Normally, the sysadmin appoints a group that has ownership, or as only right, the right to change permissions (and thus add rights). Ownership is a bit nasty, it will mess up permissions. The right to change permissions requires better logging to avoid people doing unauthorized things.
When procedures require the admins to access shares, they give themselves, the auditors, or whomever the required access, but this is then logged.
Afterwards they restore permissions to a state where only those users that require access to the share for their work have access, and admins are able to add rights.
In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions and ACLs on a file.
Even if Samba can emulate the “multi-owner” feature of Windows, our NethServer inherited the POSIX ACL way and we cannot change it now. So in NS only root or the file owner can change the file permissions. With the admin users option, root privileges can be easily granted to members of “Domain Admins” (or any other user/group).
We could implement a new shared folder profile flavor with Windows ACL in the future though.
What could happen in NethServer is:
The Domain Admins log on to Server Manager, enable the special permissions, perform privileged operations, then disable special permissions.
What is preventing us from mounting the filesystem with extended attributes and enabling Windows ACLs? SAMBA4 supports it out of the box, the needed modules are already loaded, and afaik the only thing missing in the chain is the filesystem being mounted the correct way for this to work? (On my ToTest list …)
If we implement permissions at the Windows/Samba ACL level, we actually implement a permissions layer over the filesystem that is visible only to SMB clients. In other words, if a user accesses files with SCP or NFS, the Windows ACLs are not enforced.
A similar situation happens with Dovecot. IMAP ACLs are implemented by the IMAP server. Everything under /var/lib/nethserver/vmail is owned by vmail user (dovecot). As long as everyone accesses mail through IMAP, ACLs are effective.
We can implement Windows ACL only if Samba is the only service that can access shared folders.
IIRC XFS (the default CentOS7 filesystem) has extended attributes enabled by default.
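The point made above, that Windows ACLs kept by Samba are enforced only for SMB clients, can be checked on a share by listing entries that carry an NT ACL while their POSIX mode bits still grant group or other access, which is what SCP or NFS would honour. This is an added example, not code from the thread or from NethServer; it assumes the NT ACL is stored in the security.NTACL extended attribute (Samba's acl_xattr module) and that it runs as root. The function names and the sample share are constructed.

```python
import os
import stat
import tempfile

# Assumption: xattr where Samba's acl_xattr VFS module keeps the NT ACL.
NTACL_XATTR = "security.NTACL"

def has_nt_acl(path, getxattr=None):
    """True if the entry carries a Samba NT ACL blob in its extended attributes."""
    reader = getxattr or getattr(os, "getxattr", None)
    if reader is None:            # platform without xattr support
        return False
    try:
        reader(path, NTACL_XATTR)
        return True
    except OSError:               # attribute absent or not readable
        return False

def posix_exposure(mode):
    """Non-owner access granted by the POSIX mode bits, as enforced outside SMB."""
    checks = [(stat.S_IRGRP, "group-read"), (stat.S_IWGRP, "group-write"),
              (stat.S_IROTH, "other-read"), (stat.S_IWOTH, "other-write")]
    return [name for bit, name in checks if mode & bit]

def audit_share(root, getxattr=None):
    """List (relative path, exposure) for entries with an NT ACL and open POSIX bits."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):    # symlink mode bits are not meaningful
                continue
            exposure = posix_exposure(mode)
            if exposure and has_nt_acl(path, getxattr):
                findings.append((os.path.relpath(path, root), exposure))
    return sorted(findings)

def demo():
    """Constructed share; a fake xattr reader stands in for ACLs written by Samba."""
    with tempfile.TemporaryDirectory() as share:
        for name, mode in (("payroll.xlsx", 0o644), ("notes.txt", 0o600), ("plain.txt", 0o644)):
            path = os.path.join(share, name)
            open(path, "w").close()
            os.chmod(path, mode)
        def fake_getxattr(path, attr):
            if os.path.basename(path) == "plain.txt":
                raise OSError("no NT ACL on this file")
            return b"constructed"
        return audit_share(share, fake_getxattr)
```

On a real share, call audit_share with the share path and no second argument; where POSIX ACLs are also set, the group bits show the ACL mask, so review those entries with getfacl as well.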
test case 1.3
login with “admin” => change ACL on all content o.k.
test case 1.4
login with testuser 1 => create content o.k.
login with “admin” => access denied to home folder testuser
granted full control to home directories => access still denied! test failed
Test case 2.0 account provider LDAP:
alternatives --list
libnssckbi.so.x86_64 auto /usr/lib64/pkcs11/p11-kit-trust.so
cifs-idmap-plugin auto /usr/lib64/cifs-utils/cifs_idmap_sss.so
ld auto /usr/bin/ld.bfd
mta auto /usr/sbin/sendmail.postfix
libwbclient.so.0.13-64 auto /usr/lib64/sssd/modules/libwbclient.so.0.13.0