Re: [Samba] Allow single sub-folder access on an otherwise prohibited share - why does the solution work?




This wasn't a very good answer to the initial question. I presume you're
using acl_xattr, which I'm not overly familiar with (I use ZFS ACLs). In
general, users need the x-bit to be able to traverse the file tree in which
a share is located (in addition to whatever ACLs may be defined in the
xattr). Perhaps take a close look at both the ACL and the underlying
filesystem permissions. In theory, it's possible that when you added the
user to the teaching group, that particular group had the x-bit for the
share, then the final explicit ACL took precedence as you defined the
filesystem ACLs. Permissions can be tricky.

It's worth noting that with ZFS ACLs, IIRC, deny always takes precedence.

On Wed, Jul 5, 2017 at 9:00 AM, Andrew Walker <walker.aj325@xxxxxxxxx>
wrote:

>> Why is the second method working (and working as expected)? The only info
>> I found on the web is that DENY takes precedence over ALLOW, which does not
>> explain my finding, right?
>>
>
> In Windows, explicit permissions take precedence over inherited
> permissions, even inherited deny permissions.
> https://technet.microsoft.com/en-us/library/cc783530(v=ws.10).aspx
>
> Samba apparently does the same.
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
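
The precedence described in the quoted reply, as an added example that is not part of the original thread: a small model of the documented Windows ACE ordering (explicit deny, explicit allow, inherited deny, inherited allow) with a first-match access check. It is not Samba's code; the trustee names, permission bits and scenario are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed permission bits for the example, not real Windows access-mask values.
READ, WRITE, TRAVERSE = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    trustee: str     # user or group name
    mask: int        # permission bits this entry covers
    inherited: bool  # True if the entry came from a parent folder

def canonical_order(aces):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(aces, principals, wanted):
    """Walk the ACEs in order; the first entry to settle a requested bit wins."""
    remaining = wanted
    for ace in aces:
        if ace.trustee not in principals:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False  # bits that were never granted are implicitly denied

# Constructed scenario: the share denies a group, one sub-folder allows one user.
INHERITED_DENY = Ace("deny", "students", READ | TRAVERSE, inherited=True)
EXPLICIT_ALLOW = Ace("allow", "alice", READ | TRAVERSE, inherited=False)
EXPLICIT_DENY = Ace("deny", "students", READ | TRAVERSE, inherited=False)
ALICE = {"alice", "students"}  # the user plus her group membership

def subfolder_access():
    # Explicit allow sorts ahead of the inherited deny, so it is evaluated first.
    return access_check(canonical_order([INHERITED_DENY, EXPLICIT_ALLOW]), ALICE, READ)

def share_root_access():
    # On the share itself the deny is explicit and nothing allows alice.
    return access_check(canonical_order([EXPLICIT_DENY]), ALICE, READ)

def both_explicit_access():
    # Same inheritance level: deny sorts first, so "DENY beats ALLOW" holds here.
    return access_check(canonical_order([EXPLICIT_ALLOW, EXPLICIT_DENY]), ALICE, READ)

if __name__ == "__main__":
    print(subfolder_access(), share_root_access(), both_explicit_access())
```

"DENY takes precedence over ALLOW" therefore only holds between entries at the same inheritance level, which is why the sub-folder's explicit allow is reached before the deny inherited from the share.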