Re: [storage-discuss] ACL for window

2011-01-25 Thread Alan Wright

Have you considered the ZFS nounlink attribute?

Alan

On 01/22/11 06:11 AM, Eugene Hutorny wrote:

Hello all,

I want to share my experience on setting up ACLs for a Windows XP client.

The goal I had was to protect the files from a 'delete by mistake'.
While trying to achieve the goal, I noticed the following:

1. read_set is not essential for a share to be available for a Windows client.
It seems that Windows requires execute privilege on the share root.

2. With delete globally denied, the user cannot create a file in Explorer 
(sic!)
It looks like Explorer creates 'New Folder' and then deletes it when the user gives 
it a meaningful name.

3. Also, as a short experiment has shown, deleting is indeed needed to fix 
'create/copy by mistake' files/folders.

At one moment I even thought that the goal was not reachable due to conflicting 
requirements.

That's how I think I can solve it:
- allow deleting by inheritance and
- deny deleting explicitly with no inheritance
- execute the script setting ACL on a weekly basis

This makes newly created files deletable, and freezes the existing ones.

Here is a short script which I made to manage my shares:

# Policy statements
# admin - allow full control on the shares
# media - allow read/write/delete on backup, allow read/write deny delete on 
archive, install, media
# everyone - allow read

policy()
{
echo \
owner@:read_set:fd:allow,\
$1\
user:media:modify_set:fd:allow,\
user:admin:full_set:fd:allow,\
user:root:full_set:fd:allow,\
everyone@:read_set:fd:allow
}

# Backup - Allow everyone read, media and admin full permissions
# deny deleting from media, install and archive
chmod -R A=`policy user:media:dD:deny,` /tank/archive
chmod -R A=`policy user:media:dD:deny,` /tank/install
chmod -R A=`policy user:media:dD:deny,` /tank/media
# allow deleting from backup
chmod -R A=`policy` /tank/backup

# Allow shares to be accessible from Windows

chmod A+user:media:x:allow /tank/archive
chmod A+user:media:x:allow /tank/install
chmod A+user:media:x:allow /tank/media
chmod A+user:media:x:allow /tank/backup


___
storage-discuss mailing list
storage-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/storage-discuss


Re: [storage-discuss] ACL for window

2011-01-25 Thread Alan Wright

# man ls

nounlink

Prevents a file from being deleted. On a directory, the attribute also
prevents any changes to the contents of the directory. That is, no files
within the directory can be removed or renamed. The errno EPERM is
returned when attempting to unlink or rename files and directories that
are marked as nounlink.

Alan

On 01/25/11 12:05 PM, Eugene M. Hutorny wrote:

To be honest, I have never heard about nounlink :)
With your hint, I've searched zfsadmin.pdf and have not found a description
of what it does.
I would appreciate it if you could point me to the documentation.

Regards,

Eugene

----- Original Message -----
From: Alan Wright alan.wri...@oracle.com
To: Eugene Hutorny eug...@hutorny.in.ua
Cc: storage-discuss@opensolaris.org
Sent: Tuesday, January 25, 2011 9:45 PM
Subject: Re: [storage-discuss] ACL for window



Have you considered the ZFS nounlink attribute?

Alan

On 01/22/11 06:11 AM, Eugene Hutorny wrote:

Hello all,

I want to share my experience on setting up ACLs for a Windows XP client.





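The attribute Alan quotes can be applied in bulk to the files that already exist on a share, which is the "freeze the existing" step of Eugene's plan without touching the ACL at all. The script below is an added example for this thread, not something posted by either of them. It assumes the Solaris/illumos chmod(1) and ls(1) attribute syntax (chmod S+c<attr>, ls -/ c) and root privilege; the share path and the 30-day grace period in the usage comment are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not code from this thread): freeze existing files with the
# ZFS nounlink attribute as an alternative to a per-file delete deny ACE.
# Assumes Solaris/illumos chmod(1)/ls(1) attribute syntax and root privilege;
# /tank/archive and the 30-day grace period below are assumptions.
#
# Only regular files are marked. Per the ls(1) text quoted above, nounlink
# on a directory also blocks removing or renaming anything inside it, which
# would break Explorer's "New Folder" + rename step noted earlier in the thread.

# freeze_files DIR [MIN_AGE_DAYS] [dry]
#   Mark regular files under DIR that have not been modified for more than
#   MIN_AGE_DAYS (0 = every file) as nounlink. With "dry" as the third
#   argument, print the commands instead of running them so the selection
#   can be reviewed before the cron job is installed.
freeze_files() {
    dir=$1
    age=${2:-0}
    mode=$3
    if [ "$age" -gt 0 ]; then
        set -- "$dir" -type f -mtime +"$age"
    else
        set -- "$dir" -type f
    fi
    find "$@" -print | sort | while IFS= read -r f; do
        if [ "$mode" = dry ]; then
            printf 'chmod S+cnounlink %s\n' "$f"
        else
            chmod S+cnounlink "$f"
        fi
    done
}

# unfreeze_file FILE: clear the attribute again, e.g. to remove a file that
# was copied in by mistake and only noticed after it had been frozen.
unfreeze_file() {
    chmod S-cnounlink "$1"
}

# is_frozen FILE: exit 0 if the attribute is set. `ls -/ c` prints the
# attribute set as {archive,...,nounlink,...}; an unset attribute shows as
# "nonounlink", hence the delimiter check around the name.
is_frozen() {
    ls -/ c "$1" | grep -q '[{,]nounlink[,}]'
}

# Typical weekly cron entry (assumed schedule and path):
#   0 3 * * 0  /usr/bin/sh /root/freeze.sh
# where freeze.sh sources this file and runs:  freeze_files /tank/archive 30
```

A grace period keeps files that were copied in by mistake deletable for a while, which is the same reason Eugene runs his ACL script weekly rather than on every write; the dry-run mode lets the selection be checked before anything is made undeletable.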


Re: [storage-discuss] ACL for window

2011-01-22 Thread Eugene Hutorny
Hello all,

I want to share my experience on setting up ACLs for a Windows XP client.

The goal I had was to protect the files from a 'delete by 
mistake'. 
While trying to achieve the goal, I noticed the following:

1. read_set is not essential for a share to be available for a Windows client.
It seems that Windows requires execute privilege on the share root.

2. With delete globally denied, the user cannot create a file in Explorer 
(sic!)
It looks like Explorer creates 'New Folder' and then deletes it when the user gives 
it a meaningful name.

3. Also, as a short experiment has shown, deleting is indeed needed to fix 
'create/copy by mistake' files/folders.

At one moment I even thought that the goal was not reachable due to conflicting 
requirements.

That's how I think I can solve it: 
- allow deleting by inheritance and 
- deny deleting explicitly with no inheritance
- execute the script setting ACL on a weekly basis

This makes newly created files deletable, and freezes the existing ones.

Here is a short script which I made to manage my shares:

# Policy statements
# admin - allow full control on the shares
# media - allow read/write/delete on backup, allow read/write deny delete on 
archive, install, media
# everyone - allow read

policy()
{
echo \
owner@:read_set:fd:allow,\
$1\
user:media:modify_set:fd:allow,\
user:admin:full_set:fd:allow,\
user:root:full_set:fd:allow,\
everyone@:read_set:fd:allow
}

# Backup - Allow everyone read, media and admin full permissions
# deny deleting from media, install and archive
chmod -R A=`policy user:media:dD:deny,` /tank/archive
chmod -R A=`policy user:media:dD:deny,` /tank/install
chmod -R A=`policy user:media:dD:deny,` /tank/media
# allow deleting from backup
chmod -R A=`policy` /tank/backup

# Allow shares to be accessible from Windows

chmod A+user:media:x:allow /tank/archive
chmod A+user:media:x:allow /tank/install
chmod A+user:media:x:allow /tank/media
chmod A+user:media:x:allow /tank/backup


Re: [storage-discuss] ACL for window

2011-01-17 Thread Alan Wright

On 01/11/11 02:29 AM, Ryan Park wrote:

Hello all,

First, I would like to thank you for the help. Thank you.

I have created an SMB share on OpenSolaris 134,
joined a Windows 2008 Active Directory and mapped the share to the system.

I have a couple of ACL access permission problems.


When managing ZFS ACLs from the Windows desktop it should behave
in a very similar way to Windows, and there's lots of information
on the Internet.  Google finds lots of useful information and
Microsoft offers lots of knowledge base articles on:

http://msdn.microsoft.com/
http://support.microsoft.com/
http://technet.microsoft.com/


First, I created a file and changed its delete permission to deny delete 
permission from the Windows side,
but the user can still delete the file.


Most likely the parent directory still has Delete Child permission.
On Windows this hidden permission is granted automatically when a
directory ACE is set to Full Control:

File Delete Child directory permission in NTFS
http://support.microsoft.com/kb/152763

If that's the case you could try changing the parent directory ACEs
to grant Modify rather than Full Control.


Second, I have taken a snapshot and restored it from the Windows folder/file 
property -> Previous Versions tab.
When I delete the file and restore it using a different user account,
that account has access to the file.

Please give me some light to guide me through this problem.


The file ownership on restore may be determined by the Windows
client and/or on the inheritance ACEs in the parent directory
ACL and which account you used to connect/map the share.

ACE Inheritance Rules
http://msdn.microsoft.com/en-us/library/aa374924%28VS.85%29.aspx

Alan


Re: [storage-discuss] ACL for window

2011-01-17 Thread Alan Wright

On 01/11/11 02:47 AM, Jaime Cardoso wrote:

On 11-01-2011 10:29, Ryan Park wrote:

Hello all,

First, I would like to thank you for the help. Thank you.

I have created an SMB share on OpenSolaris 134,
joined a Windows 2008 Active Directory and mapped the share to the system.

I have a couple of ACL access permission problems.

First, I created a file and changed its delete permission to deny delete
permission from the Windows side,
but the user can still delete the file.

Second, I have taken a snapshot and restored it from the Windows folder/file
property -> Previous Versions tab.
When I delete the file and restore it using a different user account,
that account has access to the file.

Please give me some light to guide me through this problem.

Thank you

Ryan



Hello Ryan,

Where are you trying to create your ACLs?
Last time I was in your shoes, I decided to simply create the ACLs in ZFS
(are you using ZFS?) and they worked like a charm.
A simple Google search on ZFS ACL will take you to
http://blogs.sun.com/marks/entry/zfs_acls where the ZFS ACL model is
pretty neatly explained. Actually, he explains the NFSv4 ACL model, but I never
noticed any differences and his examples work.
(Just remember to change the permissions on the file and, if it's a
directory, the inheritance.)

As for your restore issue, did you have the user restore the file from his
Windows machine?
If that is the case, a file that is written by a user will be owned by that
user; Solaris doesn't know (or care) that it's the same restored file - as
it sees it, it isn't.


Not necessarily.  It depends on the inheritance specified in the
parent directory ACL.


ACLs to the rescue again: you can simply remove the delete privileges from
that directory (hint: also use inheritance so your ACLs spread to subdirs and
new files) for that user.


Privileges are different from permissions.  On Windows, privileges
are typically granted to groups whereas access permissions/rights
are granted/denied on shares, files and directories.  Privileges
always override ACLs.  For example, members of the Administrators
group are granted Take Ownership privilege, which means members
of that group can take ownership of a file even if the ACL doesn't
grant take ownership permission.

I suspect the issue is File Delete Child (FDC) permission, which is
hidden (not displayed) on the Windows desktop but is automatically
granted if an ACE is set to Full Control.  You can see FDC (the 'D'
bit) using /bin/ls -V on Solaris.

Alan


Now, forgive me if you know a lot about Solaris; I have no way of knowing
that, so if I'm being too basic, forgive me, but since these ACLs are in ZFS
and not in Samba, you can simply try them by creating a new directory with
some files inside your ZFS pool instead of having a test share for your
users. You know the user names of your Samba clients, so simply by using su -
user you can test whatever you want without compromising production.


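Two checks tie Alan's point about File Delete Child to Eugene's freeze scheme earlier on this page: which principals hold delete_child on the share directory, and whether a file's first delete ACE for a user is an explicit deny (frozen) or an inherited allow (still deletable until the weekly run). The script below is an added example written for this thread, not code from any poster. It parses the compact `ls -V` layout, which is assumed to be who:rwxpdDaARWcCos:fdinSFI:type, runs on constructed sample output embedded in the script rather than on real captures, and borrows the principal names and paths from Eugene's script (user:media, user:admin, /tank/media) as assumptions.

```shell
#!/bin/sh
# Added example (not code from this thread). Audits the ACL text that
# `ls -V` prints for a ZFS file or directory on Solaris/illumos, to check
# two things discussed above:
#   1. which principals hold delete_child ('D', Windows "File Delete
#      Child") on a directory, and
#   2. what a principal's first delete ('d') ACE decides, and whether that
#      ACE is explicit or inherited ('I').
# Assumed layout of an ACE line:  who:rwxpdDaARWcCos:fdinSFI:allow|deny
# All sample output below is constructed, not captured from a real system.

# Constructed: `ls -dV /tank/media` for a directory where user:media and
# user:admin hold full control (delete_child included).
DIR_SAMPLE='drwxr-xr-x   3 root     root           3 Jan 25 12:00 /tank/media
          user:media:rwxpdDaARWcCos:fd-----:allow
          user:admin:rwxpdDaARWcCos:fd-----:allow
              owner@:r-x---a-R-c--s:fd-----:allow
           everyone@:r-x---a-R-c--s:fd-----:allow'

# Constructed: a file after the weekly freeze script ran; the explicit
# (non-inherited) deny sits ahead of the allow, so delete is refused.
FROZEN_SAMPLE='-rw-r--r--   1 media    media       1024 Jan 25 12:00 /tank/media/a.iso
              owner@:r-----a-R-c--s:-------:allow
          user:media:----dD--------:-------:deny
          user:media:rw-pdDaARWcCos:-------:allow
           everyone@:r-----a-R-c--s:-------:allow'

# Constructed: a file created after the last run; it only carries the
# inherited allow, so it stays deletable until the script runs again.
NEW_SAMPLE='-rw-r--r--   1 media    media          0 Jan 26 09:00 /tank/media/new.txt
              owner@:r-----a-R-c--s:------I:allow
          user:media:rw-pdDaARWcCos:------I:allow
          user:admin:rwxpdDaARWcCos:------I:allow
           everyone@:r-----a-R-c--s:------I:allow'

# aces: read `ls -V` output on stdin; emit one ACE per line as
#   who perms inherit type
# The ls -l header line is skipped because it has fewer than 4 ':' fields.
aces() {
    awk -F: '
        NF >= 4 {
            type = $NF; inh = $(NF - 1); perms = $(NF - 2)
            who = $1
            sub(/^[ \t]+/, "", who)
            if (NF == 5) who = who ":" $2        # user:NAME or group:NAME
            if (length(perms) == 14 && perms ~ /^[-rwxpdDaARWcCos]+$/ &&
                (type == "allow" || type == "deny"))
                print who, perms, inh, type
        }'
}

# delete_child_grants: principals whose allow ACE carries delete_child.
# Any name printed here can remove entries from the directory even when
# the entries themselves carry a delete deny.
delete_child_grants() {
    aces | awk '$4 == "allow" && substr($2, 6, 1) == "D" { print $1 }'
}

# delete_verdict WHO: print "allow" or "deny" (with " inherited" appended
# when the ACE came from the parent) or "none" for the first ACE of
# principal WHO that mentions the delete bit. ZFS evaluates ACEs in order,
# so the first matching ACE wins; owner@/group@/everyone@ ACEs that may
# also apply to the user are deliberately not folded in here.
delete_verdict() {
    aces | awk -v who="$1" '
        $1 == who && substr($2, 5, 1) == "d" {
            v = $4
            if (substr($3, 7, 1) == "I") v = v " inherited"
            print v; found = 1; exit
        }
        END { if (!found) print "none" }'
}

# Typical use on the server (assumed paths):
#   ls -dV /tank/media | delete_child_grants
#   ls -V /tank/media/a.iso | delete_verdict user:media
```

On the constructed samples, delete_child_grants reports user:media and user:admin for the directory, delete_verdict reports "deny" for user:media on the frozen file and "allow inherited" on the new one. Run over a real share, the first check shows why a per-file delete deny set from Windows is not enough while the parent still grants Full Control, and the second shows which files the weekly run has not yet frozen.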


Re: [storage-discuss] ACL for window

2011-01-17 Thread Ryan Park
Thank you, Andrew and Alan.
I will be trying your recommendations and will update everyone with the result.

Thank you

Ryan



On Thu, Jan 13, 2011 at 5:52 PM, Alan Wright alan.wri...@oracle.com wrote:

 On 01/11/11 02:29 AM, Ryan Park wrote:

 Hello all,

 First, I would like to thank you for the help. Thank you.

 I have created an SMB share on OpenSolaris 134,
 joined a Windows 2008 Active Directory and mapped the share to the system.

 I have a couple of ACL access permission problems.


 When managing ZFS ACLs from the Windows desktop it should behave
 in a very similar way to Windows, and there's lots of information
 on the Internet.  Google finds lots of useful information and
 Microsoft offers lots of knowledge base articles on:

http://msdn.microsoft.com/
http://support.microsoft.com/
http://technet.microsoft.com/

 First, I created a file and changed its delete permission to deny delete
 permission from the Windows side,
 but the user can still delete the file.


 Most likely the parent directory still has Delete Child permission.
 On Windows this hidden permission is granted automatically when a
 directory ACE is set to Full Control:

File Delete Child directory permission in NTFS
http://support.microsoft.com/kb/152763

 If that's the case you could try changing the parent directory ACEs
 to grant Modify rather than Full Control.

 Second, I have taken a snapshot and restored it from the Windows folder/file
 property -> Previous Versions tab.
 When I delete the file and restore it using a different user account,
 that account has access to the file.

 Please give me some light to guide me through this problem.


 The file ownership on restore may be determined by the Windows
 client and/or on the inheritance ACEs in the parent directory
 ACL and which account you used to connect/map the share.

ACE Inheritance Rules
http://msdn.microsoft.com/en-us/library/aa374924%28VS.85%29.aspx

 Alan



Re: [storage-discuss] ACL for window

2011-01-11 Thread Jaime Cardoso

 On 11-01-2011 10:29, Ryan Park wrote:

Hello all,

First, I would like to thank you for the help. Thank you.

I have created an SMB share on OpenSolaris 134,
joined a Windows 2008 Active Directory and mapped the share to the system.

I have a couple of ACL access permission problems.

First, I created a file and changed its delete permission to deny delete 
permission from the Windows side,
but the user can still delete the file.

Second, I have taken a snapshot and restored it from the Windows folder/file 
property -> Previous Versions tab.
When I delete the file and restore it using a different user account,
that account has access to the file.

Please give me some light to guide me through this problem.

Thank you

Ryan



Hello Ryan,

Where are you trying to create your ACLs?
Last time I was in your shoes, I decided to simply create the ACLs in 
ZFS (are you using ZFS?) and they worked like a charm.
A simple Google search on ZFS ACL will take you to 
http://blogs.sun.com/marks/entry/zfs_acls where the ZFS ACL model is 
pretty neatly explained. Actually, he explains the NFSv4 ACL model, but 
I never noticed any differences and his examples work.
(Just remember to change the permissions on the file and, if it's a 
directory, the inheritance.)


As for your restore issue, did you have the user restore the file from his 
Windows machine?
If that is the case, a file that is written by a user will be owned by 
that user; Solaris doesn't know (or care) that it's the same restored 
file - as it sees it, it isn't.
ACLs to the rescue again: you can simply remove the delete privileges 
from that directory (hint: also use inheritance so your ACLs spread to sub 
dirs and new files) for that user.


Now, forgive me if you know a lot about Solaris; I have no way of 
knowing that, so if I'm being too basic, forgive me, but since these ACLs 
are in ZFS and not in Samba, you can simply try them by creating a new 
directory with some files inside your ZFS pool instead of having a test 
share for your users. You know the user names of your Samba clients, so 
simply by using su - user you can test whatever you want without 
compromising production.
