- 07-06-2010 #1
ACLs and MS Office
Hi All
I have been asked by my company's management to look into moving a file share server from Windows 2003 Server OS to Ubuntu 10.4 using Samba. I have successfully configured Active Directory authentication using winbind, have configured Samba, and am able to access my file share successfully.
The complication arises as a result of implementing ACL mappings on Linux, as I need fine-grained control over specific subfolders and files. From what I have read, I can't map all 13 permissions to the respective Unix rwx permissions. I have a use case where a certain group called A has read, write and execute rights on a folder/file but they shouldn't be allowed to delete the specific folder/file. On Windows, all I have to do is set up my security permissions to deny 'delete subfolders and files' and 'delete' and it works well. In the Linux world I understand I can't do this, as the user has rwx permissions on the folder/file and he can do whatever he likes.
I googled a lot around this issue and found that if I set the sticky bit on the directory I can still read and write the file or directory and won't be able to delete it. It works for most document types except MS Office. From the Samba help I figured that "Word does the following when you modify/change a Word document: MS Word creates a new document with a temporary name. Word then closes the old document and deletes it, then renames the new document to the original document name." (from the Samba HOWTO) So if the sticky bit is set on the directory containing Word files, for instance, Linux won't be able to delete the file (as required in write operations by MS Office) and hence comes back with an error.
I shall be highly obliged if someone can shed light on this issue. Alternatively, I would love to learn about other solutions for the use case mentioned.
Thanks in advance
Hass.
- 07-07-2010 #2
It is long and complicated.
Chapter 16. File, Directory, and Share Access Controls
People have asked on the Samba mailing list how is it possible to protect files or directories from deletion by users. For example, Windows NT/2K/XP provides the capacity to set access controls on a directory into which people can write files but not delete them. It is possible to set an ACL on a Windows file that permits the file to be written to but not deleted. Such concepts are foreign to the UNIX operating system file space. Within the UNIX file system anyone who has the ability to create a file can write to it. Anyone who has write permission on the directory that contains a file and has write permission for it has the capability to delete it.
For the record, in the UNIX environment the ability to delete a file is controlled by the permissions on the directory that the file is in. In other words, a user can delete a file in a directory to which that user has write access, even if that user does not own the file.
Of necessity, Samba is subject to the file system semantics of the host operating system. Samba is therefore limited in the file system capabilities that can be made available through Windows ACLs, and therefore performs a "best fit" translation to POSIX ACLs. Some UNIX file systems do, however, support a feature known as extended attributes. Only the Windows concept of inheritance is implemented by Samba through the appropriate extended attribute.


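The deletion rule and the Word save sequence discussed in this thread, modelled in Python as an added example (not code from either poster or from the Samba project). It assumes plain owner/group/other mode bits with no POSIX ACLs; `Node`, `may_unlink` and `word_save` are hypothetical names, and the UIDs, GIDs and modes are constructed sample values.

```python
import stat
from dataclasses import dataclass

@dataclass
class Node:
    """Owner, group and mode bits of a file or directory."""
    uid: int
    gid: int
    mode: int

def has_perm(node, uid, gids, want):
    """Classic owner/group/other check for the rwx bits in `want` (0-7)."""
    if uid == 0:
        return True
    if uid == node.uid:
        bits = node.mode >> 6
    elif node.gid in gids:
        bits = node.mode >> 3
    else:
        bits = node.mode
    return (bits & want) == want

def may_unlink(directory, victim, uid, gids):
    """Removing or renaming an entry needs w+x on the directory; with the
    sticky bit set, the caller must also own the entry or the directory."""
    if not has_perm(directory, uid, gids, 0o3):
        return False
    if directory.mode & stat.S_ISVTX and uid != 0:
        return uid in (victim.uid, directory.uid)
    return True

def word_save(directory, original, uid, gids):
    """Walk the save sequence quoted from the Samba HOWTO; return (step, ok) pairs."""
    steps = []
    ok = has_perm(directory, uid, gids, 0o3)             # create the temporary file
    steps.append(("create temp", ok))
    if ok:
        ok = may_unlink(directory, original, uid, gids)  # delete the old document
        steps.append(("delete original", ok))
    if ok:
        temp = Node(uid, directory.gid, 0o660)           # temp file is owned by the caller
        steps.append(("rename temp", may_unlink(directory, temp, uid, gids)))
    return steps

# Constructed sample: group-writable share with the sticky bit, document owned by uid 1000
SHARE = Node(uid=0, gid=500, mode=0o1770)
DOC = Node(uid=1000, gid=500, mode=0o660)
```

Calling `word_save(SHARE, DOC, 1001, {500})` for a group member who does not own the document stops at the delete step, while the same call with mode `0o0770` completes but also leaves that user free to delete the file outright.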