Re: [OpenIndiana-discuss] ACL problem
I'm definitely having problems with this inherit_only flag. What starts as this...

drwxrwxrwx+  2 Joe  Family  2 Dec 13 15:40 guest_folder
     0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/read_xattr/execute/delete_child/read_attributes
         /delete/read_acl:file_inherit/dir_inherit:allow
     1:group@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/read_xattr/execute/delete_child/read_attributes
         /delete/read_acl:file_inherit/dir_inherit:allow
     2:everyone@:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/execute/delete_child
         /read_attributes/delete/read_acl:file_inherit/dir_inherit:allow

... if a guest (who has access under "everyone@") writes a file or makes a directory in that folder, then the ownership is not Joe, but the guest account.

Adding the inherit_only flag changes to this...

d---------+  2 Joe  Family  2 Dec 13 15:40 guest_folder
     0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/read_xattr/execute/delete_child/read_attributes
         /delete/read_acl:file_inherit/dir_inherit/inherit_only:allow
     1:group@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/read_xattr/execute/delete_child/read_attributes
         /delete/read_acl:file_inherit/dir_inherit/inherit_only:allow
     2:everyone@:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/execute/delete_child
         /read_attributes/delete/read_acl:file_inherit/dir_inherit
         /inherit_only:allow

...and not even Joe can see the directory guest_folder in an SFTP listing, despite being the owner and having the rights.

There's something obvious going on here that I clearly haven't got to grips with.

All I'm trying to do is ensure that all files written within a directory have the same ownership as the directory itself, no matter what account actually writes them.
___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] ACL problem
On Sun, Dec 13, 2015 at 3:02 PM, Michelle wrote:
> All I'm trying to do is ensure that all files written within a
> directory have the same ownership as the directory itself, no matter
> what account actually writes them.

Unfortunately, that's something you can't do. There's the setgid bit you can set on a directory, which ensures all newly created files have the same group as the directory, but there's no corresponding facility for the file owner.

Using ACLs can allow you limited control over permissions, and you can extend permissions to multiple users and groups (rather than the single group that you normally use with traditional unix permissions). But even with ACLs you can only set the initial permissions on newly created files. If the application you're using to add the files starts to manipulate permissions itself (and many do), then even ACLs can't help you.

What I normally do is:

1. Use basic unix groups to control access.
2. Use the permissions of the top-level directory to act as a primary access filter: make it group owned by the appropriate group, usually setgid, and don't allow any access to other if you want to keep it private (mode 770).
3. If you can, control the application(s). For instance, you can tell samba what the default permissions should be.
4. For when all else fails, have a cron job that fixes up anything that's become broken.

-- 
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/
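Peter's points 2 and 4 as an added example, not code from the thread or from OpenIndiana: a Python script of the kind that cron job would run. It assumes the wanted owner and group are those of the top directory itself (pass uid/gid to override). It walks with directory file descriptors and follow_symlinks=False because an account that can create files under the share can also plant a symlink, or rename a path between the stat and the chown, and a naive chown -R would follow it out of the tree. demo() builds a throwaway tree; everything in it belongs to the running user, so drift is simulated by asking for a different uid (creating a file as another user would need root).

```python
# Added example: Peter's point 4 (a cron job that fixes what drifted) with a
# check for point 2 (top directory group-owned, setgid, closed to other).
# Not code from the thread or from OpenIndiana.  The target owner/group is
# taken from the top directory itself; run as root from cron with apply=True.
import os
import stat
import tempfile

def top_dir_problems(root):
    """Point 2 as a check; returns the list of things wrong with root."""
    st = os.lstat(root)
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("not a directory")
    if not st.st_mode & stat.S_ISGID:
        problems.append("setgid bit not set")
    if st.st_mode & 0o007:
        problems.append("other has access")
    return problems

def fix_drift(root, uid=None, gid=None, apply=False):
    """Entries below root whose owner or group differ from root's (or from the
    uid/gid given), re-owned when apply is set.  fwalk hands us a directory fd
    for every level, so each stat and chown is relative to that fd and never
    follows a symlink: a guest who can create files can also plant a link or
    swap a path between the stat and the chown."""
    top = os.lstat(root)
    uid = top.st_uid if uid is None else uid
    gid = top.st_gid if gid is None else gid
    drift = []
    for dirpath, dirnames, filenames, dirfd in os.fwalk(root):
        for name in dirnames + filenames:
            st = os.stat(name, dir_fd=dirfd, follow_symlinks=False)
            if st.st_uid != uid or st.st_gid != gid:
                drift.append((os.path.join(dirpath, name), st.st_uid, st.st_gid))
                if apply:
                    os.chown(name, uid, gid, dir_fd=dirfd, follow_symlinks=False)
    return drift

def demo():
    """Runs on a throwaway tree (constructed here, not real data).  Everything
    in it is ours, so ownership drift is simulated by asking for another uid;
    creating a file as a different user would need root."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o2770)                # Peter's point 2
    sub = os.path.join(root, "sub")
    os.mkdir(sub)
    open(os.path.join(sub, "upload.bin"), "w").close()
    tidy = top_dir_problems(root)
    os.chmod(root, 0o775)                 # what a careless chmod leaves behind
    sloppy = top_dir_problems(root)
    return {"tidy": tidy, "sloppy": sloppy,
            "own": len(fix_drift(root)),                       # dry run, all ours
            "foreign": len(fix_drift(root, uid=os.getuid() + 1))}

if __name__ == "__main__":
    print(demo())
```

Without apply=True it is a dry run that only reports. It fixes ownership, not ACL entries an application rewrote (Peter's point 3), and it does not prevent the drift; it only shortens the window in which a guest owns a file inside Joe's tree.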
[OpenIndiana-discuss] ACL problem
Hi Folks,

I've been having problems with ACLs. My understanding is just not getting there and reading the Solaris ZFS Administration Guide isn't sinking in.

This is roughly what I want to do...

User:  Joe
Group: Family
Other

Set up a directory (say Movies) to which Joe is the owner. Family can access and read, but not write, and Other can't access at all. Joe's ownership of files and all ACL permissions are to be propagated to any file or directory created, by whatever means, be it SFTP or CIFS access to the share.

There is another situation where I want "Family" to be able to create, delete and modify files and directories freely, but for ownership of files and directories to still explicitly be Joe.

There is a chance that my previous experiments may be messing things up, so the other question is: does deleting a directory and re-instating it clear all previous extended permission settings, or must I issue a command to clear all flags before my next failed attempt :-) ... as obviously deleting the .$EXTEND file is not allowed.

Many thanks,

Michelle.
Re: [OpenIndiana-discuss] ACL problem
From the outside, and with some restrictions due to ZFS being a Unix filesystem, OI with the Sun CIFS server behaves like a Windows 2003 server with NTFS. There is no way around that, as this was the prime development idea.

This is different from Samba, whose idea is to allow SMB access to a Linux/Unix server where the concepts based on uid/gid and Unix permissions stay intact, even with (POSIX) ACLs.

On 13.12.2015 at 19:02, Michelle wrote:
> [...]
Re: [OpenIndiana-discuss] ACL problem
Thanks Gea,

Unfortunately I'm building this server for a friend. I only have Linux Mint machines, and the OI box.

I used to use Netware, and when I started with AD, I had a bit of a freak out, as it was sort of completely the reverse!

Your notes are valuable. I'll put them in my keep folder.

For this case, after what Peter said, the user/group name is the most important thing, so I'll tell my friend just to not do any file transfers at 3am :-D

Michelle.
Re: [OpenIndiana-discuss] ACL problem
Some principles with ACLs on Solarish CIFS:

- They are too complicated for the CLI; set them via Windows as root or with a web UI.
- Set aclinherit to restricted if you want to keep the owner from the parent directory (e.g. root).
- On Windows NTFS you can remove/lock out admin so admin has no access. On Solarish, root always has access and the owner can always modify permissions.
- Solarish uses Windows SIDs, NFSv4 ACLs and Windows SMB groups (as Unix groups are not Windows compatible).
- Never use a chmod to Unix permissions like 750, as this removes ACL inheritance.
- Do not set deny rules on Windows, as they work differently to Unix (first deny, then allow vs. keeping the order of rules).

What I would do for simplicity:

- Create users and SMB groups with users as members on OI.
- Create folders on Windows as root.
- Assign allow permissions based on user and SMB groups on Windows (without an allow you have no access).

If you need deny rules or access to files where admin is removed, you can use a web UI like my napp-it.

Gea

On 13.12.2015 at 16:02, Michelle wrote:
> [...]
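The inheritance behaviour behind the two listings Michelle posted and Gea's aclinherit note, as an added example that is not part of the thread or of OpenIndiana/illumos code: a small Python model of the NFSv4 ACE inheritance rules ZFS follows (RFC 5661 section 6.4.3.2) with the aclinherit values discard, restricted and passthrough. It leaves out the entries ZFS derives from the create-time mode and the aclmode property, so it shows which entries are inherited and who they then match, not every line a real ls -v would print. Uids, gids and the users Alice and guest are invented; Joe, Family and the guest_folder/Movies ACLs are the ones from the thread.

```python
# Added example: a toy model of NFSv4/ZFS ACE inheritance and access checks,
# not code from OpenIndiana/illumos.  It follows RFC 5661 6.4.3.2 as ZFS applies
# it and the aclinherit values discard/restricted/passthrough; it ignores the
# entries ZFS adds from the create-time mode and the aclmode property.
# Uids, gids and the users "Alice" and "guest" are made up.
from collections import namedtuple

# Names as `ls -v` prints them; on a directory read_data/write_data/append_data
# appear as list_directory/add_file/add_subdirectory but are the same bits.
FULL = frozenset({"read_data", "write_data", "append_data", "execute",
                  "read_xattr", "read_attributes", "read_acl", "delete",
                  "delete_child", "write_xattr", "write_attributes",
                  "write_acl", "write_owner"})
INHERIT = frozenset({"file_inherit", "dir_inherit", "inherit_only", "no_propagate"})
FI_DI = frozenset({"file_inherit", "dir_inherit"})

Ace = namedtuple("Ace", "who perms flags")             # who: owner@, group@, everyone@
Principal = namedtuple("Principal", "uid gid groups")   # gid: primary; groups: all
Obj = namedtuple("Obj", "is_dir owner group acl setgid", defaults=[False])

def inherit_acl(parent, child_is_dir, aclinherit="restricted"):
    """Entries a new child of `parent` inherits."""
    if aclinherit == "discard":
        return []
    out = []
    for ace in parent.acl:
        f = ace.flags
        if child_is_dir:
            if not f & FI_DI:
                continue
            if "no_propagate" in f:
                nf = f - INHERIT              # applies to this dir, goes no further
            elif "dir_inherit" in f:
                nf = f - {"inherit_only"}     # applies to the new dir itself
            else:
                nf = f | {"inherit_only"}     # file_inherit only: held for files below
        elif "file_inherit" in f:
            nf = f - INHERIT                  # a file inherits nothing further
        else:
            continue
        perms = ace.perms
        if aclinherit == "restricted":        # the default: never hand these down
            perms = perms - {"write_acl", "write_owner"}
        out.append(Ace(ace.who, perms, frozenset(nf)))
    return out

def create(parent, creator, is_dir, aclinherit="restricted"):
    """The creator is always the owner; no ACE flag changes that.  The group
    follows the parent only when the parent directory is setgid."""
    return Obj(is_dir, creator.uid, parent.group if parent.setgid else creator.gid,
               inherit_acl(parent, is_dir, aclinherit))

def access(obj, p):
    """Bits `p` holds on obj; inherit_only entries are skipped because they say
    nothing about the object they sit on."""
    allowed = set()
    for ace in obj.acl:
        if "inherit_only" in ace.flags:
            continue
        if (ace.who == "everyone@" or (ace.who == "owner@" and p.uid == obj.owner)
                or (ace.who == "group@" and obj.group in p.groups)):
            allowed |= ace.perms              # owner@ resolves against the current owner
    return frozenset(allowed)

FAMILY = 2000
JOE = Principal(1001, 1001, frozenset({1001, FAMILY}))
ALICE = Principal(1002, 1002, frozenset({1002, FAMILY}))   # a Family member
GUEST = Principal(5000, 5000, frozenset({5000}))

def guest_folder(extra_flags=()):
    """Michelle's guest_folder, with or without inherit_only on every entry."""
    flags = FI_DI | frozenset(extra_flags)
    folder = Obj(True, JOE.uid, FAMILY,
                 [Ace(w, FULL, flags) for w in ("owner@", "group@", "everyone@")])
    upload = create(folder, GUEST, is_dir=False)
    return {"joe_can_list": "read_data" in access(folder, JOE),
            "guest_can_add_file": "write_data" in access(folder, GUEST),
            "upload_owner": upload.owner,         # the creator, whatever the ACL says
            "upload_entries": len(upload.acl)}    # inheritance itself still happened

def family_share(setgid):
    """Movies where Family may write: Alice's file is Alice's, and without setgid
    on Movies Joe matches no entry on it at all."""
    movies = Obj(True, JOE.uid, FAMILY,
                 [Ace("owner@", FULL, FI_DI), Ace("group@", FULL, FI_DI)], setgid)
    clip = create(movies, ALICE, is_dir=False)
    return clip.owner, clip.group, "read_data" in access(clip, JOE)

def restricted_vs_passthrough():
    """Family holds write_acl on Alice's file only under aclinherit=passthrough."""
    share = Obj(True, JOE.uid, FAMILY, [Ace("group@", FULL, FI_DI)], True)
    return tuple("write_acl" in access(create(share, ALICE, False, m), JOE)
                 for m in ("restricted", "passthrough"))

def file_inherit_only_subdir():
    """A file_inherit-only entry lands on a subdirectory carrying inherit_only:
    that is the flag's job, not something to add by hand to every entry."""
    top = Obj(True, JOE.uid, FAMILY, [Ace("group@", FULL, frozenset({"file_inherit"}))])
    sub = create(top, JOE, is_dir=True)
    return sorted(sub.acl[0].flags), "read_data" in access(sub, ALICE)
```

Three things the model makes visible. Ownership comes from the creating process and no ACE flag touches it; worse, owner@ in an inherited entry is resolved against that new owner, so the owner@ entry on guest_folder gives the guest full rights over the guest's own file, and in the Movies case Joe reaches Alice's file through group@ only when Movies is setgid (Peter's point 2). With inherit_only on every entry there is no entry left that applies to guest_folder itself, which is why ls shows d---------+ and Joe cannot list it: inherit_only belongs on an entry meant only for children, and ZFS sets it by itself when a file_inherit-only entry lands on a subdirectory. And aclinherit=restricted (the default) drops write_acl and write_owner from everything inherited, which is what stops a Family member from getting control of an ACL on someone else's file.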
Re: [OpenIndiana-discuss] ACL problem
On Sun, 2015-12-13 at 17:11, Peter Tribble wrote:
> Unfortunately, that's something you can't do.

Ah. Bugger. Looks like back to cron jobs and I'll abandon the ACL approach then!

Many thanks for taking the time to respond.

Michelle.