In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions and ACLs on a file.
Even if Samba can emulate the “multi-owner” feature of Windows, our NethServer inherited the Posix ACL way and we cannot change it now. So in NS only root or the file owner can change the file permissions. With admin users option, root privileges can be easily granted to members of “Domain Admins” (or any other user/group).
We could implement a new shared folder profile flavor with Windows ACL in the future though.
What could happen in NethServer is:
The Domain Admins log on Server Manager, enable the special permissions perform privileged operations, then disable special permissions.
What is preventing us from mounting the filesystem with extended atrributes, and enabling Windows ACL’s ? SAMBA4 supports it out of the box, the needed modules are already loaded and afaik the only thing missing in the chain is the filesystem being mounted the correct way for this to work ? (On my ToTest list … )
If we implement permissions at the Windows/Samba ACL level we actually implement a permissions layer over the filesystem that is visible only to SMB clients. In other words if an user access to files with SCP or NFS the Windows ACLs are not enforced.
A similar situation happens with Dovecot. IMAP ACLs are implemented by the IMAP server. Everything under /var/lib/nethserver/vmail is owned by vmail user (dovecot). As long as everyone accesses mail through IMAP, ACLs are effective.
We can implement Windows ACL only if Samba is the only service that can access shared folders.
IIRC XFS (the default CentOS7 filesystem) has extended attributes enabled by default
test case 1.3
login with “admin” => change ACL on all content o.k.
test case 1.4
login with testuser 1 => create content o.k.
login with “admin” => access denied to home folder testuser
granted full controll to home directories => access still denied! test failed
Test case 2.0 account provider LDAP:
alternatives --list
libnssckbi.so.x86_64 auto /usr/lib64/pkcs11/p11-kit-trust.so
cifs-idmap-plugin auto /usr/lib64/cifs-utils/cifs_idmap_sss.so
ld auto /usr/bin/ld.bfd
mta auto /usr/sbin/sendmail.postfix
libwbclient.so.0.13-64 auto /usr/lib64/sssd/modules/libwbclient.so.0.13.0
Do you remember the “When a new file or directory is created in a shared folder…” feature? I’m going to change the default value for new installations:
Disable “Grant full control to the owner of the parent directory”
Enable “Grant full control to the creator”
The “Grant full control to the creator” option is more flexible because it enables the object creator to change the permissions on it, while still granting enough rights to the object owning group.