https://bugs.kde.org/show_bug.cgi?id=425203
--- Comment #3 from Harald Sitter <sit...@kde.org> ---
q.e.d. I guess ;)

abcde <- assume each character is a user and 'e' is everyone
rwf-r <- share ACL
      <- the user is logged in on the share now
f---- <- filesystem ACL (e.g. posix chmod bits)
      <- the user can do file operations on the share
f---- <- the files

The effective access granted is a=f, b=-, c=-. It is that way because the share ACL cannot give you permissions you do not possess on the filesystem. Whatever is on the filesystem line trumps whatever is on the share line.

The share ACL can take rights away though:

abcde <- assume each character is a user and 'e' is everyone
rwf-d <- share ACL
      <- the user is logged in on the share now
f---- <- filesystem ACL (e.g. posix chmod bits)
      <- the user can do file operations on the share
----- <- the files

Here nobody can do anything because everyone was denied to log into the share, e=d. The filesystem plays no part, the users aren't let into samba.

So what you could do is mirror the filesystem ACL and that'd be working with least astonishment:

abcde <- assume each character is a user and 'e' is everyone
f---- <- share ACL
      <- the user is logged in on the share now
f---- <- filesystem ACL (e.g. posix chmod bits)
      <- the user can do file operations on the share
f---- <- the files

That leads to a=f and everyone else cannot log into samba. That is the truest ACL but makes no sense practically, you now have to maintain the same ACL in two different places.

And that finally gets us to defaulting to everyone:fullaccess by default:

abcde <- assume each character is a user and 'e' is everyone
----f <- share ACL
      <- the user is logged in on the share now
f---- <- filesystem ACL (e.g. posix chmod bits)
      <- the user can do file operations on the share
f---- <- the files

You'll note that is the same as the first example albeit with zero complexity on the share ACL level. Most importantly though the only ACL that the user now actually needs to care about is the filesystem.

abcde <- assume each character is a user and 'e' is everyone
----f <- share ACL
      <- the user is logged in on the share now
f-r-- <- filesystem ACL (e.g. posix chmod bits)
      <- the user can do file operations on the share
f-r-- <- the files

Now c can read.

abcde <- assume each character is a user and 'e' is everyone
----f <- share ACL
      <- the user is logged in on the share now
f-rr- <- filesystem ACL (e.g. posix chmod bits)
      <- the user can do file operations on the share
f-r-- <- the files

Now d can read.

...

The only times where you want a restrictive share ACL is when the filesystem you share doesn't have a permission system or the filesystem permissions aren't quite right but also cannot be fixed for whatever reason.

So everyone:fullaccess doesn't give full access, it merely gives the users the same level of access that they have when they log in locally. It does mean that users only need to worry about the actual filesystem ACL, not the share ACL.
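
An added example, not part of the comment above or of any KDE or Samba code: since a share left at everyone:fullaccess is gated only by the filesystem, this audit lists each share's Everyone entry next to what the directory's mode bits grant "other". It assumes the shares are Samba usershares described in the key=value layout of `net usershare info`; the function names and the sample shares are constructed for illustration.

```python
import configparser
import os
import stat
import tempfile


def parse_acl(value):
    """'Everyone:F,alice:R,' -> {'everyone': 'F', 'alice': 'R'}"""
    acl = {}
    for entry in filter(None, (e.strip() for e in value.split(","))):
        who, _, level = entry.rpartition(":")
        acl[who.lower()] = level.upper()
    return acl


def other_access(path):
    """What the filesystem grants 'other' on a shared directory: f, r or -."""
    mode = os.stat(path).st_mode
    if not (mode & stat.S_IROTH and mode & stat.S_IXOTH):
        return "-"  # a directory needs r+x before it can be listed and entered
    return "f" if mode & stat.S_IWOTH else "r"


def audit(usershare_text):
    """Map share name -> (share ACL level for Everyone, filesystem access for other)."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(usershare_text)
    return {
        name: (parse_acl(cfg[name].get("usershare_acl", "")).get("everyone", "-"),
               other_access(cfg[name]["path"]))
        for name in cfg.sections()
    }


def demo():
    """Constructed sample: three directories, all shared with Everyone:F."""
    with tempfile.TemporaryDirectory() as root:
        text = ""
        for name, mode in {"private": 0o700, "readable": 0o755, "dropbox": 0o777}.items():
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, mode)
            # Assumed layout of one `net usershare info` entry.
            text += (f"[{name}]\npath={path}\ncomment=\n"
                     "usershare_acl=Everyone:F,\nguest_ok=n\n\n")
        return audit(text)


if __name__ == "__main__":
    for share, (share_level, fs_level) in demo().items():
        print(f"{share}: share ACL Everyone:{share_level}, filesystem other={fs_level}")
```

All three sample shares carry the same share ACL, yet the report differs per directory, which is the row to review when the share ACL is left at its default.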