Re: multiple ACEs with the same ACL qualifier
Message written by Harald Schmalzbauer on 8 Feb 2013, at 17:54:

> Hello,
>
> I'd like to duplicate the following ACL:
> # file: /data/shared/
> # owner: harry
> # group: harry
> group:1stgroup:r-x---a-R-c--s:fd:allow
> group:2ndgroup:rwxp--a-R-c--s:-d:allow
> group:2ndgroup:D-:-d:deny
> group:2ndgroup:r-a-R-c--s:f-i---:allow
> owner@:rwxpDdaARWcCos:fd:allow
> group@:r-xp--a-R-c--s:fd:allow
> everyone@:--:fd:allow
>
> So there are two "group:2ndgroup:::allow" entries.
> While it's annoying that I can't modify one specific of these with "-m"
> (both get altered without warning/confirmation request), I also can't use
> "-M" to apply it read from file.
>
> Are there any workarounds?

Please use "-a" and "-x" instead. The "-m" was fine for POSIX.1e ACLs, where you never have more than one entry per principal and the ordering doesn't matter.

--
If you cut off my head, what would I say? Me and my head, or me and my body?
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
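Why entry order matters for NFSv4 ACLs, unlike the POSIX.1e case mentioned in this reply, shown as an added example that is not part of the thread and not FreeBSD's implementation: a simplified top-to-bottom evaluator run over the same four entries in two orders. The ACL text and the group name `editors` are constructed, and inheritance flags and owner or superuser special cases are ignored.

```shell
#!/bin/sh
# Simplified NFSv4 ACL walk (assumption: no inheritance handling, no owner or
# superuser special cases). Entries use the getfacl text layout seen in the
# thread: [tag:]who:permissions:flags:type.

# acl_decide PRINCIPALS WANTED   (ACL text on stdin, prints "allow" or "deny")
#   PRINCIPALS  space-separated entries the requester matches,
#               e.g. "owner@ group:editors everyone@"
#   WANTED      requested permission letters, e.g. "D" (delete_child)
acl_decide() {
    who=" $1 "
    pending=$2
    while read -r ace; do
        case $ace in ''|'#'*) continue ;; esac    # skip blanks and "# file:" headers
        type=${ace##*:}                           # allow | deny
        case $type in allow|deny) ;; *) continue ;; esac
        rest=${ace%:*}                            # strip type
        rest=${rest%:*}                           # strip inheritance flags
        perms=${rest##*:}
        tag=${rest%:*}                            # "owner@" or "group:name"
        case $who in *" $tag "*) ;; *) continue ;; esac
        left=
        bits=$pending
        while [ -n "$bits" ]; do
            b=${bits%"${bits#?}"}                 # first undecided letter
            bits=${bits#?}
            case $perms in
                *"$b"*)
                    # The first matching entry that names the bit settles it.
                    if [ "$type" = deny ]; then echo deny; return 0; fi ;;
                *)  left=$left$b ;;
            esac
        done
        pending=$left
        if [ -z "$pending" ]; then echo allow; return 0; fi
    done
    echo deny                                     # bits that no entry granted
}

# Constructed ACLs: the same four entries in two different orders.
ACL_DENY_ABOVE_OWNER='group:editors:rwxp--a-R-c--s:fd----:allow
group:editors:----D---------:-d----:deny
owner@:rwxpDdaARWcCos:fd----:allow
everyone@:--------------:fd----:allow'

ACL_OWNER_ON_TOP='owner@:rwxpDdaARWcCos:fd----:allow
group:editors:rwxp--a-R-c--s:fd----:allow
group:editors:----D---------:-d----:deny
everyone@:--------------:fd----:allow'

# decide ACL PRINCIPALS WANTED -> prints allow|deny
decide() { printf '%s\n' "$1" | acl_decide "$2" "$3"; }

# An owner who is also in "editors" asks for delete_child (D):
decide "$ACL_DENY_ABOVE_OWNER" "owner@ group:editors everyone@" D
decide "$ACL_OWNER_ON_TOP"     "owner@ group:editors everyone@" D
```

An entry edited in place keeps its position, so whatever sits above it still decides first; inserting at a chosen position is what changes the outcome.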
multiple ACEs with the same ACL qualifier
Hello,

I'd like to duplicate the following ACL:

# file: /data/shared/
# owner: harry
# group: harry
group:1stgroup:r-x---a-R-c--s:fd:allow
group:2ndgroup:rwxp--a-R-c--s:-d:allow
group:2ndgroup:D-:-d:deny
group:2ndgroup:r-a-R-c--s:f-i---:allow
owner@:rwxpDdaARWcCos:fd:allow
group@:r-xp--a-R-c--s:fd:allow
everyone@:--:fd:allow

So there are two "group:2ndgroup:::allow" entries.
While it's annoying that I can't modify one specific of these with "-m" (both get altered without warning/confirmation request), I also can't use "-M" to apply it read from file.

Are there any workarounds?

Intention is to make sure newly created files can only be deleted/altered by owner, while two other groups need to access files and directories read-only, but one of them also needs write access. But mustn't delete foreign files/directories.

Never had so many problems applying real-world needs... Done such setup hundred times without effort, but on other FS...

Thanks,

-Harry
RE: NFSv4 ACL permissions setting
> >>> #!/bin/sh
> >>> # run this script where you wish to effect the changes
> >>> # reset perms to default
> >>> find . -type d -print0 | xargs -0 setfacl -b *
> >>
> >> Why the asterisk? Also, using "-m" with NFSv4 ACLs is not a very good
> >> idea - it's supposed to work, but with NFSv4 ACLs the ordering does
> >> matter, and "-m" simply modifies the ACL entry in place, while the
> >> effect of the entry might depend e.g. on "deny" entries before it.
> >> Use "-a" instead.
> >
> > Forgive me- I am not particularly strong when it comes to shell
> > scripting. I will modify so that the -a parameter is used instead of -m
> > when setting new entries.
>
> Ok. It's simply a matter of replacing '-m' with '-a0'.

I did not realize that one could add a numeral to the "-a" parameter to indicate the desired order. I just did a 'man setfacl' and indeed it is described as such. Good to know!

Is there a preferred way of ordering? I.e. owner@ at line 0 followed by group@ at line 1 followed by everyone@ at line 2 then followed by the two groups described in my original mail (e.g. dsp-production & dsp-marketing)? Or is that totally dependent on how I want to structure the permissions so that the desired effect is achieved?

For example like this:

dougs@dorado:/data# getfacl ADS-New/
# file: ADS-New/
# owner: root
# group: DSP-production
group:DSP-production:rwxpDdaARWcCos:fd:allow
group:DSP-marketing:rwxpDdaARWcCos:fd:allow
owner@:rwxpDdaARWcCos:fd:allow
group@:rwxpDdaARWcCos:fd:allow
everyone@:--a-R-c--s:--:allow
dougs@dorado:/data#

where anyone who is a member of the dsp-production group will ALWAYS have full_set permissions simply because that is indicated at line 0 and thus meets the test of line 0? Processing stops at line 0 as long as the user is a member of that group, right?

Does a user who does not belong to any of the groups indicated above and isn't an owner have the ability to modify the directory? I assume that would be the everyone@ group...

> Btw, the bug in setfacl(1) command has been fixed in HEAD and will
> be merged into STABLE in a month from now.

What exactly was the bug? Did I uncover it inadvertently?

> > What would you use in place of the asterisk when you want to apply the
> > "setfacl -b" command to either all files or all directories? The period?
>
> Directories:
>
> find . -type d -print0 | xargs -0 setfacl -b
>
> Files:
>
> find . -type f -print0 | xargs -0 setfacl -b
>
> The whole point of xargs here is to take the list of files it gets from
> find and turn it into a series of arguments for setfacl. So, in the
> example above, the actual invocation of setfacl would read
> "setfacl -b first-file second-file" etc. With the asterisk, it would be
> "setfacl -b * first-file second-file"; this means setfacl would modify
> not only the files passed by find, but also all the files in the current
> directory.

Ah, interesting. I'm going to test the changes to the scripts.

Thanks for the feedback.

~Doug
Re: NFSv4 ACL permissions setting
On Thu, 6 Sep 2012 01:20:38 +0200, Edward Tomasz Napierała wrote:
> Message written by Doug Sampson on 6 Sep 2012, at 01:13:
> >> Message written by Doug Sampson on 31 Aug 2012, at 01:42:
> >>
> >> [..]
> >>
> >>> group:DSP-production:rwxpDdaARWcCos:fd:allow <<<<< -
> >>> group:DSP-production:rwxpDdaARWcCos:fd:allow <<<<< -
> >>
> >> This itself looks like a bug in setfacl(1). I'll look into it.
> >> However...
> >>
> >> [..]
> >>
> >>> #!/bin/sh
> >>> # run this script where you wish to effect the changes
> >>> # reset perms to default
> >>> find . -type d -print0 | xargs -0 setfacl -b *
> >>
> >> Why the asterisk? Also, using "-m" with NFSv4 ACLs is not a very good
> >> idea - it's supposed to work, but with NFSv4 ACLs the ordering does
> >> matter, and "-m" simply modifies the ACL entry in place, while the
> >> effect of the entry might depend e.g. on "deny" entries before it.
> >> Use "-a" instead.
> >
> > Forgive me- I am not particularly strong when it comes to shell scripting.
> > I will modify so that the -a parameter is used instead of -m when setting
> > new entries.
>
> Ok. It's simply a matter of replacing '-m' with '-a0'.
>
> Btw, the bug in setfacl(1) command has been fixed in HEAD and will
> be merged into STABLE in a month from now.
>
> > What would you use in place of the asterisk when you want to apply the
> > "setfacl -b" command to either all files or all directories? The period?
>
> Directories:
>
> find . -type d -print0 | xargs -0 setfacl -b
>
> Files:
>
> find . -type f -print0 | xargs -0 setfacl -b
>
> The whole point of xargs here is to take the list of files it gets from find
> and turn it into a series of arguments for setfacl. So, in the example above,
> the actual invocation of setfacl would read "setfacl -b first-file
> second-file" etc. With the asterisk, it would be "setfacl -b * first-file
> second-file"; this means setfacl would modify not only the files passed by
> find, but also all the files in the current directory.

Note that the parameter lists constructed by xargs and passed to setfacl might grow quite long and possibly exceed the respective buffer. In that case, you could modify the command to process one result at a time:

    # find . -type f -exec /bin/setfacl -b {} \;

for all files, and

    # find . -type d -exec /bin/setfacl -b {} \;

for all directories. Not tested. :-)

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: NFSv4 ACL permissions setting
Message written by Doug Sampson on 6 Sep 2012, at 01:13:
>> Message written by Doug Sampson on 31 Aug 2012, at 01:42:
>>
>> [..]
>>
>>> group:DSP-production:rwxpDdaARWcCos:fd:allow <<<<< -
>>> group:DSP-production:rwxpDdaARWcCos:fd:allow <<<<< -
>>
>> This itself looks like a bug in setfacl(1). I'll look into it.
>> However...
>>
>> [..]
>>
>>> #!/bin/sh
>>> # run this script where you wish to effect the changes
>>> # reset perms to default
>>> find . -type d -print0 | xargs -0 setfacl -b *
>>
>> Why the asterisk? Also, using "-m" with NFSv4 ACLs is not a very good
>> idea - it's supposed to work, but with NFSv4 ACLs the ordering does
>> matter, and "-m" simply modifies the ACL entry in place, while the
>> effect of the entry might depend e.g. on "deny" entries before it.
>> Use "-a" instead.
>
> Forgive me- I am not particularly strong when it comes to shell scripting. I
> will modify so that the -a parameter is used instead of -m when setting new
> entries.

Ok. It's simply a matter of replacing '-m' with '-a0'.

Btw, the bug in setfacl(1) command has been fixed in HEAD and will be merged into STABLE in a month from now.

> What would you use in place of the asterisk when you want to apply the
> "setfacl -b" command to either all files or all directories? The period?

Directories:

    find . -type d -print0 | xargs -0 setfacl -b

Files:

    find . -type f -print0 | xargs -0 setfacl -b

The whole point of xargs here is to take the list of files it gets from find and turn it into a series of arguments for setfacl. So, in the example above, the actual invocation of setfacl would read "setfacl -b first-file second-file" etc. With the asterisk, it would be "setfacl -b * first-file second-file"; this means setfacl would modify not only the files passed by find, but also all the files in the current directory.

--
If you cut off my head, what would I say? Me and my head, or me and my body?
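The effect of the trailing asterisk described in this reply, as an added dry-run example that is not part of the original message: the `sh -c` printer standing in for `setfacl` and the sample tree (directory names borrowed from the thread's listing, `notes.txt` made up) are assumptions for the demo. First-level entries reach the command twice and a top-level plain file reaches it despite `-type d`, while deeper directories arrive once.

```shell
#!/bin/sh
# Dry run of the thread's pipeline. Instead of setfacl, xargs starts a tiny
# sh -c command that only prints its arguments, so no ACL is touched.

# make_tree: constructed sample tree, two directory levels plus one file.
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/Artworks/Ask JoeS" "$root/ForDSP"
    : > "$root/notes.txt"
    printf '%s\n' "$root"
}

# args_passed ROOT MODE: one line per argument the command would receive.
#   MODE "glob"  = pipeline as posted, with the trailing *
#   MODE "plain" = corrected pipeline, without it
args_passed() {
    (
        cd "$1" || exit 1
        if [ "$2" = glob ]; then
            # The calling shell expands * to the entries of the current
            # directory before xargs starts; they become fixed arguments
            # placed in front of everything find delivers.
            find . -type d -print0 | xargs -0 sh -c 'printf "%s\n" "$@"' sh *
        else
            find . -type d -print0 | xargs -0 sh -c 'printf "%s\n" "$@"' sh
        fi
    ) | sed 's|^\./||'    # "./Artworks" and "Artworks" name the same directory
}

# times_passed ROOT MODE PATH: how often PATH shows up in the argument list.
times_passed() {
    args_passed "$1" "$2" | grep -cxF -- "$3" || true
}

demo=$(make_tree)
for p in "Artworks" "Artworks/Ask JoeS" "notes.txt"; do
    printf '%-20s glob=%s plain=%s\n' "$p" \
        "$(times_passed "$demo" glob "$p")" "$(times_passed "$demo" plain "$p")"
done
rm -rf "$demo"
```

The doubled arguments fall on the same directory level where the thread's listing shows the duplicated DSP-production entry.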
RE: NFSv4 ACL permissions setting
> Message written by Doug Sampson on 31 Aug 2012, at 01:42:
>
> [..]
>
> > group:DSP-production:rwxpDdaARWcCos:fd:allow <<<<< -
> > group:DSP-production:rwxpDdaARWcCos:fd:allow <<<<< -
>
> This itself looks like a bug in setfacl(1). I'll look into it.
> However...
>
> [..]
>
> > #!/bin/sh
> > # run this script where you wish to effect the changes
> > # reset perms to default
> > find . -type d -print0 | xargs -0 setfacl -b *
>
> Why the asterisk? Also, using "-m" with NFSv4 ACLs is not a very good
> idea - it's supposed to work, but with NFSv4 ACLs the ordering does
> matter, and "-m" simply modifies the ACL entry in place, while the effect
> of the entry might depend e.g. on "deny" entries before it. Use "-a"
> instead.

Forgive me- I am not particularly strong when it comes to shell scripting. I will modify so that the -a parameter is used instead of -m when setting new entries.

What would you use in place of the asterisk when you want to apply the "setfacl -b" command to either all files or all directories? The period?

~Doug
Re: NFSv4 ACL permissions setting
Message written by Doug Sampson on 31 Aug 2012, at 01:42:

[..]

> group:DSP-production:rwxpDdaARWcCos:fd:allow <<<<<-
> group:DSP-production:rwxpDdaARWcCos:fd:allow <<<<<-

This itself looks like a bug in setfacl(1). I'll look into it. However...

[..]

> #!/bin/sh
> # run this script where you wish to effect the changes
> # reset perms to default
> find . -type d -print0 | xargs -0 setfacl -b *

Why the asterisk? Also, using "-m" with NFSv4 ACLs is not a very good idea - it's supposed to work, but with NFSv4 ACLs the ordering does matter, and "-m" simply modifies the ACL entry in place, while the effect of the entry might depend e.g. on "deny" entries before it. Use "-a" instead.

--
If you cut off my head, what would I say? Me and my head, or me and my body?
NFSv4 ACL permissions setting
Hello all-

I've set up ZFS on a FreeBSD 9.0 64-bit server recently. One of the things I've had to learn relates to NFSv4 ACLs. I've developed two scripts to reset permissions- one for files and the other for folders.

I've run into an issue with executing a script to set permissions on a bunch of folders. The root filesystem is /data. There are a bunch of subfolders followed by more subfolders.

Allow me to demonstrate as follows:

dougs@dorado:/# getfacl ./data
# file: ./data
# owner: root
# group: DSP-production
group:DSP-production:rwxpDdaARWcCos:fd:allow
group:DSP-marketing:rwxpDdaARWcCos:fd:allow
owner@:rwxpDdaARWcCos:fd:allow
group@:rwxpDdaARWcCos:fd:allow
everyone@:r-x---a-R-c--s:--:allow
dougs@dorado:/# cd data
dougs@dorado:/data# ll
total 45
drwxrwx---+  5 root DSP-production   5 Aug 28 10:27 ADS-New
drwxrwx---+ 60 root DSP-production 118 Aug 27 14:17 ADS-OLD
[ .. snip .. ]
drwxrwx---+ 12 root DSP-production  12 Aug 27 14:16 WorkinProgress
dougs@dorado:/data# getfacl ./ADS-New/
# file: ./ADS-New/
# owner: root
# group: DSP-production
group:DSP-production:rwxpDdaARWcCos:fd:allow
group:DSP-marketing:rwxpDdaARWcCos:fd:allow
owner@:rwxpDdaARWcCos:fd:allow
group@:rwxpDdaARWcCos:fd:allow
everyone@:--a-R-c--s:--:allow
dougs@dorado:/data# cd ./ADS-New/
dougs@dorado:/data/ADS-New# ll
total 9
drwxrwx---+  5 root nobody  7 Aug 27 14:20 Artworks
drwxrwx---+  4 root nobody  4 Jul 17 12:12 ForDSP
drwxrwx---+ 78 root nobody 78 Jul 23 13:17 ForMarketing
dougs@dorado:/data/ADS-New# /root/bin/reset-perms-prod-mkt-dirs.sh
dougs@dorado:/data/ADS-New# getfacl ./Artworks/
# file: ./Artworks/
# owner: root
# group: nobody
group:DSP-production:rwxpDdaARWcCos:fd:allow <-
group:DSP-production:rwxpDdaARWcCos:fd:allow <-
group:DSP-marketing:rwxpDdaARWcCos:fd:allow
owner@:rwxpDdaARWcCos:fd:allow
group@:rwxpDdaARWcCos:fd:allow
everyone@:--a-R-c--s:--:allow
dougs@dorado:/data/ADS-New# cd Artworks/
dougs@dorado:/data/ADS-New/Artworks# ll
total 4234
drwxrwx---+ 2 root nobody 2 Jul 17 12:08 Ask JoeS
drwxrwx---+ 2 root nobody 10 Jul 17 12:12 Cool - AD
d-w-rwx---+ 2 DSP-alfredo nobody 2 Aug 27 14:20 Jaye Additional Art
-rwxrwx---+ 1 root DSP-production 3770445 Mar 11 2010 comingsoonIntNepal.pdf
-rwxrwx---+ 1 root DSP-production 415338 Mar 11 2010 previewcopy.pdf
dougs@dorado:/data/ADS-New/Artworks# cd Ask\ JoeS/
dougs@dorado:/data/ADS-New/Artworks/Ask JoeS# cd ..
dougs@dorado:/data/ADS-New/Artworks# getfacl Ask\ JoeS/
# file: Ask JoeS/
# owner: root
# group: nobody
group:DSP-production:rwxpDdaARWcCos:fd:allow <-
group:DSP-marketing:rwxpDdaARWcCos:fd:allow
owner@:rwxpDdaARWcCos:fd:allow
group@:rwxpDdaARWcCos:fd:allow
everyone@:--a-R-c--s:--:allow
dougs@dorado:/data/ADS-New/Artworks#

As you can see, the ADS-New folder where I executed the script shows duplicate entries of the DSP-production group whereas the "Ask Joe" subfolder underneath the ADS-New folder shows only one DSP-production group. If I run this script on the ADS-OLD folder, I see the same effect- only the first level of subfolders get duplicate DSP-production entries while the rest of the subfolders only contain one entry of the DSP-production group.

Why is this happening? The contents of the /root/bin/reset-perms-prod-mkt-dirs.sh is as follows:

#!/bin/sh
# run this script where you wish to effect the changes
# reset perms to default
find . -type d -print0 | xargs -0 setfacl -b *
# apply perms to files
find . -type d -print0 | xargs -0 setfacl -m group@:full_set:fd:allow *
find . -type d -print0 | xargs -0 setfacl -m owner@:full_set:fd:allow *
find . -type d -print0 | xargs -0 setfacl -m g:dsp-marketing:full_set:fd:allow *
find . -type d -print0 | xargs -0 setfacl -m g:dsp-production:full_set:fd:allow *

Um? Am I missing something?

~Doug
Re: GUI for ACL
On Sat, 17 Jul 2010 18:04:56 +1000 (EST)
Ian Smith articulated:

> In freebsd-questions Digest, Vol 319, Issue 9, Message: 24
> On Fri, 16 Jul 2010 07:26:18 -0400 Jerry wrote:
> > On Fri, 16 Jul 2010 09:17:25 +0530
> > Ashish SHUKLA articulated:
> >
> > > I've not used KDE since they released KDE 4, but IIRC, KDE 3.5.x used
> > > to have ACL support integrated in it[1] by default. Are you sure there
> > > isn't any such setting you probably missing during compilation in
> > > KDE 4.x ?
> > >
> > > References:
> > > [1] http://www.flickr.com/photos/wahjava/507889368/#/
> >
> > No really. You cannot add users or change individual user's permissions
> > via KDE's default file browser. Obviously, I can accomplish most of
> > what I want to do from the command line, albeit more slowly and error
> > prone.
>
> Does that represent a regression in KDE4 from KDE3.5.x?
>
> > Having read up on a few Googled items, it appears that FreeBSD has not
> > matured sufficiently yet to allow full integration of ACLs. Supposedly,
> > 9.x will offer better integration.
>
> Integration with what? KDE?
>
> Perhaps I googled a little harder Jerry, but thanks to Robert Watson's
> TrustedBSD framework, FreeBSD has supported POSIX 1.e ACLs since 5.1 and
> NFSv4 ACLs in 8-STABLE for quite a while now; they'll be in 8.1-RELEASE
> for both UFS and ZFS filesystems.
>
> Maybe it's the predominantly Linux-centric KDE that has not yet matured
> sufficiently to include support for FreeBSD ACLs? As Carmel mentioned,
> the (as usual) excellent article by Dru Lavigne on using FreeBSD ACLs at
> http://onlamp.com/pub/a/bsd/2005/09/22/FreeBSD_Basics.html demonstrated
> using Gnome's Nautilus enhanced by the port sysutils/eiciel - in 2005.
>
> Among the many other useful results from googling 'FreeBSD ACLs':
>
> http://en.wikipedia.org/wiki/Access_control_list
> http://wiki.freebsd.org/NFSv4_ACLs
> http://wiki.freebsd.org/Releng/8.1TODO/

Per wiki: "support so called POSIX.1e ACLs, based on an early POSIX draft that was abandoned". My original statement is still valid, FreeBSD has still not released a stable version of its OS that fully supports the latest acl standards.

--
Jerry ✌
freebsd.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
__
It is hard to believe that a man is telling the truth when you know that you would lie if you were in his place.

H. L. Mencken
Re: GUI for ACL
In freebsd-questions Digest, Vol 319, Issue 9, Message: 24
On Fri, 16 Jul 2010 07:26:18 -0400 Jerry wrote:
> On Fri, 16 Jul 2010 09:17:25 +0530
> Ashish SHUKLA articulated:
>
> > I've not used KDE since they released KDE 4, but IIRC, KDE 3.5.x used to
> > have ACL support integrated in it[1] by default. Are you sure there isn't
> > any such setting you probably missing during compilation in KDE 4.x ?
> >
> > References:
> > [1] http://www.flickr.com/photos/wahjava/507889368/#/
>
> No really. You cannot add users or change individual user's permissions
> via KDE's default file browser. Obviously, I can accomplish most of
> what I want to do from the command line, albeit more slowly and error
> prone.

Does that represent a regression in KDE4 from KDE3.5.x?

> Having read up on a few Googled items, it appears that FreeBSD has not
> matured sufficiently yet to allow full integration of ACLs. Supposedly,
> 9.x will offer better integration.

Integration with what? KDE?

Perhaps I googled a little harder Jerry, but thanks to Robert Watson's TrustedBSD framework, FreeBSD has supported POSIX 1.e ACLs since 5.1 and NFSv4 ACLs in 8-STABLE for quite a while now; they'll be in 8.1-RELEASE for both UFS and ZFS filesystems.

Maybe it's the predominantly Linux-centric KDE that has not yet matured sufficiently to include support for FreeBSD ACLs? As Carmel mentioned, the (as usual) excellent article by Dru Lavigne on using FreeBSD ACLs at http://onlamp.com/pub/a/bsd/2005/09/22/FreeBSD_Basics.html demonstrated using Gnome's Nautilus enhanced by the port sysutils/eiciel - in 2005.

Among the many other useful results from googling 'FreeBSD ACLs':

http://en.wikipedia.org/wiki/Access_control_list
http://wiki.freebsd.org/NFSv4_ACLs
http://wiki.freebsd.org/Releng/8.1TODO/

cheers, Ian
Re: GUI for ACL
On Fri, 16 Jul 2010 09:17:25 +0530
Ashish SHUKLA articulated:

> I've not used KDE since they released KDE 4, but IIRC, KDE 3.5.x used to have
> ACL support integrated in it[1] by default. Are you sure there isn't any such
> setting you probably missing during compilation in KDE 4.x ?
>
> References:
> [1] http://www.flickr.com/photos/wahjava/507889368/#/

No really. You cannot add users or change individual user's permissions via KDE's default file browser. Obviously, I can accomplish most of what I want to do from the command line, albeit more slowly and error prone.

Having read up on a few Googled items, it appears that FreeBSD has not matured sufficiently yet to allow full integration of ACLs. Supposedly, 9.x will offer better integration.

--
Jerry ✌
freebsd.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
Re: GUI for ACL
Carmel writes:

> I am looking for a GUI to manage ACL's. I have heard about "Eiciel";
> however, I was told it only works with 'nautilus'. I was looking for a
> stand alone type of program if one was available. I am presently using
> KDE for a desktop if that makes any difference.

I've not used KDE since they released KDE 4, but IIRC, KDE 3.5.x used to have ACL support integrated in it[1] by default. Are you sure there isn't any such setting you probably missing during compilation in KDE 4.x ?

References:
[1] http://www.flickr.com/photos/wahjava/507889368/#/

HTH
--
Ashish SHUKLA | GPG: F682 CDCC 39DC 0FEA E116 20B6 C746 CFA9 E74F A4B0
freebsd.org!ashish | http://people.freebsd.org/~ashish/

“Digital files cannot be made uncopyable, any more than water can be made not wet.” (Bruce Schneier, 2001-05-15)
GUI for ACL
I am looking for a GUI to manage ACL's. I have heard about "Eiciel"; however, I was told it only works with 'nautilus'. I was looking for a stand alone type of program if one was available. I am presently using KDE for a desktop if that makes any difference.

--
Carmel ✌
carmel...@hotmail.com
Re: ACL
Vasadi I. Claudiu Florin wrote:
> >> Is "getfacl -d" what you are looking for?
> >
> > Maybe I didn't speak correctly. I already set the ACL (yes, setfacl -d
> > [...]) but when I do "getfacl file",

Don't do just "getfacl file", try "getfacl -d file".

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
Re: ACL
On Thu, 02 Apr 2009 11:09:16 +0300, Vasadi I. Claudiu Florin wrote:

On Thu, 02 Apr 2009 11:06:40 +0300, Victor Sudakov wrote:

Is "getfacl -d" what you are looking for?

Maybe I didn't speak correctly. I already set the ACL (yes, setfacl -d [...]) but when I do "getfacl file", there is no output that lets me see the "default" entries, like in solaris. Thus, I cannot be sure it is set; but still it works, so I can't see it, but I see its effects. bug ?

Like I said before, on solaris one has something like (notice the "default" entries):

# file: muzica
# owner: root
# group: wheel
user::rwx
user:smbadmin:rwx
user:ftpadmin:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:wheel:rwx
default:other:---

But on FreeBSD one has only (notice NO "default" entries):

# file: muzica
# owner: root
# group: wheel
user::rwx
user:smbadmin:rwx
user:ftpadmin:rwx
group::---
mask::rwx
other::---

Still, keep in mind that although no "default" entries are visible, they do their job (child folders inherit parent folder ACL)
Re: ACL
Vasadi I. Claudiu Florin wrote:
>
> Now, on FreeBSD I have no such default options, but strangely it works.
> It's good that it works, but the problem remains... how to tell, with
> details, IF a default ACL is set to a folder, AND what its values are.

Is "getfacl -d" what you are looking for?

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
ACL
Hello guyz,

I have here a little misunderstanding of something. Maybe I didn't do it correctly; anyway, it works, so that's the question.

Regarding ACL's default entry. When I specify one, it doesn't appear as one would expect. For instance, on solaris, when I set default ACL on a folder I have something like (notice the "default"):

# file: muzica
# owner: root
# group: wheel
user::rwx
user:smbadmin:rwx
user:ftpadmin:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:wheel:rwx
default:other:---

Now, on FreeBSD I have no such default options, but strangely it works. It's good that it works, but the problem remains... how to tell, with details, IF a default ACL is set to a folder, AND what its values are.
Re: ACL and ls: operation not supported
Svein Halvor Halvorsen wrote:
> Svein Halvor Halvorsen wrote:
>> I have acl support on some filesystems, and wanted to turn it on on
>> /home, too. So I ran:
>>
>> # mount -u -o acls /home
>
> Ok, I'm just being an ignorant noob, who's not able to read the
> documentation. I'm sorry for the noise, but for the record:
>
> ACLs cannot be turned on/off without a full umount/mount cycle!

Now, I'm not sure of anything. I umounted /home, ran tunefs -a enable /dev/ad2s1a (the device for /home), and then mounted /home again. mount now lists "acls" among the options for this filesystem, but I'm back with the "operation not supported" messages.

Any ideas?

sv.
Re: ACL and ls: operation not supported
Svein Halvor Halvorsen wrote:
> I have acl support on some filesystems, and wanted to turn it on on
> /home, too. So I ran:
>
> # mount -u -o acls /home

Ok, I'm just being an ignorant noob, who's not able to read the documentation. I'm sorry for the noise, but for the record:

ACLs cannot be turned on/off without a full umount/mount cycle!

Svein Halvor
ACL and ls: operation not supported
Hi,

I have acl support on some filesystems, and wanted to turn it on on /home, too. So I ran:

    # mount -u -o acls /home

Now, just "mount" listed /home as supporting acls. But now, whenever I "ls -l" on any folder on that filesystem, I get "operation not supported". It seems other file system access works as normal, though.

Svein Halvor
removing acl from a directory
Hi,

I need to remove all the acls from a directory and its files, I've done that successfully using setfacl -bn. This dir is being used by samba but because of the way it's now being used we don't need acls on it any more. The thing is every time we create a file either through samba or from a terminal it adds the acls to the file even after I removed them all.

Here is an example of what's happening:

total 2858
drwxrwx--- 6 user1 test 512B Mar 12 17:54 .svn/
drwxrwx--- 3 user1 test 512B Mar 12 17:54 branches/
drwxrwx--- 3 user1 test 512B Mar 12 17:54 tags/
r-+ 1 root test 0B Mar 12 18:50 test
drwxrwx---+ 2 user1 test 512B Mar 12 18:51 test123/
-rwxrwx---+ 1 user1 test 0B Mar 12 18:51 test123_file*
drwxrwx--- 5 user1 test 512B Mar 12 17:54 trunk/
-rw-rw 1 user1 test 2.7M Mar 12 17:43 trunk.zip

Our main problem is that if the system creates a file or folder it is just adding read permissions to the group.

Also as you can see the names with the + in them have been created after I removed all the acls. test was created by me from within a shell and test123 was done through samba.

What information do I need to share with you all to see if we can fix this?

Best regards
Reinhold
ACL mask problems
Hello,

I'm getting quite annoyed at ACLs. I don't understand why this is happening: I have a directory that gets subdirectories created by a web script, but for some reason those directories have different permissions.

Here is the parent's default ACL, which as I understand it should be what subdirectories are created with:

# getfacl -d private/logs/mail/2007
#file:private/logs/mail/2007
#owner:1005
#group:1005
user::rwx
user:www:rwx
user:rsync:rwx
group::rwx
mask::rwx
other::---

This is the ACL of a directory created by the script:

# getfacl private/logs/mail/2007/10
#file:private/logs/mail/2007/10
#owner:1005
#group:1005
user::rwx
user:www:rwx     # effective: r-x
user:rsync:rwx   # effective: r-x
group::rwx       # effective: r-x
mask::r-x
other::---

This unfortunately prevents Apache from writing its log files. Why did the mask change? I know there's some link between the mask and group permissions, or something weird like that, but I thought group being rwx and mask rwx would cause the new mask to also be rwx...maybe other is causing the issue? That seems pretty dumb to me.

I've read various pages on ACLs, including the handbook, and I haven't been able to understand this. :(

Thanks,
Josh
ACL/MAC for shared host
Hello there.

I have apache running php-cgi via fastcgi and suexec on a shared system. Each vhost has a SuexecUserGroup set to the user/group of normal system account ( which does not have shell access ) which owns the vhost.

Now. I was wondering what the best way of using MAC/ACL's to stop a uid:gid ( Suexec user/group ) from being able to run anything other than what php has to use, eg, so from php it cannot run system("ls /etc") or such like.

Anyone done this before? It seems to be that not many people seem to care about php security on a shared host.

Any comments at all would be appreciated.

Cheers,
Josh
Re: ACL: Default and other problems
On Oct 25, 2006, at 5:33 AM, Nico -telmich- Schottelius wrote:
>> This constraint makes the problem impossible to solve. Either you are interested in the impossible, or you aren't really looking to solve the problem using standard Unix mechanisms...
>
> Actually, I am really not looking for 'old Unix mechanism' to solve that issue, because I think ACLs are definitely made for this kind of problem.

OK.

> I've been using ACLs on Linux for some years now and I am really wondering why simply applying the default ACLs is such a problem in fbsd. As far as I know, ACLs are considered stable in FreeBSD, aren't they?

5.3 was the earliest stable release of 5.x; the TrustedBSD project has been importing improvements and so forth since 5.3 was released. You might want to retry your tests with FreeBSD 5.5 or 6.2 and see whether things have improved since then.

> I am really wondering who to contact for the issues I've reported on [0].
>
> Thanks for any hints,
>
> Nico
>
> [0]: http://home.schottelius.org/~nico/freebsd/acl/

You should probably use send-pr to file a bug report, and list your test-cases in it. If you can write a patch to improve or fix any misbehavior by the tools dealing with ACLs, that will help...

--
-Chuck
Re: ACL: Default and other problems
Chuck Swiger [Tue, Oct 24, 2006 at 09:21:51AM -0700]:
> [...]
> >Now I am interested on how you would solve this problem with standard
> >Unix-Ids without using external tools (like calling chown/chgrp/chmod
> >each update).
>
> This constraint makes the problem impossible to solve. Either you
> are interested in the impossible, or you aren't really looking to
> solve the problem using standard Unix mechanisms...

Actually, I am really not looking for 'old Unix mechanism' to solve that issue, because I think ACLs are definitely made for this kind of problem.

I've been using ACLs on Linux for some years now and I am really wondering why simply applying the default ACLs is such a problem in fbsd. As far as I know, ACLs are considered stable in FreeBSD, aren't they?

I am really wondering who to contact for the issues I've reported on [0].

Thanks for any hints,

Nico

[0]: http://home.schottelius.org/~nico/freebsd/acl/

--
``...if there's one thing about Linux users, they're do-ers, not whiners.''
(A quotation of Andy Patrizio I completely agree with)
Re: ACL: Default and other problems
On Oct 24, 2006, at 1:32 AM, Nico -telmich- Schottelius wrote:
> Situation:
>
> - git running on fbsd 5.3.
> - 4 people work on the same project
> - git is used over ssh (aka git+ssh://)
> - when new objects are created, they belong to the creating user
> - normal umask is 077 (we are all paranoid)
>
> We want that every newly created file and directory is modifiable by any user of the 'git' group.

Have git be setgid to this git group and call umask() to 027. Or write a trivial shell-script wrapper to reset the umask, if you want to do it that way.

> Now I am interested on how you would solve this problem with standard Unix-Ids without using external tools (like calling chown/chgrp/chmod each update).

This constraint makes the problem impossible to solve. Either you are interested in the impossible, or you aren't really looking to solve the problem using standard Unix mechanisms...

--
-Chuck
Re: ACL: Default and other problems
Wow, somebody even reads this thread!

Wojciech Puchar [Mon, Oct 23, 2006 at 07:43:47PM +0200]:
> >>posted a question about ACLs because I'm having difficulties setting up
> >>default ACLs. My question was posted 11/10 but I haven't got an answer
> >>yet.
> >
> >Looks like no one is really using ACLs (and default ACLs) on fbsd.
>
> classic unix uid/gid is simplest and enough for MOST (or every - i think)
> cases. it just needs to be used right

Situation:

- git running on fbsd 5.3.
- 4 people work on the same project
- git is used over ssh (aka git+ssh://)
- when new objects are created, they belong to the creating user
- normal umask is 077 (we are all paranoid)

We want that every newly created file and directory is modifiable by any user of the 'git' group.

Now I am interested on how you would solve this problem with standard Unix-Ids without using external tools (like calling chown/chgrp/chmod each update).

Sincerely

Nico

--
``...if there's one thing about Linux users, they're do-ers, not whiners.''
(A quotation of Andy Patrizio I completely agree with)
Re: ACL: Default and other problems
>> Looks like no one is really using ACLs (and default ACLs) on fbsd.
>
> classic unix uid/gid is simplest and enough for MOST (or every - i think) cases. it just needs to be used right

Please imagine this. We're running a web server and want each user to be able to modify/delete files created (owned) by Apache user if the file is in that particular user's home directory.

Maybe this is possible with just uid/gid if every new file created within this directory has the user's group and the permissions 664 or even 775, how would this be done (forcing new files' group identity and permissions).

Thanks,
-Patrik
Re: ACL: Default and other problems
>> posted a question about ACLs because I'm having difficulties setting up default ACLs. My question was posted 11/10 but I haven't got an answer yet.
>
> Looks like no one is really using ACLs (and default ACLs) on fbsd.

classic unix uid/gid is simplest and enough for MOST (or every - i think) cases. it just needs to be used right
Re: ACL: Default and other problems
Patrik Jansson [Thu, Oct 19, 2006 at 09:38:36AM +0200]:
> I would also like to know if there's a in-depth ACL documentation. I
> posted a question about ACLs because I'm having difficulties setting up
> default ACLs. My question was posted 11/10 but I haven't got an answer
> yet.

Looks like no one is really using ACLs (and default ACLs) on fbsd.

I am currently using some git-hooks to set the permissions on every update, but I am thinking about replacing the server with Linux using jfs or ext3 as filesystem, because those are tested and working with default ACLs. And without the need to re-add the already existent permissions.

Nico
Re: ACL: Default and other problems
> I experimented with the ACLs under fbsd 5.3 and got some problems with how freebsd calculates the permissions. I followed the instructions on [0].
>
> My aim is to install default ACLs, so a group of users (with possible broken umask) can work together on git-repositories. The idea is that the default ACL will provide ACL-based rwx access for the group 'git' (minus real permissions / mask makes rw or rwx for files, rwx for directories).
>
> I've mostly problems with default ACLs and the new permissions. I put two test-scripts to [1], plus their output (*.output) and the questions I've to the results (*.question) on a website.
>
> Any pointers on what I did wrong or in depth FreeBSD-ACL documentation are appreciated.

I would also like to know if there's a in-depth ACL documentation. I posted a question about ACLs because I'm having difficulties setting up default ACLs. My question was posted 11/10 but I haven't got an answer yet.

Cheers,
Patrik
ACL: Default and other problems
Hello!

I experimented with the ACLs under fbsd 5.3 and got some problems with how freebsd calculates the permissions. I followed the instructions on [0].

My aim is to install default ACLs, so a group of users (with possible broken umask) can work together on git-repositories. The idea is that the default ACL will provide ACL-based rwx access for the group 'git' (minus real permissions / mask makes rw or rwx for files, rwx for directories).

I've mostly problems with default ACLs and the new permissions. I put two test-scripts to [1], plus their output (*.output) and the questions I've to the results (*.question) on a website.

Any pointers on what I did wrong or in depth FreeBSD-ACL documentation are appreciated.

Sincerely

Nico

[0]: http://ezine.daemonnews.org/200310/acl.html
[1]: http://home.schottelius.org/~nico/freebsd/acl/
Solved: OpenLDAP: ACL and binddn when dn contains non-ascii chars
Erik Norgaard wrote:
> But what do I put in place of "cn="?
>
> But, what do I set as binddn? I am using the address book with
> Thunderbird and I don't know if it is smart enough to convert iso chars
> to utf-8.

Seems to have same answer, only that in slapd.conf must be written in utf-8 while thunderbird seems to convert correctly.

Now I just gotta figure out the right access controls.

Erik

--
Ph: +34.666334818 web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F0C.crt
Subject ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
Fingerprint: 7F:80:96:EA:95:92:E2:23:1F:FA:0F:98:92:C2:CC:55:6B:9A:8C:92
OpenLDAP: ACL and binddn when dn contains non-ascii chars
Hi:

I'm trying to build my address book, now since my own name contains non-ascii characters, my cn becomes

    cn:: RXJpayBOw7hyZ2FhcmQ=

I wish to restrict access so that each person can edit his own details, but not search the entire directory, something like this should do:

    # Access Control:
    access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
    access to *
        by self write
        by dn.base="cn=,ou=people,dc=domain,dc=tld" read
        by * none

But what do I put in place of "cn="?

2nd: For now, I have,

    access to *
        by self write
        by users read
        by * none

But, what do I set as binddn? I am using the address book with Thunderbird and I don't know if it is smart enough to convert iso chars to utf-8.

Thanks, Erik

--
Ph: +34.666334818 web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F0C.crt
Subject ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
Fingerprint: 7F:80:96:EA:95:92:E2:23:1F:FA:0F:98:92:C2:CC:55:6B:9A:8C:92
acl inherit and protected access control flags
Greetings People:

In setting up a Samba server w/ACL support I note the following from Samba docs regarding map acl inherit:

"This boolean parameter controls whether smbd(8) will attempt to map the 'inherit' and 'protected' access control entry flags stored in Windows ACLs into an extended attribute called user.SAMBA_PAI. This parameter only takes effect if Samba is being run on a platform that supports extended attributes (Linux and IRIX so far) and allows the Windows 2000 ACL editor to correctly use inheritance with the Samba POSIX ACL mapping code."

From what I garner from the FBSD man pages on ACL, FreeBSD does not implement the inherit and protected flags. Can someone please confirm?

Please cc as I'm not subscribed to fbsd-questions.

TIA-

--
Best regards,
Ken Gunderson

Q: Because it reverses the logical flow of conversation.
A: Why is putting a reply at the top of the message frowned upon?
Re: Samba "system error 5" even with nt acl support = no
Timothy J. Luoma wrote:
> "Microsoft network client: Send unencrypted password to third-party SMB servers"

From smb.conf

    # You may wish to use password encryption. Please read
    # ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
    # Do not enable this option unless you have read those documents
    ; encrypt passwords = yes
Re: Samba "system error 5" even with nt acl support = no
Timothy J. Luoma wrote:
> SOLVED

IMHO no!

> On the XP machine:
>
> Control Panel > Administrative Tools > Local Security Policy > Security Settings > Local Policies > Security Options
>
> Scroll to: "Microsoft network client: Send unencrypted password to third-party SMB servers"

You put this in your smb.conf

    [global]
    encrypt passwords = yes
Re: Samba "system error 5" even with nt acl support = no
SOLVED

On the XP machine:

Control Panel > Administrative Tools > Local Security Policy > Security Settings > Local Policies > Security Options

Scroll to: "Microsoft network client: Send unencrypted password to third-party SMB servers"

Double click > Enable

Reboot.

You could do the same thing in regedit, but why muck with that?
Samba "system error 5" even with nt acl support = no
OK, I had Samba working, upgraded to FreeBSD 6 (from 5.4) and mgetty stopped working, so I had to reinstall FreeBSD 5.4 again.

Now I can't get Samba (smbd Version 2.2.12, via pkg_add) working and I can't figure out what I did differently this time.

All my hosts are 192.168.x.x

My smb.conf is below. I am trying to connect to the FreeBSD machine (hostname "compaq") from a WinXP SP2 machine. I have used 'smbpasswd' to add my WinXP username.

When I try to access the machine via Windows Explorer, I get "The account is not authoritzed to log in from this station"

When I use 'net view \\compaq' I get "System error 5 has occurred Access is denied "

Googling around I found that I should add this " nt acl support = no" which I did. Didn't help.

Here is my smb.conf

    [global]
    workgroup = PRESBY
    nt acl support = no
    server string = Samba Server
    hosts allow = 192.168.1. 192.168.2. 127.
    load printers = yes
    log file = /var/log/log.%m
    max log size = 50
    security = user
    socket options = TCP_NODELAY
    dns proxy = no

    [homes]
    comment = Home Directories
    browseable = no
    writeable = yes

    [printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writeable = no
    printable = yes

Other than that, please don't assume anything. I'm no expert on samba. I can FTP to the machine, but I would prefer Samba.

Thanks for any help!

TjL
named ACL
Hi all,

Just a quick question... Will the following work for bind9:

    acl "myacl" {
        192.168.0.0/16;
    };

    view "internal" {
        match-clients { myacl; !192.168.1.1; };
    };

Basically, I'm trying to include a network into my view, except one address...

Thanks,
Chris.
Question on odd acl/permissions.
Hey all,

I'd like to make a "live" backup of a file system on a regular basis, and maintain permissions, but have such a thing be only writable by root at any given time. (i.e. I keep a backup drive unmounted, and mount it read-only when users need their data).

The thing is, I have to mount it read-write in order to create the archive. Is there any way to make a file system read-only for normal users but read-write by root? This is a local filesystem.

-Dan

--
"It doesn't matter where I live, because I live in dataspace. That's my hometown."
-Steve Roberts, Builder of BEHEMOTH

Dan Mahoney
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
Re: ACL and tunefs
Adam Stroud wrote:
> I did not try that. When I booted into single user mode again and tried
> the tunefs -a enable / I get a message saying that acl was already
> enabled. Strange.

The only hope for you is that the enable bit for acl was set, but not yet read by the system. I think you have to reboot and then you have a chance that the acl bit is set and read.

The best way is to have another freebsd system to set acl. Or to choose another slice for your acl experiment. The e-slice is easier to change, but it's your choice
Re: ACL and tunefs
I did not try that. When I booted into single user mode again and tried the tunefs -a enable / I get a message saying that acl was already enabled. Strange.

A

Kees Plonsz wrote:
> On Saturday 27 November 2004 22:58, Adam Stroud wrote:
>> I dont think the acl got enabled, here is my output from mount:
>>
>> /dev/ad0s1a on / (ufs, NFS exported, local)
>
> I guess you are right, acl is not enabled. It is a special case, I think. The a-slice gets mounted immediately after starting up the system and you cannot umount it. You have to access it through another freebsd system, let's say with the "fixit disk". Or did you already have a solution for that ?
Re: ACL and tunefs
I don't think the acl got enabled, here is my output from mount:

    /dev/ad0s1a on / (ufs, NFS exported, local)

Kees Plonsz wrote:
> Adam Stroud wrote:
>> Kees:
>>
>> You were right, I did not umount the filesystem first, I dropped into single user mode and I thought that did unmount the filesystem. When I booted the machine into single the tunefs command seemed to work OK.
>>
>> However, I still dont get a "+" when I do a long listing of a file and the handbook says I should see one. Does this mean that things did not take?
>
> Check if your acl-option is working with "mount" ( no parameters )
> It should give something like:
>
> /dev/ad1s1g on /mnt (ufs, local, soft-updates, acls)
>
> Then give the setfacl command on a file:
>
> setfacl -m u::rwx,g:mail:rw file
>
> Now you must have a + sign with the "ls -la" command.
>
> I got error messages when I disabled or enabled acl on a not-empty filesystem and made a directory listing.
Re: ACL and tunefs
Adam Stroud wrote:
> Kees:
>
> You were right, I did not umount the filesystem first, I dropped into
> single user mode and I thought that did unmount the filesystem. When I
> booted the machine into single the tunefs command seemed to work OK.
>
> However, I still dont get a "+" when I do a long listing of a file and
> the handbook says I should see one. Does this mean that things did not
> take?

Check if your acl-option is working with "mount" ( no parameters )
It should give something like:

    /dev/ad1s1g on /mnt (ufs, local, soft-updates, acls)

Then give the setfacl command on a file:

    setfacl -m u::rwx,g:mail:rw file

Now you must have a + sign with the "ls -la" command.

I got error messages when I disabled or enabled acl on a not-empty filesystem and made a directory listing.
Re: ACL and tunefs
Kees:

You were right, I did not umount the filesystem first, I dropped into single user mode and I thought that did unmount the filesystem. When I booted the machine into single the tunefs command seemed to work OK.

However, I still don't get a "+" when I do a long listing of a file and the handbook says I should see one. Does this mean that things did not take?

A

Kees Plonsz wrote:
> Adam Stroud wrote:
>> All:
>>
>> I am trying to enable ACL support of my FreeBSD 5.3 box. I drop into single user mode and run the tunefs -a enable command on my partition and get the following:
>>
>> tuenfs: ACLs set
>> tunefs: /dev/ad0s1a: failed to write superblock
>>
>> When I reboot it seems that the ACL are not set.
>>
>> Any ideas?
>
> You forgot to umount your filesystem first !
Re: ACL and tunefs
Adam Stroud wrote:
> All:
>
> I am trying to enable ACL support of my FreeBSD 5.3 box. I drop into
> single user mode and run the tunefs -a enable command on my partition
> and get the following:
>
> tuenfs: ACLs set
> tunefs: /dev/ad0s1a: failed to write superblock
>
> When I reboot it seems that the ACL are not set.
>
> Any ideas?

You forgot to umount your filesystem first !
Re: ACL and tunefs
Adam Stroud wrote:
> All:
>
> I am trying to enable ACL support of my FreeBSD 5.3 box. I drop into
> single user mode and run the tunefs -a enable command on my partition
> and get the following:
>
> tuenfs: ACLs set
> tunefs: /dev/ad0s1a: failed to write superblock
>
> When I reboot it seems that the ACL are not set.
>
> Any ideas?

Check if you really use UFS2 (run dumpfs and see 1 line)
ACL and tunefs
All:

I am trying to enable ACL support of my FreeBSD 5.3 box. I drop into single user mode and run the tunefs -a enable command on my partition and get the following:

    tuenfs: ACLs set
    tunefs: /dev/ad0s1a: failed to write superblock

When I reboot it seems that the ACL are not set.

Any ideas?

A
acl enabling
All:

I am trying to enable ACL support of my FreeBSD 5.3 box. I drop into single user mode and run the tunefs -a enable command on my partition and get the following:

    tuenfs: ACLs set
    tunefs: /dev/ad0s1a: failed to write superblock

When I reboot it seems that the ACL are not set.

Any ideas?

A
Re: Samba w/ ACL support and FreeBSD 4.10
On Mon, 18 Oct 2004, h0444lp6 wrote:
> Dear list,
>
> Compiling Samba 2.2.8a_2 on FreeBSD 4.10 I saw the option to enable ACL support for samba. But Using Samba claims:
>
> “--with-acl-support
> Includes support for Windows NT/2000/XP access control lists (ACLs). For this to work, you need to have POSIX ACL support in the host operating system. See Chapter 8 for details.”
>
> Is it possible to use samba w/ acl on FreeBSD 4.10? Do I have to add kernel options or so?

from ${PORTSDIR}/net/samba/Makefile:

    .if defined(WITH_ACL_SUPPORT)
    .if ${OSVERSION} < 500018
    BROKEN= "ACL support requires a recent FreeBSD 5.0-CURRENT"
    .else
    CONFIGURE_ARGS+= --with-acl-support
    .endif
    .endif

regards
Joerg

--
The beginning is the most important part of the work.
-Plato
Samba w/ ACL support and FreeBSD 4.10
Dear list,

Compiling Samba 2.2.8a_2 on FreeBSD 4.10 I saw the option to enable ACL support for samba. But Using Samba claims:

“--with-acl-support
Includes support for Windows NT/2000/XP access control lists (ACLs). For this to work, you need to have POSIX ACL support in the host operating system. See Chapter 8 for details.”

Is it possible to use samba w/ acl on FreeBSD 4.10? Do I have to add kernel options or so?

TIA
Re: ACL and write permission
On Mon, Oct 04, 2004 at 11:47:52AM +0500, Sergey Velikanov [UzPAK] wrote:
> Date: Mon, 4 Oct 2004 11:47:52 +0500
> From: "Sergey Velikanov [UzPAK]" <[EMAIL PROTECTED]>
> To: freebsd-questions <[EMAIL PROTECTED]>
> Subject: ACL and write permission
>
> Hi again
>
> I can't add write permission via ACL
>
> mkdir /dir/docs
> chown user:user /dir/docs
> setfacl -n -dm u::rwx,g::rx,o::,u:user2:rwx,m::rwx /dir/docs
> setfacl -m u:user2:rwx /dir/docs
> chmod 750 /dir/docs
>
> I create file in /dir/docs, but user2 have only read permission,

That's because when a new file is created, its permissions are taken from the directory's default ACL, and then they are masked with the umask. The entries that are masked are u::, m:: and o::, so if you have umask 022 (which is the default) the file's ACL mask entry is set to "r". Robert Watson has a plan for the ACL mask to override the umask, but he hasn't realized that yet.

> getfacl says that #effective rights r--, how should i set ACL to /dir/docs if I want give write permission to user2
>
> Sergey Velikanov
> Technical Division
> National Data Network "UzPAK"
> tel +(99871) 114-6326
> e-mail: [EMAIL PROTECTED]
> http://www.uzpak.uz/

--
Dancho Penev
Home page: http://www.mnet.bg/~dpenev
GnuGP public key: http://www.mnet.bg/~dpenev/gnupg.asc
Key fingerprint: E88D 8B7B 3EF6 E9C8 C5D2 7554 2AA8 C347 71A1 4277
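The inheritance rule stated in the reply above, as an added Python model that is not part of the original thread and is not FreeBSD source code. It reproduces the mask::r-x directory from the "private/logs/mail/2007" post and the r-- effective rights reported here; the creation modes 0777 (mkdir) and 0666 (file) and the umask 022 for the web script are assumptions.

```python
"""Added model: ACL of a newly created object, derived from the parent's
default ACL as the reply above describes (user::, mask:: and other:: are
intersected with the creation mode after the umask has been applied)."""

R, W, X = 4, 2, 1
TAGS = {"u": "user", "g": "group", "o": "other", "m": "mask"}

# Default ACLs quoted on this page.
LOGS_DEFAULT = "user::rwx,user:www:rwx,user:rsync:rwx,group::rwx,mask::rwx,other::---"
DOCS_DEFAULT = "u::rwx,g::rx,o::,u:user2:rwx,m::rwx"


def parse_perm(text):
    """'r-x' or 'rx' -> 5; an empty field (as in 'o::') -> 0."""
    return sum(bit for ch, bit in zip("rwx", (R, W, X)) if ch in text)


def fmt_perm(bits):
    return "".join(ch if bits & bit else "-" for ch, bit in zip("rwx", (R, W, X)))


def parse_acl(spec):
    """Parse a setfacl-style entry list into {(tag, qualifier): bits}."""
    acl = {}
    for entry in spec.split(","):
        tag, qualifier, perm = entry.strip().split(":")
        acl[(TAGS.get(tag, tag), qualifier)] = parse_perm(perm)
    return acl


def inherit(default_acl, create_mode, umask):
    """Return the access ACL a new file or directory receives."""
    mode = create_mode & ~umask & 0o777
    limits = {("user", ""): (mode >> 6) & 7, ("other", ""): mode & 7}
    # The group bits of the mode limit mask:: when present, else group::.
    group_key = ("mask", "") if ("mask", "") in default_acl else ("group", "")
    limits[group_key] = (mode >> 3) & 7
    return {key: bits & limits.get(key, 7) for key, bits in default_acl.items()}


def effective(acl):
    """Named users, group:: and named groups are limited by mask::."""
    mask = acl.get(("mask", ""), 7)
    rights = {}
    for (tag, qualifier), bits in acl.items():
        if tag == "mask":
            continue
        in_group_class = tag == "group" or (tag == "user" and qualifier != "")
        rights[(tag, qualifier)] = bits & mask if in_group_class else bits
    return rights


def describe(acl):
    """Render an ACL with effective rights, getfacl-style."""
    eff = effective(acl)
    lines = []
    for (tag, qualifier), bits in acl.items():
        line = f"{tag}:{qualifier}:{fmt_perm(bits)}"
        if (tag, qualifier) in eff and eff[(tag, qualifier)] != bits:
            line += f"\t# effective: {fmt_perm(eff[(tag, qualifier)])}"
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    print("mkdir(0777) with umask 022 under private/logs/mail/2007:")
    print(describe(inherit(parse_acl(LOGS_DEFAULT), 0o777, 0o022)))
    print("\nopen(..., 0666) with umask 022 under /dir/docs:")
    print(describe(inherit(parse_acl(DOCS_DEFAULT), 0o666, 0o022)))
```

Under this model a umask of 002 in the creating process leaves mask:: at rw- for new files in /dir/docs, while other:: stays empty because the default ACL grants it nothing.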
ACL and write permission
Hi again

I can't add write permission via ACL

    mkdir /dir/docs
    chown user:user /dir/docs
    setfacl -n -dm u::rwx,g::rx,o::,u:user2:rwx,m::rwx /dir/docs
    setfacl -m u:user2:rwx /dir/docs
    chmod 750 /dir/docs

I create file in /dir/docs, but user2 have only read permission, getfacl says that #effective rights r--, how should i set ACL to /dir/docs if I want give write permission to user2

Sergey Velikanov
Technical Division
National Data Network "UzPAK"
tel +(99871) 114-6326
e-mail: [EMAIL PROTECTED]
http://www.uzpak.uz/
Smarter ACL
Hi,

is there a way to make ACL smarter about mkdir? When I set the default on a directory, it works fine and the files in it get the right perms. But the subdirectories don't get their execution perms. So those dirs are unusable.

My standard commands for user's web roots (Apache running under www:www):

    setfacl -d -m u::rw-,g::r--,o::---,g:www:r--,g:staff:r--,g:wheel:rw- www/
    setfacl -m u::rwx,g::r-x,o::---,g:www:r-x,g:staff:r-x,g:wheel:rwx www/
    setfacl -m u::rw-,g::r--,o::---,g:www:r--,g:staff:r--,g:wheel:rw- www/*
    setfacl -m u::rw-,g::r--,o::---,g:www:r--,g:staff:r--,g:wheel:rw- www/.ht*

DrVince
Re: [Exim] Re: exiscan-acl-4.31-16.patch.bz2
On Fri, Apr 02, 2004 at 04:06:41PM +0200, Nico Erfurth wrote:
> Ceri Davies wrote:
>
> >>I am trying to install the latest exim, but I can't find
> >>exiscan-acl-4.31-16.patch.bz2 on any of the mirrors, anyone know where I
> >>can download it from?
> >
> >http://submonkey.net/files/ for a limited time (a week or so).
>
> Why not from http://duncanthrax.net/exiscan-acl/?

I don't know - I assume Wayne had tried that.

Ceri
Re: [Exim] Re: exiscan-acl-4.31-16.patch.bz2
Ceri Davies wrote:
>> I am trying to install the latest exim, but I can't find exiscan-acl-4.31-16.patch.bz2 on any of the mirrors, anyone know where I can download it from?
>
> http://submonkey.net/files/ for a limited time (a week or so).

Why not from http://duncanthrax.net/exiscan-acl/?

Nico
Re: exiscan-acl-4.31-16.patch.bz2
On Thu, Apr 01, 2004 at 09:38:57PM +0200, Wayne Swart wrote:
> Hello guys
>
> I am trying to install the latest exim, but I can't find
> exiscan-acl-4.31-16.patch.bz2 on any of the mirrors, anyone know where I
> can download it from?

http://submonkey.net/files/ for a limited time (a week or so).

Ceri
Re: [Exim] exiscan-acl-4.31-16.patch.bz2
On Thu, Apr 01, 2004 at 09:38:57PM +0200, Wayne Swart <[EMAIL PROTECTED]> is thought to have said:
> I am trying to install the latest exim, but I can't find
> exiscan-acl-4.31-16.patch.bz2 on any of the mirrors, anyone know where I
> can download it from?

It is not part of exim. See http://duncanthrax.net/exiscan-acl/

--
Tabor J. Wells [EMAIL PROTECTED]
Fsck It! Just another victim of the ambient morality
exiscan-acl-4.31-16.patch.bz2
Hello guys

I am trying to install the latest exim, but I can't find exiscan-acl-4.31-16.patch.bz2 on any of the mirrors, anyone know where I can download it from?

Thanks
Wayne

In a world with no boundaries, Who Needs Gates?
Re: ACL mask changing group perms
On Thu, Feb 05, 2004 at 10:24:40AM -0700, Jerad Hampton wrote:
> Is anyone using acls on their file system?
>
> When I change an acl it also sets the unix g permissions the same as the mask
>
> orca# ll
> total 4
> -rw-r-x---+ 1 root users 68 Feb 5 09:58 index.html
> orca# getfacl index.html
> #file:index.html
> #owner:0
> #group:1000
> user::rw-
> user:nobody:r-x
> group::---
> mask::r-x
> other::---
> orca# setfacl -m u:nobody:rwx index.html
> orca# ll
> total 4
> -rw-rwx---+ 1 root users 68 Feb 5 10:24 index.html
> orca# getfacl index.html
> #file:index.html
> #owner:0
> #group:1000
> user::rw-
> user:nobody:rwx
> group::---
> mask::rwx
> other::---
> orca#
>
> I don't think this is normal behavior. Any suggestions?

It's how it works according to spec. Use the -n switch to prevent recalculating the mask. You may want to read: http://ezine.daemonnews.org/200310/acl.html

greg

--
Grzegorz Czaplinski
"The Power to Serve, Right for the Power Users!" - http://www.FreeBSD.org/
Fingerprint: EB77 E19D CFA2 5736 810F 847C A70F A275 2489 469F
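The mask recalculation discussed in this exchange, as an added Python model that is not part of the original thread and is not setfacl's own code. It starts from the getfacl output quoted above and applies the same `setfacl -m u:nobody:rwx` change with and without -n; the function names are hypothetical.

```python
"""Added model of `setfacl -m`: unless -n is given, mask:: is recalculated
as the union of the group class (named users, group::, named groups), and
`ls -l` shows mask:: in the middle permission triplet."""

BITS = {"r": 4, "w": 2, "x": 1}
TAGS = {"u": "user", "g": "group", "o": "other", "m": "mask"}

# getfacl output quoted in the post above, before the change.
BEFORE = """\
#file:index.html
#owner:0
#group:1000
user::rw-
user:nobody:r-x
group::---
mask::r-x
other::---
"""


def to_bits(perm):
    return sum(BITS[c] for c in perm if c in BITS)


def to_str(bits):
    return "".join(c if bits & b else "-" for c, b in BITS.items())


def parse_getfacl(text):
    """getfacl output -> {'tag:qualifier': bits}; comments are dropped."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tag, qualifier, perm = line.split(":")
            acl[f"{tag}:{qualifier}"] = to_bits(perm)
    return acl


def in_group_class(key):
    tag, qualifier = key.split(":")
    return tag == "group" or (tag == "user" and qualifier != "")


def calc_mask(acl):
    """Union of every entry that the mask limits."""
    mask = 0
    for key, bits in acl.items():
        if in_group_class(key):
            mask |= bits
    return mask


def setfacl_modify(acl, entry, no_recalc=False):
    """Model of `setfacl -m entry`; no_recalc=True models the -n switch."""
    tag, qualifier, perm = entry.split(":")
    new = dict(acl)
    new[f"{TAGS.get(tag, tag)}:{qualifier}"] = to_bits(perm)
    if not no_recalc:
        new["mask:"] = calc_mask(new)
    return new


def ls_mode(acl):
    """Mode string as `ls -l` prints it for a file with an extended ACL."""
    middle = acl.get("mask:", acl["group:"])
    return "-" + to_str(acl["user:"]) + to_str(middle) + to_str(acl["other:"]) + "+"


def effective(acl, key):
    """Rights an entry really grants once mask:: has been applied."""
    bits = acl[key]
    return to_str(bits & acl.get("mask:", 7) if in_group_class(key) else bits)


if __name__ == "__main__":
    acl = parse_getfacl(BEFORE)
    for label, flag in (("setfacl -m", False), ("setfacl -n -m", True)):
        new = setfacl_modify(acl, "u:nobody:rwx", no_recalc=flag)
        print(label, ls_mode(new),
              "nobody:", effective(new, "user:nobody"),
              "owning group:", effective(new, "group:"))
```

The rwx in the middle triplet after the change is the mask, not a grant to the owning group: group:: is still --- in both runs.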
ACL mask changing group perms
Is anyone using acls on their file system?

When I change an acl it also sets the unix g permissions the same as the mask

    orca# ll
    total 4
    -rw-r-x---+ 1 root users 68 Feb 5 09:58 index.html
    orca# getfacl index.html
    #file:index.html
    #owner:0
    #group:1000
    user::rw-
    user:nobody:r-x
    group::---
    mask::r-x
    other::---
    orca# setfacl -m u:nobody:rwx index.html
    orca# ll
    total 4
    -rw-rwx---+ 1 root users 68 Feb 5 10:24 index.html
    orca# getfacl index.html
    #file:index.html
    #owner:0
    #group:1000
    user::rw-
    user:nobody:rwx
    group::---
    mask::rwx
    other::---
    orca#

I don't think this is normal behavior. Any suggestions?

Thanks

Jerad Hampton
Network Administrator
The King's University College
UFS2 ACL problems on root (boot) partition
Trying to get ACLs to work on UFS2, and I'm having some trouble getting it to work on my root partition. Here's the symptom:

    # setfacl -m user:nobody:rwx /testacl
    setfacl: acl_get_file() failed: Operation not supported
    # setfacl -m user:nobody:rwx /usr/testacl
    #

Here's some relevant information about the disks:

    # dumpfs / | head -n 1
    magic 19540119 (UFS2) timeSun Feb 1 07:43:56 2004
    # dumpfs /usr | head -n 1
    magic 19540119 (UFS2) timeSun Feb 1 07:44:24 2004
    # tunefs -p /
    tunefs: ACLs: (-a) enabled
    tunefs: MAC multilabel: (-l) disabled
    tunefs: soft updates: (-n) disabled
    tunefs: maximum blocks per file in a cylinder group: (-e) 2048
    tunefs: average file size: (-f)16384
    tunefs: average number of files in a directory: (-s) 64
    tunefs: minimum percentage of free space: (-m) 8%
    tunefs: optimization preference: (-o) time
    tunefs: volume label: (-L)
    # tunefs -p /usr
    tunefs: ACLs: (-a) enabled
    tunefs: MAC multilabel: (-l) disabled
    tunefs: soft updates: (-n) enabled
    tunefs: maximum blocks per file in a cylinder group: (-e) 2048
    tunefs: average file size: (-f)16384
    tunefs: average number of files in a directory: (-s) 64
    tunefs: minimum percentage of free space: (-m) 8%
    tunefs: optimization preference: (-o) time
    tunefs: volume label: (-L)
    #

I have rebooted after enabling -a, and all commands are being run as root on files owned by root. Of course USER_ACL is enabled in

Anyone have any ideas?

Thanks,
-Matthew Bertrand
Re: Default ACL entries.
On Sat, Aug 02, 2003 at 06:37:24PM +0200, Grzegorz Czaplinski wrote:
> Date: Sat, 2 Aug 2003 18:37:24 +0200
> From: Grzegorz Czaplinski <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Default ACL entries.
>
> Hi there!
>
> Does anyone know how to set default ACL entries? Any examples how to use -d, -k, -X switches with setfacl?

    # setfacl -dm u::rwx,u:nobody:rwx,m::rwx,g::rx,o::rx /foo

There are three required ACL entries: u::,g::,o::, that unlike file acls don't exist when you set default acl for the first time, so don't forget to set them. (BTW I have a patch for setfacl somewhere that checks default acl for missing entries)

    # setfacl -k /foo

This will remove default acl for "foo" directory.

    # setfacl -dX acls /foo

Where "acls" file contains entries like these:

    u:nobody:rwx
    g:somegroup:rx

> This is all different to Solaris... ;)
>
> Thanks,
> gregory
> --
> Grzegorz Czaplinski "The Power to Serve, Right for the Power Users!" - http://www.FreeBSD.org/
> Fingerprint: EB77 E19D CFA2 5736 810F 847C A70F A275 2489 469F

--
Dancho Penev
Re: Need Access Control List(ACL) or any kind of substitute for it
On Sat, Aug 02, 2003 at 08:56:05PM -0700, dt wrote:
> I recently was able to find a web-hosting company that runs FreeBSD. The
> service, I signed up for, allows me to have a SSH access including
> series of other services, such as CGI-BIN, Tomcat. On the same machine
> that my domain is hosted, there are many other accounts; it's not a
> virtual hosting, where I have a root access to my machine.
>
> On the first day, I discovered that I had to make my files publicly
> available so that Apache could pick up my scripts and run them, which I
> definitely thought it was not good idea. The only security measures this
> company took was that you could not 'ls' up to other people's account,
> but I know that if you know the directory structure you can open
> anyone's script and look into the content which could reveal a password
> and the logic of their code. On top of that, locate-database has all the
> directory structure, which is available to anybody.

One file permission security model for shared hosting is as follows:

Every untrusted user (is there any other!) is added to a common group - say 'users'. Importantly, the user that the webserver runs as - say 'www' - is NOT a member of the 'users' group.

The hosting company would then make sure that group permissions on the home directory of each user - say /home/bob for user 'bob' - are set to 705 recursively. This means:

- user bob has read write and execute perms on /home/bob as you would expect
- anyone in the 'users' group - ie all untrusted users - do NOT have read, write or execute perms on /home/bob and so cannot get a listing of any files under /home/bob
- the 'www' user however does have read and execute access to files in bob's public html directory, say /home/bob/public_html and so the webserver can serve up those files as needed.

This is a very over-simplified description - there are often log directories or ftp directories or mail directories whose permissions are set to accommodate those services.

CGI scripting also complicates matters. With the above model all a malicious (or otherwise) user would have to do to access files in other home directories would be to create a script to display all 'interesting' files in other users' home directories. Something as simple as: for example in PHP would be a start to working out where juicy configuration files that might contain user/password pairs live.

If there are no extra httpd side precautions in place, the above security model is pretty useless, since the www user has read/execute access to all /home/user directories and so can execute an operation like the find command above with impunity.

Precautions against this type of action commonly include running CGI scripts under the effective user id (EUID) of the owner of the script and in a similar way with PHP, checking that the owner/group of the target files match that of the script being run (using open_basedir and safe_mode amongst other PHP config options).

Some things to check then: try running the pwd command - if you see something like /home/user/foo/bar then you're not chrooted. Also try running the id command. See what group(s) you're in and then try 'ls -ld ~' to see what the file permissions are on your home directory. It might be the case your provider is implementing something along the lines of the above.

--
Jez
http://www.munk.nu/
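The 705 model described in the message above, as an added example that is not part of the original post: a Python model of the classic UNIX class selection (owner, then group, then other, first match only) and a check of one home directory against the model's goals. The uids, gids and account names are constructed, and it assumes each home directory is group-owned by the common 'users' group.

```python
# Added example: classic UNIX permission check applied to the 705 hosting model.
# All uids, gids and account names below are constructed for the illustration.

def select_class(st_uid, st_gid, uid, gids):
    """Pick the one permission class that applies; the first match wins."""
    if uid == st_uid:
        return "owner"
    if st_gid in gids:
        return "group"   # a group member never falls through to "other"
    return "other"

def allowed(mode, st_uid, st_gid, uid, gids, want):
    """want is a bitmask: 4 = read, 2 = write, 1 = execute/search."""
    shift = {"owner": 6, "group": 3, "other": 0}[select_class(st_uid, st_gid, uid, gids)]
    return ((mode >> shift) & want) == want

USERS_GID = 100
TENANTS = {"bob": {"uid": 1001, "gids": {USERS_GID}},
           "alice": {"uid": 1002, "gids": {USERS_GID}}}
WWW = {"uid": 80, "gids": {80}}          # web server user, NOT in 'users'

def audit_home(mode, st_uid, st_gid, web=WWW, tenants=TENANTS):
    """Return the ways one home directory violates the model's goals."""
    problems = []
    if not allowed(mode, st_uid, st_gid, web["uid"], web["gids"], 5):
        problems.append("web server cannot read/search")
    for name, t in sorted(tenants.items()):
        if t["uid"] != st_uid and allowed(mode, st_uid, st_gid, t["uid"], t["gids"], 4):
            problems.append(f"{name} can list the directory")
    return problems

if __name__ == "__main__":
    bob = TENANTS["bob"]["uid"]
    for label, mode, gid in [("705, group users", 0o705, USERS_GID),
                             ("755, group users", 0o755, USERS_GID),
                             ("705, private group", 0o705, 1001)]:
        print(label, "->", audit_home(mode, bob, gid) or "ok")
```

The check covers direct access by other accounts only; a script executed by the web server runs with the 'www' user's rights, which is the weakness the message goes on to describe.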
Re: Need Access Control List(ACL) or any kind of substitute for it
in message <[EMAIL PROTECTED]>, wrote dt thusly...
>
> I recently was able to find a web-hosting company that runs
> FreeBSD ... it's not a virtual hosting, where I have a root
> access to my machine.

So you are on a shared server (as opposed to single/dedicated one)...

> The only security measures this company took was that you could
> not 'ls' up to other people's account

Could it be that you are in a jail and/or is the default umask, thus default permissions, rather restrictive (say 077, than open 022)?

> I know that if you know the directory structure you can open
> anyone's script and look into the content which could reveal
> a password and the logic of their code.

Who would store a password in the code if security is of any concern? Otherwise, what is wrong w/ otherwise public files to be available to your fellow hostmates? BTW (re-)read chmod(1) if you have not already.

> On top of that, locate-database has all the directory structure,
> which is available to anybody.

According to locate(1) (4.8-Release), it does not create entries for files that are publicly unreadable.

> So, a couple of things I tried to do, which weren't successful. I took
> away permission from others by chmod 740.

(OP was unable to change membership wrt 'nobody' group.)

> The only solution I see is ask their admin to put nobody user to
> my group. Or to have some sort of ACL, so I can explicitly grant
> permission to nobody user.

It seems from your actions that you think you have powers to change groups willy-nilly. And i do not think that the hosting company would add nobody user to your group. Why? See above.

I think there is something missing from my response; somebody will fill in that i am sure.

- Parv
--
A programmer, budding Unix system administrator, and amateur photographer seeks employment: http://www103.pair.com/parv/work/
Need Access Control List(ACL) or any kind of substitute for it
Hello,

I recently was able to find a web-hosting company that runs FreeBSD. The service, I signed up for, allows me to have a SSH access including series of other services, such as CGI-BIN, Tomcat. On the same machine that my domain is hosted, there are many other accounts; it's not a virtual hosting, where I have a root access to my machine.

On the first day, I discovered that I had to make my files publicly available so that Apache could pick up my scripts and run them, which I definitely thought it was not good idea. The only security measures this company took was that you could not 'ls' up to other people's account, but I know that if you know the directory structure you can open anyone's script and look into the content which could reveal a password and the logic of their code. On top of that, locate-database has all the directory structure, which is available to anybody.

So, a couple of things I tried to do, which weren't successful. I took away permission from others by chmod 740. And also, to grant apache only, I tried to chown to nobody group (apache is running under this group) which I could not do because I was not part of nobody group. I tried to put nobody user under my group, I was not able to.

The only solution I see is ask their admin to put nobody user to my group. Or to have some sort of ACL, so I can explicitly grant permission to nobody user.

Please help. Is there any tool that allows me to overcome this obstacle?

I will not reveal any information about this company, for obvious reasons, except that they're running: "FreeBSD 4.7-RELEASE". Eventually, I am planning to tell them to fix their security problem, but I need to make a research before I do this, which I'm doing by asking your expertise.

Thank you,
DT.
Default ACL entries.
Hi there!

Does anyone know how to set default ACL entries? Any examples how to use -d, -k, -X switches with setfacl?

This is all different to Solaris... ;)

Thanks,
gregory
--
Grzegorz Czaplinski "The Power to Serve, Right for the Power Users!" - http://www.FreeBSD.org/
Fingerprint: EB77 E19D CFA2 5736 810F 847C A70F A275 2489 469F
Re: How to enable ACL support in 5.0?
On Mon, Mar 10, 2003 at 01:48:23PM +0100, Gabriel Ambuehl wrote:
> Date: Mon, 10 Mar 2003 13:48:23 +0100
> From: Gabriel Ambuehl <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: How to enable ACL support in 5.0?
>
> Hello,
> I might appear stupid or not having read the manual, but whatever I try, I can't get setfacl to work (keeps failing: setfacl: acl_get_file() failed: Operation not supported). I read the manual and it says I should add acls as option to fstab which I did:
>
> /dev/ad7s1g /home ufs rw,acls 2 2

What version is this filesystem: UFS1 or UFS2? UFS2 has full support for acls but with UFS1 you must enable extended attributes. If you have kernel source files I'll suggest you to read /usr/src/sys/ufs/ufs/README.acls.

> or use tunefs to set the flag statically in the superblock but tunefs man page knows nothing at all about ACL.

From tunefs man page:

    -a enable | disable
        Turn on/off the administrative ACL enable flag.

> So what do I need to do to get ACLs to work? Also, I was wondering when to use ugidfw (more exotic stuff, I presume) and when just basic ACLs. I think the whole ACL stuff could use some more docs, anyway. For most users, this could be the single most visible change to the system (SMPng etc are mostly under the hood so that's not as obvious to most).
>
> I'd appreciate any comments or pointers on this issue.
>
> TIA & regards,
> Gabriel

--
Regards,
Dancho Penev

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message
How to enable ACL support in 5.0?
Hello,

I might appear stupid or not having read the manual, but whatever I try, I can't get setfacl to work (keeps failing: setfacl: acl_get_file() failed: Operation not supported). I read the manual and it says I should add acls as option to fstab which I did:

    /dev/ad7s1g /home ufs rw,acls 2 2

or use tunefs to set the flag statically in the superblock but tunefs man page knows nothing at all about ACL.

So what do I need to do to get ACLs to work? Also, I was wondering when to use ugidfw (more exotic stuff, I presume) and when just basic ACLs. I think the whole ACL stuff could use some more docs, anyway. For most users, this could be the single most visible change to the system (SMPng etc are mostly under the hood so that's not as obvious to most).

I'd appreciate any comments or pointers on this issue.

TIA & regards,
Gabriel