Re: [zfs-discuss] a single nfs file system shared out twice with different permissions
On 20/12/2010 19:26, Geoff Nordli wrote:
>> I guess he has some application he can imprison into a specific read-only
>> subdirectory, while some other application should be able to read/write or
>> something like that, using the same username, on the same machine.
>
> It is the same application, but for some functions it needs to use read-only
> access or it will modify the files when I don't want it to.

Another alternative is if the application is running on Solaris then you can run it with the basic file_write privilege removed. This basic privilege was added for exactly this type of use case.

    $ ppriv -e -s EPIL=basic,!file_write myapp

If it is being started by an SMF service you can remove file_write in the method_credential section - see smf_method(5).

--
Darren J Moffat
___
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
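Added example, not part of the original post and not the poster's or the Solaris project's own manifest: a minimal SMF manifest showing where the method_credential change described in the message above would go. The service name site/myapp-readonly, the myapp user and group, and the path /opt/myapp/bin/myapp are hypothetical placeholders.

```xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!-- Hypothetical service: runs myapp with the basic file_write privilege removed. -->
<service_bundle type='manifest' name='myapp-readonly'>
  <service name='site/myapp-readonly' type='service' version='1'>
    <create_default_instance enabled='false'/>
    <single_instance/>

    <!-- Wait for local file systems before starting. -->
    <dependency name='fs-local' grouping='require_all'
                restart_on='none' type='service'>
      <service_fmri value='svc:/system/filesystem/local'/>
    </dependency>

    <exec_method type='method' name='start'
                 exec='/opt/myapp/bin/myapp' timeout_seconds='60'>
      <method_context>
        <!-- privileges: the set the start method runs with, here the
             basic set minus file_write, as in the ppriv command.
             limit_privileges: the same restriction on the limit set
             (the L in EPIL), so that anything the method executes
             stays bounded by it as well. -->
        <method_credential user='myapp' group='myapp'
                           privileges='basic,!file_write'
                           limit_privileges='basic,!file_write'/>
      </method_context>
    </exec_method>

    <!-- Stop by signalling every process in the service contract. -->
    <exec_method type='method' name='stop'
                 exec=':kill' timeout_seconds='60'/>
  </service>
</service_bundle>
```

Running ppriv against the process ID of the started service lists its privilege sets, which is a quick way to confirm that file_write is gone.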
Re: [zfs-discuss] a single nfs file system shared out twice with different permissions
>From: Darren J Moffat
>Sent: Monday, December 20, 2010 4:15 AM
>Subject: Re: [zfs-discuss] a single nfs file system shared out twice with different permissions
>
>On 18/12/2010 07:09, Geoff Nordli wrote:
>> I am trying to configure a system where I have two different NFS
>> shares which point to the same directory. The idea is if you come in
>> via one path, you will have read-only access and can't delete any
>> files, if you come in the 2nd path, then you will have read/write access.
>
>That sounds very similar to what you would do with Trusted Extensions.
>The read/write label would be a higher classification than the read-only one -
>since you can read down, can't see higher and need to be equal to modify.
>
>For more information on Trusted Extensions start with these resources:
>
>Oracle Solaris 11 Express Trusted Extensions Collection
>
>    http://docs.sun.com/app/docs/coll/2580.1?l=en
>
>OpenSolaris Security Community pages on TX:
>
>    http://hub.opensolaris.org/bin/view/Community+Group+security/tx

Darren, thanks for the suggestion. I think I am going to go back to using CIFS. It seems to be quite a bit simpler than what I am looking at with NFS.

Have a great day!

Geoff
Re: [zfs-discuss] a single nfs file system shared out twice with different permissions
>From: Richard Elling
>Sent: Monday, December 20, 2010 8:14 PM
>Subject: Re: [zfs-discuss] a single nfs file system shared out twice with different permissions
>
>On Dec 20, 2010, at 11:26 AM, "Geoff Nordli" wrote:
>
>>> From: Edward Ned Harvey
>>> Sent: Monday, December 20, 2010 9:25 AM
>>> Subject: RE: [zfs-discuss] a single nfs file system shared out twice with different permissions
>>>
>>>> From: Richard Elling
>>>>
>>>>> zfs create tank/snapshots
>>>>> zfs set sharenfs=on tank/snapshots
>>>>
>>>> "on" by default sets the NFS share parameters to: "rw"
>>>> You can set specific NFS share parameters by using a string that
>>>> contains the parameters. For example,
>>>>
>>>>     zfs set sharenfs=rw=192.168.12.13,ro=192.168.12.14 my/file/system
>>>>
>>>> sets readonly access for host 192.168.12.14 and read/write access
>>>> for 192.168.12.13.
>>>
>>> Yeah, but for some reason, the OP didn't want to make it readonly for different
>>> clients ... He wanted a single client to have it mounted twice on two different
>>> directories, one with readonly, and the other with read-write.
>
>Is someone suggesting my solution won't work? Or are they just not up to the
>challenge? :-)

It won't work :)

The challenge is exporting two shares from the same folder. Linux has a "bind" command which will make this work, but from what I can see there isn't an equivalent on OpenSolaris.

This isn't a big deal though; I can make it work using CIFS. It isn't something that has to be NFS, but I thought I would ask to see if there was a simple solution I was missing.

>>> I guess he has some application he can imprison into a specific
>>> read-only subdirectory, while some other application should be able
>>> to read/write or something like that, using the same username, on the same machine.
>>
>> It is the same application, but for some functions it needs to use
>> read-only access or it will modify the files when I don't want it to.
>
>Sounds like a simple dtrace script should do the trick, too.

Unfortunately, there isn't anything I can do about the application, and it really isn't a big deal. There is a pretty straightforward workaround.

Have a great day!

Geoff
Re: [zfs-discuss] a single nfs file system shared out twice with different permissions
On Dec 20, 2010, at 11:26 AM, "Geoff Nordli" wrote:

>> From: Edward Ned Harvey
>> Sent: Monday, December 20, 2010 9:25 AM
>> Subject: RE: [zfs-discuss] a single nfs file system shared out twice with different permissions
>>
>>> From: Richard Elling
>>>
>>>> zfs create tank/snapshots
>>>> zfs set sharenfs=on tank/snapshots
>>>
>>> "on" by default sets the NFS share parameters to: "rw"
>>> You can set specific NFS share parameters by using a string that
>>> contains the parameters. For example,
>>>
>>>     zfs set sharenfs=rw=192.168.12.13,ro=192.168.12.14 my/file/system
>>>
>>> sets readonly access for host 192.168.12.14 and read/write access for
>>> 192.168.12.13.
>>
>> Yeah, but for some reason, the OP didn't want to make it readonly for different
>> clients ... He wanted a single client to have it mounted twice on two different
>> directories, one with readonly, and the other with read-write.

Is someone suggesting my solution won't work? Or are they just not up to the challenge? :-)

>> I guess he has some application he can imprison into a specific read-only
>> subdirectory, while some other application should be able to read/write or
>> something like that, using the same username, on the same machine.
>
> It is the same application, but for some functions it needs to use read-only
> access or it will modify the files when I don't want it to.

Sounds like a simple dtrace script should do the trick, too.
 -- richard
Re: [zfs-discuss] a single nfs file system shared out twice with different permissions
>From: Edward Ned Harvey
>Sent: Monday, December 20, 2010 9:25 AM
>Subject: RE: [zfs-discuss] a single nfs file system shared out twice with different permissions
>
>> From: Richard Elling
>>
>> > zfs create tank/snapshots
>> > zfs set sharenfs=on tank/snapshots
>>
>> "on" by default sets the NFS share parameters to: "rw"
>> You can set specific NFS share parameters by using a string that
>> contains the parameters. For example,
>>
>>     zfs set sharenfs=rw=192.168.12.13,ro=192.168.12.14 my/file/system
>>
>> sets readonly access for host 192.168.12.14 and read/write access for
>> 192.168.12.13.
>
>Yeah, but for some reason, the OP didn't want to make it readonly for different
>clients ... He wanted a single client to have it mounted twice on two different
>directories, one with readonly, and the other with read-write.
>
>I guess he has some application he can imprison into a specific read-only
>subdirectory, while some other application should be able to read/write or
>something like that, using the same username, on the same machine.

It is the same application, but for some functions it needs to use read-only access or it will modify the files when I don't want it to.

Have a great day!

Geoff
Re: [zfs-discuss] a single nfs file system shared out twice with different permissions
> From: zfs-discuss-boun...@opensolaris.org [mailto:zfs-discuss-boun...@opensolaris.org] On Behalf Of Richard Elling
>
> > zfs create tank/snapshots
> > zfs set sharenfs=on tank/snapshots
>
> "on" by default sets the NFS share parameters to: "rw"
> You can set specific NFS share parameters by using a string that
> contains the parameters. For example,
>
>     zfs set sharenfs=rw=192.168.12.13,ro=192.168.12.14 my/file/system
>
> sets readonly access for host 192.168.12.14 and read/write access
> for 192.168.12.13.

Yeah, but for some reason, the OP didn't want to make it readonly for different clients ... He wanted a single client to have it mounted twice on two different directories, one with readonly, and the other with read-write.

I guess he has some application he can imprison into a specific read-only subdirectory, while some other application should be able to read/write or something like that, using the same username, on the same machine.
Re: [zfs-discuss] a single nfs file system shared out twice with different permissions
On 18/12/2010 07:09, Geoff Nordli wrote:
> I am trying to configure a system where I have two different NFS shares
> which point to the same directory. The idea is if you come in via one path,
> you will have read-only access and can't delete any files, if you come in
> the 2nd path, then you will have read/write access.

That sounds very similar to what you would do with Trusted Extensions. The read/write label would be a higher classification than the read-only one - since you can read down, can't see higher and need to be equal to modify.

For more information on Trusted Extensions start with these resources:

Oracle Solaris 11 Express Trusted Extensions Collection

    http://docs.sun.com/app/docs/coll/2580.1?l=en

OpenSolaris Security Community pages on TX:

    http://hub.opensolaris.org/bin/view/Community+Group+security/tx

--
Darren J Moffat
Re: [zfs-discuss] a single nfs file system shared out twice with different permissions
On Dec 17, 2010, at 11:09 PM, Geoff Nordli wrote:

> I am trying to configure a system where I have two different NFS shares
> which point to the same directory. The idea is if you come in via one path,
> you will have read-only access and can't delete any files, if you come in
> the 2nd path, then you will have read/write access.
>
> For example, create the read/write nfs share:
>
> zfs create tank/snapshots
> zfs set sharenfs=on tank/snapshots

"on" by default sets the NFS share parameters to: "rw"
You can set specific NFS share parameters by using a string that contains the parameters. For example,

    zfs set sharenfs=rw=192.168.12.13,ro=192.168.12.14 my/file/system

sets readonly access for host 192.168.12.14 and read/write access for 192.168.12.13.
For more info see the man page for share_nfs(1m)
 -- richard

> r...@grok-zfs1:/# sharemgr show -vp
> default nfs=()
> zfs
>     zfs/tank/snapshots nfs=()
>         /tank/snapshots
>
> I have had some luck doing it with Samba.
>
> Any pointers to making it work with NFS?
>
> Thanks,
>
> Geoff
Re: [zfs-discuss] a single nfs file system shared out twice with different permissions
>-----Original Message-----
>From: Edward Ned Harvey
>[mailto:opensolarisisdeadlongliveopensola...@nedharvey.com]
>Sent: Saturday, December 18, 2010 6:13 AM
>To: 'Geoff Nordli'; zfs-discuss@opensolaris.org
>Subject: RE: [zfs-discuss] a single nfs file system shared out twice with different permissions
>
>> From: zfs-discuss-boun...@opensolaris.org [mailto:zfs-discuss-boun...@opensolaris.org] On Behalf Of Geoff Nordli
>>
>> I am trying to configure a system where I have two different NFS
>> shares which point to the same directory. The idea is if you come in
>> via one path, you will have read-only access and can't delete any files,
>> if you come in the 2nd path, then you will have read/write access.
>
>I think you can do this client-side.
>
>mkdir /foo1
>mkdir /foo2
>mount nfsserver:/exports/bar /foo1
>mount -o ro nfsserver:/exports/bar /foo2

Thanks Edward.

The client side solution works great.

Happy holidays!!

Geoff
Re: [zfs-discuss] a single nfs file system shared out twice with different permissions
> From: zfs-discuss-boun...@opensolaris.org [mailto:zfs-discuss-boun...@opensolaris.org] On Behalf Of Geoff Nordli
>
> I am trying to configure a system where I have two different NFS shares
> which point to the same directory. The idea is if you come in via one path,
> you will have read-only access and can't delete any files, if you come in
> the 2nd path, then you will have read/write access.

I think you can do this client-side.

    mkdir /foo1
    mkdir /foo2
    mount nfsserver:/exports/bar /foo1
    mount -o ro nfsserver:/exports/bar /foo2
[zfs-discuss] a single nfs file system shared out twice with different permissions
I am trying to configure a system where I have two different NFS shares which point to the same directory. The idea is if you come in via one path, you will have read-only access and can't delete any files, if you come in the 2nd path, then you will have read/write access.

For example, create the read/write nfs share:

    zfs create tank/snapshots
    zfs set sharenfs=on tank/snapshots

    r...@grok-zfs1:/# sharemgr show -vp
    default nfs=()
    zfs
        zfs/tank/snapshots nfs=()
            /tank/snapshots

I have had some luck doing it with Samba.

Any pointers to making it work with NFS?

Thanks,

Geoff