Hi,

I'm currently investigating implementing a Linux-Samba (RedHat 7.2 and Samba 2.2.3a) based domain solution. I think I'm at the final hurdle, which is to understand share and filesystem ACLs. I'm using Samba 2.2.3a compiled with ACL support and my shares reside on a partition with an XFS file system (ACL supported).

The Problem

Using the security mask and directory security mask parameters I can stop the standard u/g/w permissions from being changed on any file or directory for an entire share. However, other user/group entries beyond the default u/g/w in my XFS ACL can be changed. Thus a user with "Write" access to a file or directory they have created can change the access for a user\group who would normally have "Read" access to "Write", and my security model is broken. This "Write" access is actually "Full Control" in NT terms as, from what I understand, just rwxd (Change) access cannot be mapped correctly on to the XFS POSIX ACL.

Is this how Samba should function or have I just misconfigured my server? If this is how Samba functions currently, then is this being looked at with a view to adding control of the changing of permissions for all group\user entries within ACL-supported file systems?

Just for information, I have set the "write" user group to have "Change" level access on both the share permissions, via Server Manager, and on the XFS ACL, although this reverts to "Full Control" as mentioned above.

Work Around

I currently have a workaround for this, which is to compile Samba without ACL support yet still use XFS. This appears to allow the intended user access to the share via the XFS ACL yet stop all ACL entries being viewed by Windows clients; only the u/g/w is displayed. Changes to these u/g/w permissions can then be controlled for the share by using the standard security mask and directory security mask parameters. I haven't stress tested this configuration yet, and comments on the reliability of this workaround would be welcomed.

Any help would be appreciated.

Regards

Rob Thomas
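
An added audit sketch, not part of the original post: the condition described above (named user/group ACL entries widened to write by a file's owner) can be checked on the server by parsing `getfacl -R` output and listing named entries that effectively grant write outside an approved set. It assumes the text format printed by the `getfacl` utility; the paths, principals and the `widened_entries` helper are constructed for illustration.

```python
import re

# Constructed sample of `getfacl -R` output for two files on a share.
SAMPLE = """\
# file: projects/report.doc
# owner: rob
# group: writers
user::rw-
group::rw-
group:readers:rw-
mask::rw-
other::---

# file: projects/notes.txt
# owner: rob
# group: writers
user::rw-
user:alice:rwx
group::rw-
group:readers:r--
mask::r--
other::---
"""

# Named entries only: "user::" and "group::" (owner / owning group) do not match.
ENTRY = re.compile(r"^(user|group):([^:]+):([r-][w-][x-])")
MASK = re.compile(r"^mask::([r-][w-][x-])")

def widened_entries(getfacl_text, allowed_writers):
    """Return (path, tag, name, effective_perms) for each named ACL entry that
    effectively grants write to a principal not in allowed_writers."""
    findings = []
    for block in getfacl_text.strip().split("\n\n"):
        path, mask, named = None, "rwx", []
        for line in block.splitlines():
            if line.startswith("# file: "):
                path = line[len("# file: "):]
            elif m := MASK.match(line):
                mask = m.group(1)
            elif m := ENTRY.match(line):
                named.append(m.groups())
        for tag, name, perms in named:
            # POSIX ACL rule: a named entry's rights are limited by the mask entry.
            effective = "".join(p if p == k else "-" for p, k in zip(perms, mask))
            if "w" in effective and (tag, name) not in allowed_writers:
                findings.append((path, tag, name, effective))
    return findings

if __name__ == "__main__":
    for finding in widened_entries(SAMPLE, {("group", "writers")}):
        print("unexpected write access:", finding)
```
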