I am running 3.0.22, with ACLs on an EXT3 file system. The system is "Debian stable" but has been upgraded to the 2.6.16.9 kernel.

I am setting up a Samba share with Windows 2003 AD and would like any Windows user to be able to change the ACL for a file or folder if they are a member of a group that has write access to the file or folder in question.

On first inspection it looked like the "ACL GROUP CONTROL" feature that arrived in 3.0.22 would help to solve this. What I found was that if I set the "ACL GROUP CONTROL = TRUE" setting in SMB.CONF, then any user could change the ACL for a file/folder if they were a member of the primary GID of the file/folder even if that primary GID did not have write access.

I checked the code in "source/smbd/posix_acls.c" and as far as I can tell it only checks that the user is a member of the group that the file has as its primary GID, but it doesn't check that the primary GID also has write access to the file. You could, for example, have a "0700" set of UNIX access flags and a user who was a member of the primary GID could still change the ACL.

Is my understanding correct?
If it is, is there a known work-around?

Thanks in advance,

Roger
On Sun, May 14, 2006 at 10:21:20PM +0100, Roger Lucas wrote:

> What I found was that if I set the "ACL GROUP CONTROL = TRUE" setting in
> SMB.CONF, then any user could change the ACL for a file/folder if they were
> a member of the primary GID of the file/folder even if that primary GID did
> not have write access.

Yes, that's by design.

> I checked the code in "source/smbd/posix_acls.c" and as far as I can tell it
> only checks that the user is a member of the group that the file has as its
> primary GID but it doesn't check that the primary GID also has write access
> to the file. You could, for example, have a "0700" set of UNIX access flags
> and a user who was a member of the primary GID could still change the
> ACL.
>
> Is my understanding correct?
> If it is, is there a known work-around?

No - it treats anyone who is in the primary group owner as though they were the owner of the file. The owner of a file can change the ACL even if they don't have write access. This is how it's supposed to work (and does when a file is owned by a group on Windows).

Jeremy.
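The rule Jeremy states, written out as a small model so the 0700 case is easy to see. This is an added example, not code from Samba's posix_acls.c: it models the decision ("owner, or with acl group control a member of the file's primary group, may rewrite the ACL; the mode bits are not consulted") and, beside it, the stricter behaviour Roger was hoping for, which is hypothetical and not a Samba option. The uids, gids and user names are constructed for the example.

```python
import stat

# Constructed sample inode metadata and users for the worked example
# (not taken from the thread).
FILE_UID = 1000                 # owner "roger"
FILE_GID = 2000                 # primary group "finance"
ROGER = (1000, {1000, 2000})    # the owner
BOB = (1001, {1001, 2000})      # in "finance", not the owner
EVE = (1002, {1002})            # neither owner nor group member


def can_change_acl(mode, file_uid, file_gid, uid, gids, acl_group_control):
    """Model of the Samba 3.0.22 rule as Jeremy describes it.

    The owner may always rewrite the ACL, write bit or not. With
    'acl group control = yes' a member of the file's primary group is
    treated as owner-equivalent. Note that `mode` is deliberately never
    consulted: that is exactly the behaviour Roger observed on a 0700 file.
    """
    if uid == file_uid:
        return True
    if acl_group_control and file_gid in gids:
        return True
    return False


def can_change_acl_group_write_required(mode, file_uid, file_gid, uid, gids):
    """Hypothetical stricter variant (not a Samba option): group members
    may change the ACL only if the group also has the write bit on the file."""
    if uid == file_uid:
        return True
    return file_gid in gids and bool(mode & stat.S_IWGRP)


def evaluate(mode):
    """Who may change the ACL of a file with the given mode, under each rule."""
    users = {"roger": ROGER, "bob": BOB, "eve": EVE}
    result = {}
    for name, (uid, gids) in users.items():
        result[name] = {
            "samba_default": can_change_acl(mode, FILE_UID, FILE_GID, uid, gids, False),
            "samba_acl_group_control": can_change_acl(mode, FILE_UID, FILE_GID, uid, gids, True),
            "require_group_write": can_change_acl_group_write_required(mode, FILE_UID, FILE_GID, uid, gids),
        }
    return result


if __name__ == "__main__":
    for mode in (0o700, 0o770):
        print(f"mode {mode:04o}")
        for user, rules in evaluate(mode).items():
            print(f"  {user:6} {rules}")
```

For a 0700 file, bob (a "finance" member) is allowed under "acl group control" even though his group has no access at all, and denied under the group-write variant; on a 0770 file both rules agree. If the group-write behaviour is what a deployment needs, the practical consequence of the thread is that it has to come from how group ownership and group write bits are assigned on the share, not from this option.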