
Re: ACL inheritance, group supervisors, rwX access



* martin f krafft wrote on 26.10.04 at 16:21:
> If you are good with POSIX ACLs, I would appreciate if you could
> take a look at
> 
>   http://people.debian.org/%7Eterpstra/message/20041026.105727.f688af8f.en.html
> 
> Post your comments here, if you wish, I shall funnel the solution
> and important points over to the other list... (unless you tell me
> not to).
> 

AFAIK what you want to do is not possible because Samba does not
support NT ACLs yet. With NT ACLs you could say "Students are not
allowed to change ACLs" and you were done.

To make normal ACL inheritance work you need the user_xattr mount
option and the smb.conf "map acl inherit = yes" parameter. This way
a user.SAMBA_PAI xattr will be created to store ACL inheritance
behavior.

But that would not be a solution for you if you give the students
full access to their directories because they could simply remove
your supervisor account from the ACL of any of their files.

Maybe a solution would be to audit ACL changes (sys_acl_set_file)
and to run a cron script that ensures supervisor access to all
files. But that's an ugly hack. Has anybody a better solution?
Best thing to do this right now would be to hack a new vfs module
that prevents a special user from being removed from an ACL (IMO).

IIRC samba4 will support NT ACLs. Then this will not be a problem
anymore...

-marc
-- 
<NES> *lol* I download something from Napster
<NES> And the same guy I downloaded it from starts downloading it from me when I'm done
<NES> I message him and say "What are you doing? I just got that from you"
<NES> "getting my song back fscker"
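
The cron approach mentioned in the message above, sketched as an added example (not part of the original post and not Samba code). The account name `supervisor`, the function names `acl_lacks_rw` and `repair_tree`, and the path in the last comment are assumptions; it relies on `getfacl`/`setfacl` and repairs access ACLs only, not default ACLs on directories.

```sh
#!/bin/sh
# Added example, not from the original post. Assumed names: the account
# "supervisor" and the functions acl_lacks_rw / repair_tree.
SUPERVISOR="${SUPERVISOR:-supervisor}"

# Reads `getfacl` output on stdin. Returns 0 when user $1 has no access
# entry with effective read+write, 1 when the entry is intact.
acl_lacks_rw() {
    awk -F: -v u="$1" '
        $1 == "user" && $2 == u {
            perms = $3
            # getfacl appends "#effective:" when the mask cuts the entry down
            if (match($0, /#effective:/))
                perms = substr($0, RSTART + RLENGTH, 3)
            if (perms ~ /^rw/) found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Walks $1 and re-adds the entry where it is missing or masked.
# rwX grants execute only on directories and already-executable files;
# setfacl -m also recomputes the mask so the entry becomes effective again.
repair_tree() {
    find "$1" -xdev \( -type f -o -type d \) -print |
    while IFS= read -r path; do
        if getfacl -p "$path" 2>/dev/null | acl_lacks_rw "$SUPERVISOR"; then
            setfacl -m "u:${SUPERVISOR}:rwX" "$path" &&
                printf 'repaired %s\n' "$path"
        fi
    done
}

# Run from cron as root, e.g.: repair-acl.sh /home/students  (constructed path)
if [ "$#" -gt 0 ]; then
    repair_tree "$1"
fi
```

Access is only restored at the next run, so the supervisor entry can be absent between runs. Paths containing newlines are not handled by the `read` loop.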
