Rights issues _ Full control vs modify

keerby

Cadet
Joined
Mar 5, 2021
Messages
2
Hi

I'm a little bit confused with security in TrueNAS.
In the Windows NTFS world, as I understand/see it, modify = Read, Write, Modify and Execute, and Full control = the same + the possibility to modify the security.

In TrueNAS 12.0-u2.1 I've set a public share with everyone modify and admins full control.
I just noticed that on Windows I was able to add someone in the security tab with a standard user.

It's working fine if I play with advanced permissions in TrueNAS, but is it a bug or an intended choice? If so, what is the difference between the 2 roles?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
The owner of a file is able to modify the ACL. Same as is the case in Windows. If your situation is different, please PM me full details on how to reproduce.
 

keerby

Owner of file is able to modify the ACL -> yes, but only if the "create owner" group is present. It was not in my case.
--
Just understood my issue: I didn't realize that "apply permissions to child datasets" enables inherited permissions... I was focused on that "special permission" checkbox but did not realize that rights can come from elsewhere. That's now working as expected.
-
Thanks for your quick answer and support
 

anodos

1615228078965.png


^^^ Created file with NULL DACL


1615228172877.png


Added new ACL entry.
 

anodos

The ability to restrict what the owner of a file could do with it was not introduced until around Server 2008 with the special SID S-1-3-4 (OWNER_RIGHTS).
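
A simplified model of the Windows DACL access check discussed in this thread, as an added example that is not code from the posters or from TrueNAS: it shows the implicit owner grant of READ_CONTROL and WRITE_DAC, how an OWNER RIGHTS (S-1-3-4) entry removes it, and why a NULL DACL lets anyone edit the ACL. The user SIDs and the helper names are constructed for illustration, and privileges, inheritance and generic-right mapping are left out.

```python
# Simplified model of the Windows DACL access check (illustration only).
READ_CONTROL, WRITE_DAC = 0x00020000, 0x00040000   # standard rights (winnt.h)
MODIFY, FULL_CONTROL = 0x001301BF, 0x001F01FF      # masks behind the GUI labels
OWNER_RIGHTS, EVERYONE, ADMINS = "S-1-3-4", "S-1-1-0", "S-1-5-32-544"
# Constructed user SIDs, not taken from the thread.
ALICE = "S-1-5-21-1111-2222-3333-1001"
BOB = "S-1-5-21-1111-2222-3333-1002"

def access_check(owner_sid, dacl, token_sids, desired):
    """True if every bit of `desired` is granted.

    dacl: None for a NULL DACL, else an ordered list of (kind, sid, mask)
    with kind "allow" or "deny". Privileges and inheritance are ignored.
    """
    if dacl is None:                      # NULL DACL: no protection at all
        return True
    is_owner = owner_sid in token_sids
    restricted = any(sid == OWNER_RIGHTS for _, sid, _ in dacl)
    remaining = desired
    if is_owner and not restricted:       # implicit owner grant
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for kind, sid, mask in dacl:
        if not remaining:
            break
        if sid in token_sids or (sid == OWNER_RIGHTS and is_owner):
            if kind == "deny" and mask & remaining:
                return False
            if kind == "allow":
                remaining &= ~mask
    return remaining == 0

# The share from the first post: Everyone = Modify, admins = Full control.
SHARE_DACL = [("allow", EVERYONE, MODIFY), ("allow", ADMINS, FULL_CONTROL)]
# Same DACL plus an OWNER RIGHTS entry capping the owner at Modify.
CAPPED_DACL = SHARE_DACL + [("allow", OWNER_RIGHTS, MODIFY)]

def can_edit_acl(user, dacl, owner=ALICE):
    """Can `user` (a standard, non-admin account) change the file's ACL?"""
    return access_check(owner, dacl, {user, EVERYONE}, WRITE_DAC)

if __name__ == "__main__":
    print("owner, plain DACL  :", can_edit_acl(ALICE, SHARE_DACL))
    print("other user         :", can_edit_acl(BOB, SHARE_DACL))
    print("owner, OWNER RIGHTS:", can_edit_acl(ALICE, CAPPED_DACL))
    print("other, NULL DACL   :", can_edit_acl(BOB, None))
```

When auditing a share where standard users can edit permissions, check file ownership and the presence of an S-1-3-4 entry before looking at the Modify versus Full control grants.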
 