On 11. 4. 2015 10:47, Achim Gratz wrote:
> Corinna Vinschen writes:
>> - To accommodate Windows default ACLs, the new code ignores SYSTEM and
>>   Administrators group permissions when computing the MASK/CLASS_OBJ
>>   permission mask on old ACLs, and it doesn't deny access to SYSTEM and
>>   Administrators group based on the value of MASK/CLASS_OBJ when
>>   creating the new ACLs.

Out of curiosity, does the code somehow distinguish ACLs that don't have these default permissions (or have different permissions set for SYSTEM / Administrators)?

> Since you've now opened that can of worms of who is considered "root",
> what about "Domain Administrators" or "Power Users", for starters?
>
>> That means, even if SYSTEM or Administrators have full access to the
>> file, the POSIX permission bits will not reflect that fact.  And while
>> other users get access denied based on the mask value, SYSTEM and
>> Administrators will never get access denied based on the mask.
>
> If you want to put this to better use in larger settings it would seem
> preferable if it was possible to define a list of users to treat this
> way in fstab.  I think this would help with the braindead settings
> NetApp filers are set up these days by default.  That generally means
> that some domain group(s) need to be considered root on the share
> depending on which share you are accessing.

Power Users don't have access to (almost) everything, like Administrators do. The Domain Administrators group is a member of Administrators, so unless I'm missing something, there's no reason to have them explicitly in the DACL. I'm not arguing against configurability though.

--
David Macek
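A simplified model of the mask handling Corinna describes in the quoted text, added here as an illustration; it is not Cygwin's source and not code from anyone in this thread. The types, function names and sample ACL are assumptions made for the example; only the two well-known SIDs are real values.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of POSIX ACL entries; these are not Cygwin's own types. */
enum tag { USER_OBJ, USER, GROUP_OBJ, GROUP, OTHER_OBJ };
struct entry { enum tag tag; const char *sid; unsigned perms; /* 4=r 2=w 1=x */ };

/* Well-known SIDs of the two accounts the message says are special-cased. */
static const char *const exempt_sids[] = {
    "S-1-5-18",      /* NT AUTHORITY\SYSTEM */
    "S-1-5-32-544",  /* BUILTIN\Administrators */
};

/* Constructed sample: a Windows-default-style ACL plus an ordinary group. */
static const struct entry sample_acl[] = {
    { USER_OBJ,  "S-1-5-21-1-2-3-1001", 6 },  /* owner, rw- */
    { GROUP,     "S-1-5-18",            7 },  /* SYSTEM, rwx */
    { GROUP,     "S-1-5-32-544",        7 },  /* Administrators, rwx */
    { GROUP_OBJ, "S-1-5-21-1-2-3-513",  5 },  /* owning group, r-x */
    { OTHER_OBJ, "S-1-1-0",             4 },  /* Everyone, r-- */
};

static int is_exempt(const char *sid)
{
    for (size_t i = 0; i < sizeof exempt_sids / sizeof *exempt_sids; i++)
        if (strcmp(sid, exempt_sids[i]) == 0)
            return 1;
    return 0;
}

/* MASK/CLASS_OBJ for an old ACL: union of the group-class entries (named
   users, owning group, named groups), leaving out the exempt accounts. */
unsigned compute_mask(const struct entry *acl, size_t n)
{
    unsigned mask = 0;
    for (size_t i = 0; i < n; i++)
        if (acl[i].tag != USER_OBJ && acl[i].tag != OTHER_OBJ
            && !is_exempt(acl[i].sid))
            mask |= acl[i].perms;
    return mask;
}

/* When building a new ACL the mask limits group-class entries, but the
   exempt accounts are never denied access because of it. */
unsigned effective_perms(const struct entry *e, unsigned mask)
{
    if (e->tag == USER_OBJ || e->tag == OTHER_OBJ || is_exempt(e->sid))
        return e->perms;
    return e->perms & mask;
}
```

In this model the exemption is decided by the SID written in the entry itself, so any other group listed under its own SID is masked like an ordinary group.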