Re: [OpenIndiana-discuss] ACL problem

2015-12-13 Thread Michelle
I'm definitely having problems with this inherit_only flag.

What starts as this...
drwxrwxrwx+  2 Joe Family  2 Dec 13 15:40 guest_folder

0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
 /append_data/read_xattr/execute/delete_child/read_attributes
 /delete/read_acl:file_inherit/dir_inherit:allow

1:group@:list_directory/read_data/add_file/write_data/add_subdirectory
 /append_data/read_xattr/execute/delete_child/read_attributes
 /delete/read_acl:file_inherit/dir_inherit:allow
2:everyone@:list_directory/read_data/add_file/write_data
 /add_subdirectory/append_data/read_xattr/execute/delete_child
 /read_attributes/delete/read_acl:file_inherit/dir_inherit:allow

... if a guest (who has access under "everyone") writes a file or makes a
directory in that folder, then the ownership is not Joe, but the guest
account.

Adding the inherit_only flag changes to this...

d-+  2 Joe Family  2 Dec 13 15:40 guest_folder

0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
 /append_data/read_xattr/execute/delete_child/read_attributes
 /delete/read_acl:file_inherit/dir_inherit/inherit_only:allow
1:group@:list_directory/read_data/add_file/write_data/add_subdirectory
 /append_data/read_xattr/execute/delete_child/read_attributes
 /delete/read_acl:file_inherit/dir_inherit/inherit_only:allow
2:everyone@:list_directory/read_data/add_file/write_data
 /add_subdirectory/append_data/read_xattr/execute/delete_child
 /read_attributes/delete/read_acl:file_inherit/dir_inherit
 /inherit_only:allow

...and not even Joe can see the directory guest_folder in an SFTP
listing, despite being the owner and having the rights.
There's something obvious going on here that I clearly haven't got to
grips with.

All I'm trying to do, is ensure that all files written within a
directory, have the same ownership as the directory itself, no matter
what account actually writes them.



___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
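The two things observed in this post, the directory that becomes unlistable once every entry carries inherit_only and the new file that belongs to the guest rather than to Joe, both follow from how ZFS copies ACEs to new objects. What follows is an added example, not code from the post or from illumos: a small Python model of the NFSv4/ZFS inheritance rules (file_inherit, dir_inherit, inherit_only, no_propagate, plus the dataset's aclinherit property that Gea's reply further down mentions) run over the guest_folder ACL shown above. The uids and gids (1001, 1002, 2001, 2002) and the user:guest entry are made-up test values, and the step in which real ZFS merges the create mode into the owner@/group@/everyone@ entries is left out.

```python
"""Model of NFSv4/ZFS ACE inheritance (added example, not code from the thread).

Rules follow the ZFS Administration Guide / RFC 5661: an ACE reaches a new
file only via file_inherit and a new directory only via dir_inherit (or via
file_inherit, carried as inherit_only); inherit_only entries never apply to
the object they sit on; no_propagate stops the chain after one level; the
dataset's aclinherit property filters what is copied. All uids/gids are
made-up test values.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# The full permission set that ls -v printed for guest_folder in the thread.
FULL_PERMS = frozenset(
    "list_directory read_data add_file write_data add_subdirectory append_data "
    "read_xattr execute delete_child read_attributes delete read_acl".split()
)
INHERIT_FLAGS = frozenset({"file_inherit", "dir_inherit", "inherit_only", "no_propagate"})
RESTRICTED_STRIP = frozenset({"write_acl", "write_owner"})  # removed by aclinherit=restricted
ACLINHERIT_VALUES = ("discard", "noallow", "restricted", "passthrough")


@dataclass(frozen=True)
class Ace:
    who: str                # owner@, group@, everyone@, user:<name>, group:<name>
    perms: FrozenSet[str]
    flags: FrozenSet[str]
    kind: str = "allow"     # allow | deny

    @classmethod
    def parse(cls, text: str) -> "Ace":
        """Parse one 'who:perm/perm:flag/flag:type' entry in ls -v / chmod A+ syntax."""
        who, perms, flags, kind = text.rsplit(":", 3)   # rsplit: 'user:guest' keeps its colon

        def split(s: str) -> FrozenSet[str]:
            return frozenset(x for x in s.split("/") if x)

        return cls(who, split(perms), split(flags), kind)

    def __str__(self) -> str:
        return f"{self.who}:{'/'.join(sorted(self.perms))}:{'/'.join(sorted(self.flags))}:{self.kind}"


def effective_aces(acl: List[Ace]) -> List[Ace]:
    """ACEs that govern access to the object the ACL is set on.

    inherit_only entries exist only to be copied to children, so with
    inherit_only on every entry the directory itself grants nothing and even
    its owner cannot list it (the d---------+ listing in the thread).
    """
    return [a for a in acl if "inherit_only" not in a.flags]


def inherit_one(ace: Ace, child_is_dir: bool, aclinherit: str = "restricted") -> Optional[Ace]:
    """What one parent ACE becomes on a new child, or None if it is not inherited."""
    if aclinherit not in ACLINHERIT_VALUES:
        raise ValueError(f"unknown aclinherit value {aclinherit!r}")
    if aclinherit == "discard" or (aclinherit == "noallow" and ace.kind != "deny"):
        return None
    f = ace.flags
    if child_is_dir:
        if "dir_inherit" in f:
            # Applies to the subdirectory itself; keeps propagating unless
            # no_propagate ends the chain at this level.
            new = f - INHERIT_FLAGS if "no_propagate" in f else f - {"inherit_only"}
        elif "file_inherit" in f and "no_propagate" not in f:
            # Meant for files only: carried through the subdirectory as
            # inherit_only so it can still reach files further down.
            new = f | {"inherit_only"}
        else:
            return None
    else:
        if "file_inherit" not in f:
            return None
        new = f - INHERIT_FLAGS          # files carry no inheritance flags
    perms = ace.perms - RESTRICTED_STRIP if aclinherit == "restricted" else ace.perms
    return Ace(ace.who, perms, new, ace.kind)


def create(parent_acl: List[Ace], parent_uid: int, parent_gid: int, parent_setgid: bool,
           creator_uid: int, creator_gid: int, is_dir: bool,
           aclinherit: str = "restricted") -> Tuple[int, int, List[Ace]]:
    """Owner, group and inherited ACL of a new object created under parent_acl.

    parent_uid is deliberately unused: no ACE or inheritance flag influences
    the owner, the creating process always owns the new object. The group
    follows the parent only through the directory's setgid bit.
    """
    owner = creator_uid
    group = parent_gid if parent_setgid else creator_gid
    acl = [a for a in (inherit_one(e, is_dir, aclinherit) for e in parent_acl) if a is not None]
    return owner, group, acl


def guest_folder_acl(*extra_flags: str) -> List[Ace]:
    """The three-entry ACL from the thread, optionally with extra flags
    (guest_folder_acl("inherit_only") reproduces the second listing)."""
    flags = "/".join(("file_inherit", "dir_inherit") + extra_flags)
    perms = "/".join(sorted(FULL_PERMS))
    return [Ace.parse(f"{who}:{perms}:{flags}:allow") for who in ("owner@", "group@", "everyone@")]


if __name__ == "__main__":
    for label, acl in (("as posted", guest_folder_acl()), ("with inherit_only", guest_folder_acl("inherit_only"))):
        print(f"{label}: {len(effective_aces(acl))} ACE(s) apply to guest_folder itself")
        owner, group, child = create(acl, 1001, 1002, False, 2001, 2002, is_dir=False)
        print(f"  guest (uid 2001) creates a file -> owner uid {owner}, {len(child)} inherited ACE(s)")
```

Running it prints that the posted ACL has three effective entries and the inherit_only variant none, while in both cases the guest's new file is owned by uid 2001 with three inherited entries: the inheritance flags shape the child's ACL and nothing else.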


Re: [OpenIndiana-discuss] ACL problem

2015-12-13 Thread Peter Tribble
On Sun, Dec 13, 2015 at 3:02 PM, Michelle wrote:

>
> All I'm trying to do, is ensure that all files written within a
> directory, have the same ownership as the directory itself, no matter
> what account actually writes them.
>

Unfortunately, that's something you can't do.

There's the setgid bit you can set on a directory, which ensures all newly
created files have the same group as the directory, but there's no
corresponding facility for the file owner.

Using ACLs can allow you limited control over permissions - and you can
extend permissions to multiple users and groups (rather than the single
group that you normally use with traditional unix permissions). But even
with ACLs you can only set the initial permissions on newly created files.
If the application you're using to add the files starts to manipulate
permissions itself (and many do) then even ACLs can't help you.

What I normally do is:

1. Use basic unix groups to control access

2. Use the permissions of the top-level directory to act as a primary
access filter - make it group owned by the appropriate group, usually
setgid, and don't allow any access to other if you want to keep it
private (mode 770).

3. If you can, control the application(s). For instance, you can tell samba
what the default permissions should be.

4. For when all else fails, have a cron job that fixes up anything that's
become broken.

-- 
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/
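Peter's point 4, a cron job that repairs ownership, as an added example written for this thread (not Peter's own script): a Python fix-up that brings everything under a top-level directory back to that directory's owner and group. Because the job runs as root over a tree that untrusted accounts can write to, it carries the guards such a job needs: it never follows symlinks, leaves hard-linked files and foreign mounts alone, re-checks each target by descriptor before chowning so a rename race between the scan and the chown cannot redirect it, and clears set-uid/set-gid bits before handing a file to the new owner. The directory /tank/family/Movies in the crontab line is an assumed example path.

```python
#!/usr/bin/env python3
"""Cron-driven ownership fix-up for a shared tree (added example, not Peter's
code). Everything below the top-level directory is made to carry that
directory's owner and group. Guards, since the tree is guest-writable and
the job runs as root:
  * symlinks are never followed (os.walk followlinks=False, lstat, O_NOFOLLOW)
    and are not re-owned themselves;
  * regular files with more than one link are skipped, so a guest cannot
    hard-link a file from elsewhere into the tree and have it handed over;
  * entries on another device (a mount inside the tree) are skipped;
  * the target is re-opened by descriptor and re-checked before fchown;
  * set-uid/set-gid bits on files are cleared before the chown, otherwise a
    guest-planted set-uid binary would become "run as the new owner".
"""
import os
import stat
import sys
from typing import List, Optional, Tuple


def _eligible(st: os.stat_result, dev: int) -> bool:
    """Regular files and directories on the tree's own device, not hard-linked."""
    if st.st_dev != dev or stat.S_ISLNK(st.st_mode):
        return False
    if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
        return False
    return stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)


def find_ownership_drift(root: str, want_uid: Optional[int] = None,
                         want_gid: Optional[int] = None) -> List[Tuple[str, int, int]]:
    """(path, uid, gid) of every eligible entry under root whose owner or group
    differs from the wanted values (default: root's own owner and group)."""
    top = os.lstat(root)
    want_uid = top.st_uid if want_uid is None else want_uid
    want_gid = top.st_gid if want_gid is None else want_gid
    drift = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if _eligible(st, top.st_dev) and (st.st_uid != want_uid or st.st_gid != want_gid):
                drift.append((path, st.st_uid, st.st_gid))
    return drift


def reown(path: str, uid: int, gid: int, dev: int) -> bool:
    """chown one entry by descriptor; False if it no longer qualifies (gone,
    swapped for a symlink so O_NOFOLLOW refuses it, or otherwise unusable)."""
    try:
        # O_NONBLOCK: if the entry was swapped for a FIFO, do not hang on open.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError:
        return False
    try:
        st = os.fstat(fd)
        if not _eligible(st, dev):
            return False
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            os.fchmod(fd, stat.S_IMODE(st.st_mode) & ~(stat.S_ISUID | stat.S_ISGID))
        os.fchown(fd, uid, gid)
        return True
    finally:
        os.close(fd)


def fix_ownership(root: str, apply: bool = False) -> int:
    """Report (and with apply=True correct) ownership drift; returns the count."""
    top = os.lstat(root)
    n = 0
    for path, uid, gid in find_ownership_drift(root):
        verb = "chown" if apply else "would chown"
        print(f"{verb} {top.st_uid}:{top.st_gid} {path} (was {uid}:{gid})")
        if not apply or reown(path, top.st_uid, top.st_gid, top.st_dev):
            n += 1
    return n


if __name__ == "__main__":
    # Assumed crontab line: 0 3 * * * /usr/local/bin/fix_owner.py --apply /tank/family/Movies
    if len(sys.argv) < 2:
        sys.exit("usage: fix_owner.py [--apply] DIRECTORY")
    do_apply = "--apply" in sys.argv[1:-1]
    count = fix_ownership(sys.argv[-1], apply=do_apply)
    print(f"{count} entries {'fixed' if do_apply else 'out of line'}")
```

Run it without --apply first to see what it would change; the printed lines double as the audit trail in the cron log.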


[OpenIndiana-discuss] ACL problem

2015-12-13 Thread Michelle
Hi Folks,

I've been having problems with ACLs. My understanding is just not
getting there and reading the Solaris ZFS Administration Guide isn't
sinking in.

This is roughly what I want to do...

User, Joe
Group Family
Other

Set up a directory, (say Movies) to which Joe is the owner. Family can
access and read, but not write, and Other can't access at all.

Joe's ownership of files and all ACL permissions are to be propagated to
any file or directory created, by whatever means, be it SFTP or CIFS
access to the share.

There is another situation where I want "Family" to be able to create,
delete and modify files and directories freely, but for ownership of
file and directories to still explicitly be Joe.

There is a chance that my previous experiments may be messing things up,
so the other question is, does deleting a directory and re-instating it
clear all previous extended permission settings, or must I issue a
command to clear all flags before my next failed attempt :-) ... as
obviously deleting the .$EXTEND file is not allowed.

Many thanks,

Michelle.




Re: [OpenIndiana-discuss] ACL problem

2015-12-13 Thread Guenther Alka
From an outside view, and with some restrictions due to ZFS being a Unix
filesystem, OI with the Sun CIFS server behaves like a Windows 2003
server with NTFS. There is no way around this, as it was the prime
development idea.


This is different from SAMBA, whose idea is to allow SMB access to a
Linux/Unix server where its concepts based on uid/gid and Unix
permissions stay intact, even with (POSIX) ACLs.



Re: [OpenIndiana-discuss] ACL problem

2015-12-13 Thread Michelle
Thanks Gea,

Unfortunately I'm building this server for a friend. I only have Linux
Mint machines, and the OI box.

I used to use Netware, and when I started with AD, I had a bit of a
freak out, as it was sort of completely the reverse!

Your notes are valuable. I'll put them in my keep folder.

For this case, after what Peter said, the user/group name is the most
important thing, so I'll tell my friend just to not do any file
transfers at 3am :-D

Michelle.




Re: [OpenIndiana-discuss] ACL problem

2015-12-13 Thread Guenther Alka

Some principles with ACLs on Solarish CIFS

- They are too complicated for the CLI; set them via Windows as root or a web UI
- set aclinherit to restricted if you want to keep the owner from the parent
directory (e.g. root)

- On Windows NTFS you can remove/lock out admin so admin has no access
   On Solarish root always has access and the owner can always modify
permissions
- Solarish uses Windows SIDs, NFSv4 ACLs and Windows SMB groups (as Unix
groups are not Windows compatible)
- never use chmod with Unix permissions like 750, as this removes ACL
inheritance
- Do not set deny rules on Windows, as they work differently from Unix
(first deny then allow vs. keeping the order of rules)


What I would do for simplicity:
- create users and SMB groups with user as members on OI
- create folders on Windows as root
- assign allow permissions based on User and SMB groups on Windows
(without an allow you have no access)

If you need deny rules or access to files where admin is removed, you 
can use a Web-UI like my napp-it



Gea



Re: [OpenIndiana-discuss] ACL problem

2015-12-13 Thread Michelle

On Sun, 2015-12-13 at 17:11 +, Peter Tribble wrote:
> Unfortunately, that's something you can't do.

Ah. Bugger.

Looks like back to cron jobs and I'll abandon the ACL approach then!

Many thanks for taking the time to respond.

Michelle.

