On Fri, Aug 12, 2016 at 07:27:00PM +0200, Reindl Harald via samba wrote:
>
> On 12.08.2016 at 18:57, Jeremy Allison via samba wrote:
> > On Fri, Aug 12, 2016 at 11:20:47AM -0500, Sergei Gerasenko via samba wrote:
> > > It looks like this is a long known issue:
> > >
> > > https://bugzilla.samba.org/show_bug.cgi?id=10792
> >
> > If by long known you mean "as designed". As Samba supports
> > ACL setting on files/directories we don't restrict what
> > happens to them after creation.
> >
> > For creation you can set "create mask" and "directory mask"
> > but the client can change it afterwards
>
> well, an option to ignore that client's wish (and the same for the
> normal unix permissions) would be nice because Apple stuff tends to
> try to be smarter than the admin who knows what permissions have to
> look like so that all users who need access have it
>
> and that is often *exactly* as the sharepoint with no exception
> because access to shares is granted by assigning users to specific
> group*s*

We used to have that. Was called "security mask" and "directory
security mask". It got removed as there was no way to differentiate
between the "create" action and "modify permissions" action at
the level below the VFS.

On 12.08.2016 at 19:40, Jeremy Allison wrote:
> On Fri, Aug 12, 2016 at 07:27:00PM +0200, Reindl Harald via samba wrote:
> >
> > On 12.08.2016 at 18:57, Jeremy Allison via samba wrote:
> > > On Fri, Aug 12, 2016 at 11:20:47AM -0500, Sergei Gerasenko via samba wrote:
> > > > It looks like this is a long known issue:
> > > >
> > > > https://bugzilla.samba.org/show_bug.cgi?id=10792
> > >
> > > If by long known you mean "as designed". As Samba supports
> > > ACL setting on files/directories we don't restrict what
> > > happens to them after creation.
> > >
> > > For creation you can set "create mask" and "directory mask"
> > > but the client can change it afterwards
> >
> > well, an option to ignore that client's wish (and the same for the
> > normal unix permissions) would be nice because Apple stuff tends to
> > try to be smarter than the admin who knows what permissions have to
> > look like so that all users who need access have it
> >
> > and that is often *exactly* as the sharepoint with no exception
> > because access to shares is granted by assigning users to specific
> > group*s*
>
> We used to have that. Was called "security mask" and "directory
> security mask". It got removed as there was no way to differentiate
> between the "create" action and "modify permissions" action at
> the level below the VFS

how can that be? i mean there is obviously a difference and samba is
losing track of whether it's now creating a new file or modifying an
existing one?

that permissions/acl stuff is *a real* problem for many setups when an
idiotic client is changing the permissions of a shared document, the
person goes on vacation and other team members no longer have write access

On 13.08.2016 at 12:48, Reindl Harald via samba wrote:
> that permissions/acl stuff is *a real* problem for many setups when an
> idiotic client is changing the permissions of a shared document, the
> person goes on vacation and other team members no longer have write access

Windows ACLs make it possible to differentiate: you can grant modify
permission, but not the permission to change the permissions. However
the usefulness of this is very limited, because both in Linux and
Windows the owner of files is always allowed to change permissions,
regardless of what the permissions say.

Yes, this is indeed idiotic. Today there is a trend away from home
directories to project directories, but this limitation of ACLs in
Linux and Windows is not very well suited for such directories.

It does not need to be like this. In Novell Netware the admin really
could decide who is allowed to change permissions. There this was the
A-permission, access-control, and even the owners of files could only
change permissions if the admin had granted them the A permission. They
were usually given this in their home directory, but not in project
directories, where many people need to have access.
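
Added example, not part of the thread and not Samba code: since clients can change permissions after creation, an admin-side check can walk a share and report (or restore) entries that have lost group access. The policy bits, the function names and the sample tree are assumptions made for illustration, and only Unix mode bits are checked, not ACLs.

```python
import os
import stat
import tempfile

# Assumed policy (not from the thread): every file must be group read/write,
# every directory group read/write/search.
FILE_BITS = stat.S_IRGRP | stat.S_IWGRP
DIR_BITS = FILE_BITS | stat.S_IXGRP


def find_permission_drift(share_root, repair=False):
    """Return sorted (relative_path, mode, missing_bits) for entries lacking group bits.

    With repair=True the missing bits are added back; no bit is ever removed.
    """
    drifted = []
    for dirpath, dirnames, filenames in os.walk(share_root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks out of the share
            if stat.S_ISDIR(st.st_mode):
                required = DIR_BITS
            elif stat.S_ISREG(st.st_mode):
                required = FILE_BITS
            else:
                continue  # symlinks, sockets, devices are not chmod targets
            mode = stat.S_IMODE(st.st_mode)
            missing = required & ~mode
            if missing:
                drifted.append((os.path.relpath(path, share_root), mode, missing))
                if repair:
                    os.chmod(path, mode | missing)
    return sorted(drifted)


def build_sample_share():
    """Constructed sample tree: one file a client has tightened to 0600."""
    root = tempfile.mkdtemp(prefix="share-")
    os.mkdir(os.path.join(root, "project"))
    os.chmod(os.path.join(root, "project"), 0o770)
    for name, mode in (("plan.txt", 0o660), ("budget.txt", 0o600)):
        path = os.path.join(root, "project", name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rel, mode, missing in find_permission_drift(build_sample_share()):
        print(f"{rel}: mode {mode:04o}, missing group bits {missing:03o}")
```

Run with `repair=True` from a scheduled job only if silently restoring group access matches the share's intended policy; report-only mode is the safer default.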