Hello all,

I want to share my experience on setting up ACLs for a Windows XP client.

The goal I had was to have protection for the files from a 'delete by 
mistake'. 
While trying to achieve the goal I've noticed the following:

1. read_set is not essential for a share to be available for a Windows client.
It seems that Windows requires execute privilege on the share root.

2. With delete globally denied, the user cannot create a file in Explorer 
(sic!)
It looks like Explorer creates 'New Folder' and then deletes it when the user 
gives it a meaningful name.

3. Also, as a short experience has shown, deleting is indeed needed to fix 
'create/copy by mistake' files/folders.

At one moment I even thought that the goal is not reachable due to conflicting 
requirements.

That's how I think I can solve it: 
- allow deleting by inheritance and 
- deny deleting explicitly with no inheritance
- execute the script setting ACL on a weekly basis

This makes newly created files deletable, and freezes the existing ones.

Here is a short script which I made to manage my shares:

#!/bin/sh
# Policy statements
# admin - allow full control on the shares
# media - allow read/write/delete on backup; allow read/write, deny delete on
#         archive, install, media
# everyone - allow read

# Print the ACL specification for one share. The optional argument ($1) is an
# extra ACE placed right after the owner entry (used below for an explicit,
# non-inherited delete deny); every other entry carries the fd flags
# (file_inherit + dir_inherit) so newly created files and folders inherit it.
policy()
{
echo \
owner@:read_set:fd:allow,\
${1}\
user:media:modify_set:fd:allow,\
user:admin:full_set:fd:allow,\
user:root:full_set:fd:allow,\
everyone@:read_set:fd:allow
}

# Replace the whole ACL (A=) recursively on every existing file and directory:
# everyone read, media modify, admin and root full control.
# On archive, install and media the extra ACE denies delete (d) and
# delete_child (D) to media; it has no inheritance flags, so files created
# later do not receive the deny and stay deletable.
chmod -R A=`policy user:media:dD:deny,` /tank/archive
chmod -R A=`policy user:media:dD:deny,` /tank/install
chmod -R A=`policy user:media:dD:deny,` /tank/media
# allow deleting from backup (no deny ACE)
chmod -R A=`policy` /tank/backup

# Allow shares to be accessible from Windows: prepend (A+) an execute ACE
# for media on each share root, which the Windows client requires.
chmod A+user:media:x:allow /tank/archive
chmod A+user:media:x:allow /tank/install
chmod A+user:media:x:allow /tank/media
chmod A+user:media:x:allow /tank/backup
-- 
This message posted from opensolaris.org
_______________________________________________
storage-discuss mailing list
storage-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/storage-discuss
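Added example, not part of the post above or of the poster's script: a small Python model of how NFSv4/ZFS ACLs are evaluated and inherited, used to check the claim that an inherited allow plus a non-inherited deny freezes existing files while leaving newly created ones deletable (and why a deny that also inherits breaks Explorer's "New Folder" rename). Python rather than sh because the chmod A= calls only run on a Solaris host; the ACE syntax is the compact form the script uses. The principal names, the assumption that the user media is not the file owner, the sample ACLs and the simplified delete rule (the write+execute fallback that ZFS applies when neither ACL mentions delete is left out) are constructed for the example, and only the f and d inheritance flags are modelled.

```python
# Added example (not from the post): model of NFSv4/ZFS ACL evaluation and
# inheritance in the compact form used by Solaris chmod (e.g. user:media:dD:deny).
from dataclasses import dataclass

# Compact-form permission letters and the named sets Solaris chmod accepts.
ALL_PERMS = set("rwxpdDaARWcCos")
PERM_SETS = {
    "read_set": set("raRc"),              # read_data, read_attributes, read_xattr, read_acl
    "write_set": set("wpAW"),             # write_data, append_data, write_attributes, write_xattr
    "modify_set": ALL_PERMS - set("Co"),  # everything except write_acl and write_owner
    "full_set": ALL_PERMS,
}


@dataclass(frozen=True)
class Ace:
    who: str          # "owner@", "group@", "everyone@", "user:NAME" or "group:NAME"
    perms: frozenset  # compact permission letters
    kind: str         # "allow" or "deny"
    flags: frozenset  # inheritance flags; only "f" and "d" are modelled here


@dataclass(frozen=True)
class Principal:
    user: str                          # constructed names, e.g. "media"
    groups: frozenset = frozenset()
    is_owner: bool = False             # assumption: media does not own the files


def parse_ace(text):
    """Parse one ACE such as 'user:media:dD:deny' or 'owner@:read_set:fd:allow'."""
    parts = text.split(":")
    if parts[0] in ("user", "group"):
        who, rest = parts[0] + ":" + parts[1], parts[2:]
    else:
        who, rest = parts[0], parts[1:]
    if len(rest) == 2:                 # perms:type, no inheritance flags
        perms, flags, kind = rest[0], "", rest[1]
    elif len(rest) == 3:               # perms:flags:type
        perms, flags, kind = rest
    else:
        raise ValueError("malformed ACE: " + text)
    if kind not in ("allow", "deny"):
        raise ValueError("unknown ACE type in: " + text)
    bits = PERM_SETS.get(perms, set(perms))
    if not bits <= ALL_PERMS:
        raise ValueError("unknown permission letters in: " + text)
    return Ace(who, frozenset(bits), kind, frozenset(flags))


def parse_acl(spec):
    """Parse a comma-separated ACL spec like the one the post's policy() prints."""
    return [parse_ace(t) for t in spec.split(",") if t]


def ace_matches(ace, p):
    if ace.who == "everyone@":
        return True
    if ace.who == "owner@":
        return p.is_owner
    if ace.who.startswith("user:"):
        return ace.who[5:] == p.user
    if ace.who.startswith("group:"):
        return ace.who[6:] in p.groups
    return False                       # group@ (owning group) is not modelled


def decide(acl, p, bit):
    """NFSv4 order matters: the first matching ACE that mentions the bit decides it."""
    for ace in acl:
        if ace_matches(ace, p) and bit in ace.perms:
            return ace.kind
    return None                        # unspecified


def access(acl, p, requested):
    """Granted only if every requested bit is decided 'allow'."""
    return all(decide(acl, p, b) == "allow" for b in requested)


def can_delete(parent_acl, target_acl, p):
    """Deleting needs delete (d) on the object or delete_child (D) on its parent.
    Simplification: ZFS's fallback to write+execute on the parent when neither ACL
    mentions delete is not modelled; anything not allowed here is refused."""
    return decide(target_acl, p, "d") == "allow" or decide(parent_acl, p, "D") == "allow"


def inherit(acl, new_is_dir):
    """ACL a new child receives: only ACEs flagged f (files) or d (directories) are
    passed on; an ACE without flags, like the explicit delete deny, is not."""
    want = "d" if new_is_dir else "f"
    return [ace for ace in acl if want in ace.flags]


def policy(extra=""):
    """Same ACL as the post's policy() shell function, with the optional extra ACE."""
    return parse_acl("owner@:read_set:fd:allow," + extra +
                     "user:media:modify_set:fd:allow,user:admin:full_set:fd:allow,"
                     "user:root:full_set:fd:allow,everyone@:read_set:fd:allow")


def demo():
    """Constructed scenario: a share after 'chmod -R A=`policy user:media:dD:deny,`'."""
    media = Principal("media")
    frozen = policy("user:media:dD:deny,")         # existing dirs/files after chmod -R
    new_folder = inherit(frozen, new_is_dir=True)  # Explorer's "New Folder" created later
    sticky = policy("user:media:dD:fd:deny,")      # naive variant: the deny inherits too
    return {
        "write existing": access(frozen, media, "w"),
        "delete existing": can_delete(frozen, frozen, media),
        "delete new folder": can_delete(frozen, new_folder, media),
        "delete new folder (inherited deny)": can_delete(sticky, inherit(sticky, True), media),
        "everyone writes": access(frozen, Principal("guest"), "w"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

With the explicit deny carrying no inheritance flags, `delete existing` comes out denied and `delete new folder` allowed, which is the behaviour the post relies on; with `dD:fd:deny` the new folder is also frozen, so Explorer's create-then-delete step fails as described in point 2. Because `decide` stops at the first matching ACE, placing the deny before the inheritable `modify_set` allow is what makes it effective.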