See all those "i"s in the inheritance column, where everything says "fdi"?

That means:

         inherit_only (i)

             When placed on a directory, do not apply to the
             directory, only to newly created files and directories.
             This flag requires that either file_inherit and or
             dir_inherit is also specified.

Net result, none of those ACL entries apply to the directory. They all apply only to children of that directory. Since no ACL entries apply to the directory, all access is denied.
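An added illustration, not from the thread: a small Python evaluator for the compact ACEs that `ls -lV` prints. It walks the ACL in order the way ZFS/NFSv4 does (allow ACEs grant still-needed bits, a deny ACE covering a still-needed bit denies, anything ungranted at the end of the ACL is denied) and skips inherit_only entries when evaluating the directory itself, which is exactly why the all-"fdi" ACL above yields access denied. The ACL text and ryanj's group list are constructed from the listings in this thread.

```python
import re

# Compact ACE as printed by `ls -lV`: who:perms:inheritance-flags:allow|deny
ENTRY_RE = re.compile(
    r"^\s*(?P<who>(?:user|group):[^:]+|owner@|group@|everyone@)"
    r":(?P<perms>[rwxpdDaARWcCos-]{14}):(?P<flags>[fdinFI-]{7}):(?P<type>allow|deny)$"
)

def _applies(who, user, groups, owner, owner_group):
    if who == "everyone@":
        return True
    if who == "owner@":
        return user == owner
    if who == "group@":
        return owner_group in groups
    kind, name = who.split(":", 1)
    return name == user if kind == "user" else name in groups

def check_access(acl_text, user, groups, owner, owner_group, wanted):
    """True if `user` (member of `groups`) is granted every bit in `wanted`
    on the object itself.  ACEs flagged inherit_only ("i") are skipped: they
    exist only to be copied onto newly created children.  A deny ACE that
    covers a still-needed bit denies; bits still ungranted at the end deny."""
    needed = set(wanted)
    for line in acl_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparsable ACE: {line!r}")
        if "i" in m["flags"] or not _applies(m["who"], user, groups, owner, owner_group):
            continue
        bits = set(m["perms"]) - {"-"}
        if m["type"] == "deny" and needed & bits:
            return False
        if m["type"] == "allow":
            needed -= bits
        if not needed:
            return True
    return False

# Constructed from the thread's second `ls -lVd john` listing: every ACE is "fdi".
ACL_INHERIT_ONLY = """\
          group:bsse-it:rwxpdDaARWcCos:fdi----:allow
             user:ryanj:rwxpdDaARWcCos:fdi----:allow
                 group@:rwxpdDaARWcCos:fdi----:allow
                 owner@:rwxpdDaARWcCos:fdi----:allow
"""
# The same ACEs with inherit_only cleared, as "...:fd:allow" specs produce.
ACL_FD = ACL_INHERIT_ONLY.replace(":fdi----:", ":fd-----:")
RYANJ_GROUPS = frozenset({"domain1", "bsse-it"})
```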

Ryan John wrote:
Hi Alan,

Thanks for the prompt help.
Unfortunately, I still have a problem.

I think I followed you correctly, and did:
chmod A- /array0/john
chown ryanj:bsse-it /array0/john
chmod A=owner@:rwxpdDaARWcCos:fdi:allow /array0/john
chmod A+group@:rwxpdDaARWcCos:fdi:allow /array0/john
chmod A+user:ryanj:rwxpdDaARWcCos:fdi:allow /array0/john
chmod A+group:bsse-it:rwxpdDaARWcCos:fdi:allow /array0/john

# ls -lVd john
d---------+  3 ryanj    bsse-it        3 Dec  8 09:24 john
          group:bsse-it:rwxpdDaARWcCos:fdi----:allow
             user:ryanj:rwxpdDaARWcCos:fdi----:allow
                 group@:rwxpdDaARWcCos:fdi----:allow
                 owner@:rwxpdDaARWcCos:fdi----:allow

But I still get "Access denied" from Windows.

John.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Alan M Wright
Sent: Tuesday, 8 December 2009 11:06 AM
To: Ryan John
Cc: [email protected]
Subject: Re: [cifs-discuss] CIFS ACLs not making sense

Using chmod with UNIX permissions can lead to confusing results, as
can deny ACEs, unless you really need them.  The deny ACEs in the
trivial ACL are primarily there to deal with corner cases (such as
inverted bitmaps that give the POSIX group more permission than the
owner) and for NFSv4 spec compliance.

ZFS explicitly denies access if you get to the end of the ACL and
there are desired access bits that have not been granted.  If your
access control requirements are typical, you may not need those deny
entries.

If you want 770, you could start with something like this (below).
The inheritance bits (fd) help with Windows but they are not required
if you only use NFS.  You may want to look at the aclinherit and
aclmode sections in the zfs(1M) man page.

        chown john:bsse-it                      /array0/john
        chmod A=owner@:full_set:fd:allow        /array0/john
        chmod A+group@:full_set:fd:allow        /array0/john

If you want the file owned by root:

        chown root:root                         /array0/john
        chmod A=user:john:full_set:fd:allow     /array0/john
        chmod A+group:bsse-it:full_set:fd:allow /array0/john

This will result in ---------+ appearing on NFS clients because the NFS
server only presents the owner@, group@ and everyone@ permissions (even
if the file is owned by john:bsse-it).  This is an NFSv4 requirement
and it may or may not affect access depending on how applications check
permissions.  So what you might want is:

        chown root:root                         /array0/john
        chmod A=owner@:full_set:fd:allow        /array0/john
        chmod A+group@:full_set:fd:allow        /array0/john
        chmod A+user:john:full_set:fd:allow     /array0/john
        chmod A+group:bsse-it:full_set:fd:allow /array0/john

I haven't tried this (beware typos) but you should see rwxrwx---+ and
you should have access via john and bsse-it.

Alan
--

On 12/08/09 00:28, Ryan John wrote:
Hi,

I've been struggling with this for a while, and I'm either a bit thick, or I've 
got something wrong.
I'm working in domain mode, and my OS is snv_123
My unix userids come from LDAP and my groups come from NIS.
My nsswitch.conf is:
passwd:     files ldap ad
group:      files nis ad

I've created a CIFS share:
zfs create -o casesensitivity=mixed -o nbmand=on  dataPool/john
zfs set mountpoint=/array0/john dataPool/john
zfs set aclmode=passthrough dataPool/john
zfs set aclinherit=passthrough dataPool/john
zfs set sharesmb=on dataPool/john
zfs set sharesmb=name=john dataPool/john

Then I set some ACLs
chmod A- /array0/john
chmod 770 /array0/john
chmod A0=owner@::fdi:deny /array0/john
chmod A1=owner@:rwxpdDaRcs:fdi:allow /array0/john
chmod A2=group@::fdi:deny /array0/john
chmod A3=group@:rwxpdDaRcs:fdi:allow /array0/john
chmod A4=everyone@:rwxpaARWcCos:fdi:deny /array0/john
chmod A5=everyone@::fdi:allow /array0/john
chmod A+group:domain1:rwxpdDaRcs:fdi:allow /array0/john
chmod A+group:bsse-it:rwxpdDaRcs:fdi:allow /array0/john

Then it looks like this:
# ls -lVd john
d---------+  2 root     root           2 Dec  8 09:12 john
          group:bsse-it:rwxpdDa-R-c--s:fdi----:allow
          group:domain1:rwxpdDa-R-c--s:fdi----:allow
                 owner@:--------------:fdi----:deny
                 owner@:rwxpdDa-R-c--s:fdi----:allow
                 group@:--------------:fdi----:deny
                 group@:rwxpdDa-R-c--s:fdi----:allow
              everyone@:rwxp--aARWcCos:fdi----:deny
              everyone@:--------------:fdi----:allow

John (ryanj) is a member of the bsse-it group, although it's not his primary 
group:
# id -a ryanj
uid=23975(ryanj) gid=1029(domain1) .... 12933(bsse-it),1029(domain1)

I thought that would be enough to allow ryanj to access the share, but on a
Windows PC, I can see the share, but get "Access is denied"

If I then set the normal POSIX permissions with:
# chgrp bsse-it john
# chmod 770 john
# ls -lVd john
drwxrwx---+  2 root     bsse-it        2 Dec  8 09:12 john
          group:bsse-it:rwxpdDa-R-c--s:fdi----:allow
          group:domain1:rwxpdDa-R-c--s:fdi----:allow
                 owner@:--------------:fdi----:deny
                 owner@:rwxpdDa-R-c--s:fdi----:allow
                 group@:--------------:fdi----:deny
                 group@:rwxpdDa-R-c--s:fdi----:allow
              everyone@:rwxp--aARWcCos:fdi----:deny
              everyone@:--------------:fdi----:allow
                 owner@:--------------:-------:deny
                 owner@:rwxp---A-W-Co-:-------:allow
                 group@:--------------:-------:deny
                 group@:rwxp----------:-------:allow
              everyone@:rwxp---A-W-Co-:-------:deny
              everyone@:------a-R-c--s:-------:allow

I can access the share and create new folders.
It seems like it's completely ignoring the NFSv4 ACLs.

Can anyone help me?

Thanks in advance
John Ryan

------------------------------------------------------------------------

_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss