Prevent owner from changing permissions on network share


Solution 1

Ok, figured it out. In Windows you have only 3 choices on the share level: read, change, full control.

[screenshot: windows acl]

In the appliance you have the full set of permissions on the share level and a dropdown box to choose from.

[screenshot: sun acl]

If you choose "Modify" in the upper left corner, the checkmarks will be set accordingly. The checkmark "Delete Child", however, is not set when you choose "Modify", and this is the problem. If I choose "Modify" and check "Delete Child" on the share level, plus set "Modify" for Domain Users on the Root Directory, everything works as expected.

Solution 2

Quoting the question's update: "is obviously related to the Sun Appliance. Something like inheritance behaviour or similar on the appliance itself. I will look into that."

No, it is how Windows ACLs work. The owner is always allowed to change ACLs on her objects. You can prevent this for shared content by using a share which only allows "Everyone:Modify" permissions, as this will "filter out" any change-ACL requests at the share level. If you want to allow your Administrators to change ACLs, just add "Storage Admins:Full Control" to the share permissions.
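The filtering the answer describes follows from how SMB access is evaluated: the requester's NTFS rights (including the owner's implied right to change the DACL) are AND-ed with whatever the share ACL grants, and the share-level "Change" mask simply does not contain the change-permissions bit. The following is an added example and not code from the thread; it models that evaluation in Python with the documented Windows access-mask constants, while the principals (alice, carol, bob), the group names and the ACLs are constructed to mirror the setup in the question. It covers the three share configurations the asker tried and shows the behaviour the answer attributes to Windows, not whatever the appliance does with its share settings.

```python
"""Model of how a file request over SMB is checked against both the share ACL
and the NTFS ACL, with the owner's implied WRITE_DAC right included.

Added example, not code from the thread. Access-mask bit values are the
documented Windows constants; principals, group names and the ACLs below are
constructed to mirror the setup discussed in the question.
"""

# Access-mask bits (values as defined in winnt.h).
FILE_READ_DATA        = 0x00000001
FILE_WRITE_DATA       = 0x00000002
FILE_APPEND_DATA      = 0x00000004
FILE_READ_EA          = 0x00000008
FILE_WRITE_EA         = 0x00000010
FILE_EXECUTE          = 0x00000020
FILE_DELETE_CHILD     = 0x00000040
FILE_READ_ATTRIBUTES  = 0x00000080
FILE_WRITE_ATTRIBUTES = 0x00000100
DELETE                = 0x00010000
READ_CONTROL          = 0x00020000
WRITE_DAC             = 0x00040000  # "Change permissions" in the Security tab
WRITE_OWNER           = 0x00080000  # "Take ownership"
SYNCHRONIZE           = 0x00100000

# The three share-level choices Windows offers, as access masks.
SHARE_READ   = 0x001200A9
SHARE_CHANGE = 0x001301BF  # read + write + DELETE, but no WRITE_DAC / WRITE_OWNER
SHARE_FULL   = 0x001F01FF  # FILE_ALL_ACCESS

# The NTFS basic permissions used in the thread map onto the same masks.
NTFS_MODIFY = SHARE_CHANGE
NTFS_FULL   = SHARE_FULL

# The owner of an object is always granted these, whatever the DACL says.
OWNER_IMPLIED = READ_CONTROL | WRITE_DAC


def granted_mask(acl, principals):
    """OR together the allow ACEs that apply to any of the requester's principals.

    acl is a list of (principal, access_mask) allow entries; deny ACEs are left
    out of this model because the thread only uses allow entries.
    """
    mask = 0
    for principal, rights in acl:
        if principal in principals:
            mask |= rights
    return mask


def effective_access(share_acl, fs_acl, principals, owner):
    """Effective rights over SMB: filesystem rights (plus the owner's implied
    rights) AND-ed with what the share ACL grants. Anything the share does not
    grant is filtered out before the filesystem ACL matters."""
    fs_mask = granted_mask(fs_acl, principals)
    if owner in principals:
        fs_mask |= OWNER_IMPLIED
    return fs_mask & granted_mask(share_acl, principals)


# Constructed principals: alice is an ordinary domain user who created (and
# therefore owns) a subfolder; carol is another domain user; bob is a member
# of Storage_Admins.
ALICE = frozenset({"Everyone", "Domain Users", "alice"})
CAROL = frozenset({"Everyone", "Domain Users", "carol"})
BOB   = frozenset({"Everyone", "Domain Users", "Storage_Admins", "bob"})

# Root-directory ACL from the question, inherited by alice's subfolder.
FS_ACL = [("Storage_Admins", NTFS_FULL), ("Domain Users", NTFS_MODIFY)]

# The three share-level ACLs the asker tried.
SHARE_EVERYONE_FULL = [("Everyone", SHARE_FULL)]
SHARE_EVERYONE_CHANGE = [("Everyone", SHARE_CHANGE)]
SHARE_CHANGE_PLUS_ADMINS = [("Everyone", SHARE_CHANGE), ("Storage_Admins", SHARE_FULL)]


def evaluate(share_acl, requester, owner="alice"):
    """Summarise what a requester can do to alice's subfolder through the share."""
    eff = effective_access(share_acl, FS_ACL, requester, owner)
    return {
        "write": bool(eff & FILE_WRITE_DATA),
        "delete": bool(eff & DELETE),
        "change_permissions": bool(eff & WRITE_DAC),
        "take_ownership": bool(eff & WRITE_OWNER),
    }


if __name__ == "__main__":
    for name, share_acl in [("Everyone:Full", SHARE_EVERYONE_FULL),
                            ("Everyone:Change", SHARE_EVERYONE_CHANGE),
                            ("Everyone:Change + Storage_Admins:Full", SHARE_CHANGE_PLUS_ADMINS)]:
        print(f"share = {name}")
        for who, principals in [("alice (owner)", ALICE), ("carol", CAROL), ("bob (admin)", BOB)]:
            print(f"  {who:14} {evaluate(share_acl, principals)}")
```

Running the script prints one table per share configuration: with Everyone:Full the owner keeps change-permissions through her implied right; with Everyone:Change alone both the owner and the admin lose it; adding Storage_Admins:Full at the share level restores it for the admin only, while ordinary users keep write and delete.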


Author: duenni

Updated on September 18, 2022

Comments

  • duenni
    duenni almost 2 years

    We have a Sun Storage Appliance (7110) with an SMB/CIFS share configured. It is joined to our Active Directory. What I am trying to accomplish is: ordinary Domain Users (builtin AD group) should have access to the drive with rights to modify files and folders but not to change permissions (because a user could lock everyone else out of a folder, including administrators). Users in the AD group "Storage_Admins" should have full control on the drive. There are two places to configure user rights: Share Level ACL and Root Directory ACL. As far as I know the best practice would be to grant Everyone Full Control on the Share Level and do everything else on the Root Directory ACL, but it doesn't work this way. What I did so far:

    • Share Level: Everyone - Full Control
      Root Directory: Storage_Admins - Full Control / Domain Users - Modify
      Result: Domain Users can change permissions on folders they created but not on the root folder

    • Share Level: Everyone - Modify
      Root Directory: Storage_Admins - Full Control / Domain Users - Modify
      Result: Domain Users can not change permissions on folders, but Admins also can't change them. Domain Users can't rename or delete folders.

    • Share Level: Everyone - Modify / Storage_Admins - Full Control
      Root Directory: Storage_Admins - Full Control / Domain Users - Modify
      Result: Domain Users can not change permissions on folders, but Admins also can't change them. Domain Users can't rename or delete folders.

    I have read an article on Technet and found this:

    "The owner has an implied right to allow or deny other users permission to use the object, and this right cannot be withdrawn."

    I think that's exactly the problem. If a user creates a folder he is the owner and can change permissions on that folder. So is there any way to prevent this behaviour? What is a best practice to configure permissions on network drives? Taking the ownership away is not an option because afterwards nobody can figure out who created what file. Thanks in advance.

    UPDATE:

    • Share Level: Everyone - Modify
      Root Directory: Storage_Admins - Full Control / Domain Users - Modify

    This works if I share a folder on a normal Windows machine. I shared a folder from a WinXP machine with these settings. A Domain User can now modify everything except the permissions, and members of the Storage_Admins group have full control access (that's exactly what I want). So this problem:

    "Result: Domain Users can not change permissions on folders, but Admins also can't change them. Domain Users can't rename or delete folders."

    is obviously related to the Sun Appliance. Something like inheritance behaviour or similar on the appliance itself. I will look into that.

    • tony roth
      tony roth about 13 years
      Administrators can always regain access to anything; they just take ownership and then do the permissions modification from there. There is another special builtin group, "creator owner"; with this you can set the permissions the way you want.
    • duenni
      duenni about 13 years
      That is okay. But I want to preclude this and prevent that a normal user can mess with permissions. I have seen such a setup in the past, this must be possible somehow. Users should create files and folders, move and delete them etc. but shouldn't be able to touch anything under Properties - Security.
    • tony roth
      tony roth about 13 years
      Did you miss the part about "creator owner"? This is the solution to your problem. Give "creator owner" Modify on subfolders and files.
    • duenni
      duenni about 13 years
      If I do this, I can change the permissions again...
    • tony roth
      tony roth about 13 years
      so when you say "I" you are not an admin correct?
    • duenni
      duenni about 13 years
      Yes I am. I changed permissions with a user who is a member of the "Storage_Admins" group. After that I logged in with a normal user and tested it...
  • duenni
    duenni about 13 years
    Please read again, this is what I did; it did not work.
  • the-wabbit
    the-wabbit about 13 years
    No, this is not what you did: at the share level you just defined "Everyone:Modify". You need to add "Storage Admins:Full Control" there as well (yes, even if you already defined that at the filesystem level).
  • duenni
    duenni about 13 years
    I tried it earlier. It is list point number 3 before I wrote the update in the original posting...
  • the-wabbit
    the-wabbit about 13 years
    You are right, I must have overlooked that. On Solaris setups this worked for me just as it did in Windows setups. I do not know what the config interface of the storage appliance does with the share, though. Have you contacted Oracle about that?
  • duenni
    duenni about 13 years
    I stay in contact with the company who sold us the system, but I did not receive an answer yet. We will see what they say; I thought I'd ask at serverfault in the meantime.