Sébastien Le Ray
2015-May-13 15:30 UTC
[Samba] Posix vs. Windows File/Directory Permissions
On 13/05/2015 17:11, Rowland Penny wrote:
> On 13/05/15 16:08, Sébastien Le Ray wrote:
>>
>> On 13/05/2015 17:02, Rowland Penny wrote:
>>> On 13/05/15 13:38, Mike wrote:
>>>> I want to get a better understanding of what's happening between
>>>> the posix permissions and windows permissions.
>>>
>>> Nothing happens between posix permissions (acls) and windows
>>> permissions (ACLs), they are different, see:
>>
>> Well… Something happens since Windows ACLs are converted to UNIX ones
>> when using RSAT.
>
> No they aren't

Yes they are, a simple getfacl will show this fact (converted may not be the right word since not all windows permissions have a corresponding unix one)

>> Moreover, you'll not be able to set up initial Windows ACL if UNIX
>> ACLs do not allow the configuring user to do so (which is not
>> mentioned on the wiki)
>
> Do you mean this line that isn't on the wiki page I posted a link to :-)
>
> Log on to a Windows machine, using an account to which the
> “SeDiskOperatorPrivilege” was granted, or an account in a group with
> the granted privilege.

This isn't sufficient, try using a member of domain admins with the right privilege, you won't be able to change permissions if the folder isn't owned by you

On 13.05.2015 at 17:30, Sébastien Le Ray wrote:
>> No they aren't
>
> Yes they are

Not sure about this, but mostly irrelevant anyway, because of this effect in the other direction:

If you have set Windows ACLs, and then change unix permissions or acls, this will destroy the Windows ACLs. Changing owner or group from within Linux also has this side effect. For this reason it is better to use only Linux permissions (mode bits and acls), or only Windows ACLs, but not try to mix both.

On Wed, May 13, 2015 at 1:20 PM, Klaus Hartnegg <hartnegg at uni-freiburg.de> wrote:
> On 13.05.2015 at 17:30, Sébastien Le Ray wrote:
>
>>> No they aren't
>>
>> Yes they are
>
> Not sure about this, but mostly irrelevant anyway, because of this effect
> in the other direction:
>
> If you have set Windows ACLs, and then change unix permissions or acls,
> this will destroy the Windows ACLs. Changing owner or group from within
> Linux also has this side effect. For this reason it is better to use only
> Linux permissions (mode bits and acls), or only Windows ACLs, but not try
> to mix both.

Hello Klaus,

This is one of the concerns I am trying to determine. It does seem like it is difficult to keep both acl systems functioning together, and simply not optimal to do so. Using Rowland Penny's earlier example, I can see how a sysadmin can easily create conflicting permissions amongst multiple users, groups, and then OS acl types too.