Ralph Boehme
2024-Jan-31  09:09 UTC
[Samba] Behavior of acl_xattr:ignore system acls = yes on a share
On 1/31/24 09:50, Peter Milesson via samba wrote:
> The crucial problem here is, that Everyone (yes, really everyone) can
> write to the root share.

why don't you just change it? That's how it's supposed to work.

-slow

-- 
SerNet Samba Team Lead https://samba.plus/
Samba Team Member https://samba.org/
SAMBA+ packages https://samba.plus/
SerNet Samba Support, Consulting and Development
Rowland Penny
2024-Jan-31  10:19 UTC
[Samba] Behavior of acl_xattr:ignore system acls = yes on a share
On Wed, 31 Jan 2024 10:09:53 +0100 Ralph Boehme via samba <samba at lists.samba.org> wrote:
> On 1/31/24 09:50, Peter Milesson via samba wrote:
> > The crucial problem here is, that Everyone (yes, really everyone)
> > can write to the root share.
>
> why don't you just change it? That's how it's supposed to work.
>
> -slow
>

It might be supposed to work that way, but it doesn't appear to do so.

When I logged into Windows and connected to a share that has 'acl_xattr:ignore system acls = yes' set and right clicked on its icon in Explorer and selected 'Properties', I found that 'EVERYONE' was listed. I removed 'EVERYONE', clicked 'Apply' then 'OK', which completed without error. 'EVERYONE' is no longer listed on Windows, but if I go to the machine that holds the share and run 'samba-tool ntacl get /srv/acl3 --as-sddl', I get this:

O:S-1-22-1-0G:S-1-22-2-0D:AI(A;OICI;FA;;;S-1-22-1-0)(A;OICI;0x1200a9;;;DU)(A;OICI;0x1200a9;;;DU)(A;;FA;;;S-1-22-2-0)(A;;FA;;;S-1-22-2-0)(A;;FA;;;S-1-22-1-0)(A;;FA;;;WD)(A;OICIIO;FA;;;CO)(A;OICIIO;0x1200a9;;;S-1-22-2-0)(A;OICIIO;0x1200a9;;;CG)(A;OICIIO;0x1200a9;;;WD)

'WD' is Windows speak for 'EVERYONE'.

Rowland
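
An added example, not part of the thread and not Samba code: a small Python check that reads the DACL from 'samba-tool ntacl get --as-sddl' output and lists the allow ACEs that still grant Everyone (WD / S-1-1-0) write-class access. The function names, the rights table (a subset of the SDDL abbreviations) and the choice of write bits are assumptions of this example; SAMPLE is the SDDL string quoted in the message above.

```python
import re

# SDDL rights abbreviations -> access mask (subset; an unknown one raises KeyError).
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "GA": 0x10000000, "GW": 0x40000000}
# Write data, append, delete child, DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_ALL/WRITE.
WRITE_BITS = (0x2 | 0x4 | 0x40 | 0x10000 | 0x40000 | 0x80000
              | 0x10000000 | 0x40000000)
EVERYONE = {"WD", "S-1-1-0"}

# SDDL output quoted in the message above.
SAMPLE = ("O:S-1-22-1-0G:S-1-22-2-0D:AI(A;OICI;FA;;;S-1-22-1-0)"
          "(A;OICI;0x1200a9;;;DU)(A;OICI;0x1200a9;;;DU)(A;;FA;;;S-1-22-2-0)"
          "(A;;FA;;;S-1-22-2-0)(A;;FA;;;S-1-22-1-0)(A;;FA;;;WD)"
          "(A;OICIIO;FA;;;CO)(A;OICIIO;0x1200a9;;;S-1-22-2-0)"
          "(A;OICIIO;0x1200a9;;;CG)(A;OICIIO;0x1200a9;;;WD)")

def parse_dacl(sddl):
    """Return the DACL's ACEs as dicts: type, flags (list), mask (int), sid."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, flags, rights, _obj, _inh, sid = body.split(";")[:6]
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)          # numeric access mask
        else:
            mask = 0                        # two-letter abbreviations, OR-ed
            for i in range(0, len(rights), 2):
                mask |= RIGHTS[rights[i:i + 2]]
        aces.append({"type": ace_type, "flags": re.findall("..", flags),
                     "mask": mask, "sid": sid})
    return aces

def everyone_write_aces(sddl):
    """Allow ACEs for Everyone whose mask contains any write-class bit."""
    return [a for a in parse_dacl(sddl)
            if a["type"] == "A" and a["sid"] in EVERYONE
            and a["mask"] & WRITE_BITS]

if __name__ == "__main__":
    for ace in everyone_write_aces(SAMPLE):
        # "IO" in flags means inherit-only: it applies to children, not this object.
        scope = "children only" if "IO" in ace["flags"] else "this object"
        print(f"Everyone allow mask={ace['mask']:#x} "
              f"flags={ace['flags']} applies to {scope}")
```

On the quoted output this reports the '(A;;FA;;;WD)' entry; the second WD entry is inherit-only with mask 0x1200a9 and carries no write bits.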
Peter Milesson
2024-Jan-31  10:38 UTC
[Samba] Behavior of acl_xattr:ignore system acls = yes on a share
On 31.01.2024 10:09, Ralph Boehme via samba wrote:
> On 1/31/24 09:50, Peter Milesson via samba wrote:
>> The crucial problem here is, that Everyone (yes, really everyone) can
>> write to the root share.
>
> why don't you just change it? That's how it's supposed to work.
>
> -slow
>

Hi Ralph,

Unfortunately, that doesn't work. In share permissions, it's not possible to remove Everyone, nor add another security object. Clicking OK, the dialog closes without any errors, but opening it again, Everyone is still there. I was sure to start Computer Management as Administrator.

If it would be possible to set share permissions, then it would be usable.

Best regards,

Peter