Re: [TESTERS needed] New POSIX permission handling

[David Macek <david dot macek dot 0 at gmail dot com>]

On 11. 4. 2015 10:47, Achim Gratz wrote:
> Corinna Vinschen writes:
>> - To accommodate Windows default ACLs, the new code ignores SYSTEM and
>>   Administrators group permissions when computing the MASK/CLASS_OBJ
>>   permission mask on old ACLs, and it doesn't deny access to SYSTEM and
>>   Administrators group based on the value of MASK/CLASS_OBJ when
>>   creating the new ACLs.

Out of curiosity, does the code somehow distinguish ACLs that don't have these default permissions (or have different permissions set for SYSTEM / Administrators)?

> Since you've now opened that can of worms of who is considered "root",
> what about "Domain Administrators" or "Power Users", for starters?
>
>>   That means, even if SYSTEM or Administrators have full access to the
>>   file, the POSIX permssion bits will not reflect that fact.  And while
>>   other users get access denied based on the mask value, SYSTEM and
>>   Administrators will never get access denied based on the mask.
> 
> If you want to put this to better use in larger settings it would seem
> preferrable if it was possible to define a list of users to treat this
> way in fstab.  I think this would help with the braindead settings
> NetApp filers are set up these days by default.  That generally means
> that some domain group(s) need to be considered root on the share
> depending on which share you are accessing.

Power Users don't have access to (almost) everything, like Administrators do. The Domain Administrators group is a member of Administrators, so unless I'm missing something, there's no reason to have them explicitely in the DACL. I'm not arguing against configurability though.

-- 
David Macek

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature