discovered an interesting thing. Many IT departments completely > delegate > the settings on directory and file ACLs to the users who are > interested > in the data. > > For example, on a given share for "Finance", the finance group is > given > full control on the containing directory (ie. they're allowed to set > ACLs > on everything within it) and are left alone to sort out their access > control as they wish. > > This is difficult on Samba with POSIX ACLs due to the fact that POSIX > ACLs can only be changed by the owner of the file/directory or root. > > Windows semantics allow the owner of a file/directory to always > change > the ACL (as does POSIX), but the difference is that under Windows a > group > can be the owner of a file/directory - with no user owner at all. > > Now I know the correct way to fix this is full NT ACL semantics and > we're moving towards that in the future but an easy stop-gap solution > for us is a new parameter, so I'm proposing a new parameter called > "acl group control". If set to True on a share then it would allow > both the owning user and the *primary group owner* of a file or > directory > to change the ACL on it. > > This would allow a "finance" group to be the primary POSIX group > owner > of a shared directory and then any member of that group could set > ACLs on it, whether they were the actual user owner or not. > > In conjunction with the ability to have group ownership of > files/directories > in a directory inherited from the parent by setting the SETGID bit on > the > directory this should allow delegation of ACL control under Samba. > > Please let me know what you think - it's easy to add to the current > code but I'd like to get some user feedback before I do so. > > Cheers, > > Jeremy. >Jeremy, While we try to avoid that practice at times it is easier to let the departments do it. Generally we set up the director or someone he designates as the owner to handle it so that it doesn't fly out of control. So yes that would be a useful feature for us and we could use the departmental admin group to make the changes. Regards, John Little Hendricks Regional Health Happiness is understanding how things work. __________________________________ Yahoo! Mail Stay connected, organized, and protected. Take the tour: http://tour.mail.yahoo.com/mailtour.html