Re: [zfs-discuss] Best practice for setting ACL
So Cindy, Simon (or anyone else)... now that we are over a year past when Simon wrote his excellent blog introduction, is there an updated best practices for ACLs with CIFS? Or, is this blog entry still the best word on the street? In my case, I am supporting multiple PCs (Workgroup) and Macs; running OpenSolaris B134. Thanks, Craig -- This message posted from opensolaris.org ___ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
Re: [zfs-discuss] Best practice for setting ACL
It's been a while, and finally I got the time to do some testing -- Actually I only knew about aclinherit -- which I've found is best set as passthrough. Setting aclmode to passthrough, solved the issues I experienced earlier. Wonderful! Thanks alot! -- This message posted from opensolaris.org ___ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
Re: [zfs-discuss] Best practice for setting ACL
Hey, thanks for replying! I've been accessing my server with samba, but now that I'm switching over to nfs, I can't seem to get the ACL right.. Basically, moving and overwriting files seems to work fine. But if I copy a file - either from an external source or internally on the server - the permissions get messed up. Either I lose permission to write to the file, or I lose all permissions.. My access hierarchy: 1. Master group with full access to all files on server 2. Master group with only read access to all files on server 3. Local group with rw access to only this filesystem 4. Local group with read access to only this filesystem 5. Deny everyone else The template used on the filesystem: group:su:full_set:f:allow,\ group:su:full_set:d:allow,\ group:su::f:deny,\ group:su::d:deny,\ group:vu:read_set:f:allow,\ group:vu:read_set:d:allow,\ group:vu:wxpdDAWCos:f:deny,\ group:vu:wxpdDAWCos:d:deny,\ group:isorw:full_set:f:allow,\ group:isorw:full_set:d:allow,\ group:isorw::f:deny,\ group:isorw::d:deny,\ group:isor:read_set:f:allow,\ group:isor:read_set:d:allow,\ group:isor:wxpdDAWCos:f:deny,\ group:isor:wxpdDAWCos:d:deny,\ everyone@::f:allow,\ everyone@::d:allow,\ everyone@:full_set:f:deny,\ everyone@:full_set:d:deny \ If I make a new file on the server, the permissions looks fine, and I get full access: --+ 1 1000 workers0 Jan 28 20:35 testfile group:su:rwxpdDaARWcCos:--I:allow group:su:--:--I:deny group:vu:r-a-R-c---:--I:allow group:vu:-wxpdD-A-W-Cos:--I:deny group:isorw:rwxpdDaARWcCos:--I:allow group:isorw:--:--I:deny group:isor:r-a-R-c---:--I:allow group:isor:-wxpdD-A-W-Cos:--I:deny everyone@:--:--I:allow everyone@:rwxpdDaARWcCos:--I:deny If I make a copy of the file, however, it gets messy: --+ 1 1000 workers0 Aug 29 2022 testfile_copy group:su:rwxp--:---:deny group:su:rwxpdDaARWcCos:--I:allow group:su:--:--I:deny group:vu:r-:---:deny group:vu:r-a-R-c---:--I:allow group:vu:-wxpdD-A-W-Cos:--I:deny group:isorw:rwxp--:---:deny group:isorw:rwxpdDaARWcCos:--I:allow group:isorw:--:--I:deny group:isor:r-:---:deny group:isor:r-a-R-c---:--I:allow group:isor:-wxpdD-A-W-Cos:--I:deny everyone@:--:--I:allow everyone@:dDaARWcCos:--I:deny owner@:rwxp--:---:deny owner@:---A-W-Co-:---:allow group@:rwxp--:---:deny group@:--:---:allow everyone@:rwxp---A-W-Co-:---:deny everyone@:--a-R-c--s:---:allow Why does the extra entries get added? The extra entry at the top, seem to block me from accessing the file. On 01/25/2010 09:18 PM, Cindy Swearingen wrote: Hi CD, Practical in what kind of environment? What are your goals? Do you want the ACL deny entries to be inherited? Do you plan to use CIFS to access these files + ACLs from systems running Windows? Thanks, Cindy On 01/25/10 07:21, CD wrote: Hello forum. I'm in the process of re-organizing my server and ACL-settings. I've seen so many different ways of doing ACL, which makes me wonder how I should do it myself. This is obviously the easiest way, only describing the positive permissions: /usr/bin/chmod -R A=\ group:sa:full_set:fd:allow,\ group:vk:read_set:fd:allow \ However, I've seen people split each line, so you getone for each inheritance-setting: group:sa:full_set:f:allow,\ group:sa:full_set:d:allow,\ group:vk:read_set:f:allow,\ group:vk:read_set:d:allow \ And some include all negative permissions, like this: group:sa:full_set:f:allow,\ group:sa:full_set:d:allow,\ group:sa::f:deny,\ group:sa::d:deny,\ group:vk:read_set:f:allow,\ group:vk:read_set:d:allow,\ group:vk:wxpdDAWCos:f:deny,\ group:vk:wxpdDAWCos:d:deny,\ everyone@::f:allow,\ everyone@::d:allow,\ everyone@:full_set:f:deny,\ everyone@:full_set:d:deny \ - Which, I admit, looks more tidy and thoroughly done, but is it practical? ___ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss ___ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
Re: [zfs-discuss] Best practice for setting ACL
Hi-- I need to collect some more info: 1. What Solaris release is this? 2. Send me the output of this command on the file system below: # zfs get aclmode,aclinherit pool/dataset 3. What copy command are you using to copy testfile? In addition, are you using any options. Thanks, Cindy On 01/28/10 14:37, CD wrote: Hey, thanks for replying! I've been accessing my server with samba, but now that I'm switching over to nfs, I can't seem to get the ACL right.. Basically, moving and overwriting files seems to work fine. But if I copy a file - either from an external source or internally on the server - the permissions get messed up. Either I lose permission to write to the file, or I lose all permissions.. My access hierarchy: 1. Master group with full access to all files on server 2. Master group with only read access to all files on server 3. Local group with rw access to only this filesystem 4. Local group with read access to only this filesystem 5. Deny everyone else The template used on the filesystem: group:su:full_set:f:allow,\ group:su:full_set:d:allow,\ group:su::f:deny,\ group:su::d:deny,\ group:vu:read_set:f:allow,\ group:vu:read_set:d:allow,\ group:vu:wxpdDAWCos:f:deny,\ group:vu:wxpdDAWCos:d:deny,\ group:isorw:full_set:f:allow,\ group:isorw:full_set:d:allow,\ group:isorw::f:deny,\ group:isorw::d:deny,\ group:isor:read_set:f:allow,\ group:isor:read_set:d:allow,\ group:isor:wxpdDAWCos:f:deny,\ group:isor:wxpdDAWCos:d:deny,\ everyone@::f:allow,\ everyone@::d:allow,\ everyone@:full_set:f:deny,\ everyone@:full_set:d:deny \ If I make a new file on the server, the permissions looks fine, and I get full access: --+ 1 1000 workers0 Jan 28 20:35 testfile group:su:rwxpdDaARWcCos:--I:allow group:su:--:--I:deny group:vu:r-a-R-c---:--I:allow group:vu:-wxpdD-A-W-Cos:--I:deny group:isorw:rwxpdDaARWcCos:--I:allow group:isorw:--:--I:deny group:isor:r-a-R-c---:--I:allow group:isor:-wxpdD-A-W-Cos:--I:deny everyone@:--:--I:allow everyone@:rwxpdDaARWcCos:--I:deny If I make a copy of the file, however, it gets messy: --+ 1 1000 workers0 Aug 29 2022 testfile_copy group:su:rwxp--:---:deny group:su:rwxpdDaARWcCos:--I:allow group:su:--:--I:deny group:vu:r-:---:deny group:vu:r-a-R-c---:--I:allow group:vu:-wxpdD-A-W-Cos:--I:deny group:isorw:rwxp--:---:deny group:isorw:rwxpdDaARWcCos:--I:allow group:isorw:--:--I:deny group:isor:r-:---:deny group:isor:r-a-R-c---:--I:allow group:isor:-wxpdD-A-W-Cos:--I:deny everyone@:--:--I:allow everyone@:dDaARWcCos:--I:deny owner@:rwxp--:---:deny owner@:---A-W-Co-:---:allow group@:rwxp--:---:deny group@:--:---:allow everyone@:rwxp---A-W-Co-:---:deny everyone@:--a-R-c--s:---:allow Why does the extra entries get added? The extra entry at the top, seem to block me from accessing the file. On 01/25/2010 09:18 PM, Cindy Swearingen wrote: Hi CD, Practical in what kind of environment? What are your goals? Do you want the ACL deny entries to be inherited? Do you plan to use CIFS to access these files + ACLs from systems running Windows? Thanks, Cindy On 01/25/10 07:21, CD wrote: Hello forum. I'm in the process of re-organizing my server and ACL-settings. I've seen so many different ways of doing ACL, which makes me wonder how I should do it myself. This is obviously the easiest way, only describing the positive permissions: /usr/bin/chmod -R A=\ group:sa:full_set:fd:allow,\ group:vk:read_set:fd:allow \ However, I've seen people split each line, so you getone for each inheritance-setting: group:sa:full_set:f:allow,\ group:sa:full_set:d:allow,\ group:vk:read_set:f:allow,\ group:vk:read_set:d:allow \ And some include all negative permissions, like this: group:sa:full_set:f:allow,\ group:sa:full_set:d:allow,\ group:sa::f:deny,\ group:sa::d:deny,\ group:vk:read_set:f:allow,\ group:vk:read_set:d:allow,\ group:vk:wxpdDAWCos:f:deny,\ group:vk:wxpdDAWCos:d:deny,\ everyone@::f:allow,\ everyone@::d:allow,\ everyone@:full_set:f:deny,\ everyone@:full_set:d:deny \ - Which, I admit, looks more tidy and thoroughly done, but is it practical? ___ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss ___ zfs-discuss mailing list zfs-discuss@opensolaris.org
Re: [zfs-discuss] Best practice for setting ACL
I don't have a lot of time to help here, but this post of mine might possibly help with ACLs: http://breden.org.uk/2009/05/10/home-fileserver-zfs-file-systems/ Cheers, Simon -- This message posted from opensolaris.org ___ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
[zfs-discuss] Best practice for setting ACL
Hello forum. I'm in the process of re-organizing my server and ACL-settings. I've seen so many different ways of doing ACL, which makes me wonder how I should do it myself. This is obviously the easiest way, only describing the positive permissions: /usr/bin/chmod -R A=\ group:sa:full_set:fd:allow,\ group:vk:read_set:fd:allow \ However, I've seen people split each line, so you getone for each inheritance-setting: group:sa:full_set:f:allow,\ group:sa:full_set:d:allow,\ group:vk:read_set:f:allow,\ group:vk:read_set:d:allow \ And some include all negative permissions, like this: group:sa:full_set:f:allow,\ group:sa:full_set:d:allow,\ group:sa::f:deny,\ group:sa::d:deny,\ group:vk:read_set:f:allow,\ group:vk:read_set:d:allow,\ group:vk:wxpdDAWCos:f:deny,\ group:vk:wxpdDAWCos:d:deny,\ everyone@::f:allow,\ everyone@::d:allow,\ everyone@:full_set:f:deny,\ everyone@:full_set:d:deny \ - Which, I admit, looks more tidy and thoroughly done, but is it practical? ___ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
