miguel medalha
2021-Jul-26 22:11 UTC
[Samba] Is "acl_xattr:ignore system acl = yes" recommended?
> Since Samba has root access, wouldn't it be possible, when using acl_xattr:ignore_system_acls, > to set permissions to 600/700 instead and let Samba do the translation and authorize access based > only on what is stored in the "security.NTACL" extended attribute by acl_xattr?Or even 660/770 if owner and group were to be root:root. It's the "others" part that is problematic.
Rowland Penny
2021-Jul-27 06:40 UTC
[Samba] Is "acl_xattr:ignore system acl = yes" recommended?
On Mon, 2021-07-26 at 23:11 +0100, miguel medalha wrote:> > Since Samba has root access, wouldn't it be possible, when using > > acl_xattr:ignore_system_acls, > > to set permissions to 600/700 instead and let Samba do the > > translation and authorize access based > > only on what is stored in the "security.NTACL" extended attribute > > by acl_xattr? > > Or even 660/770 if owner and group were to be root:root. It's the > "others" part that is problematic. >I never gave this much thought, but now I have, can someone explain why the parameter 'acl_xattr:ignore system acls' doesn't do what it says on the tin (English joke) if it is set to yes ? It appears that it doesn't ignore the system acls, it sets them ! Rowland