Hello all, I want to share my experience on setting up ACLs for a Windows XP client.

The goal I had is to have protection for the files from a 'delete by mistake'. While trying to achieve the goal I've noticed the following:

1. read_set is not essential for a share to be available for a Windows client. It seems that Windows requires execute privilege on the share root.
2. With delete globally denied, the user can not create a file in Explorer (sic!). It looks like Explorer creates 'New Folder' and then deletes it when the user gives it a meaningful name.
3. Also, as a short experience has shown, deleting is indeed needed to fix 'create/copy by mistake' files/folders.

At one moment I even thought that the goal is not reachable due to conflicting requirements. That's how I think I can solve it:

- allow deleting by inheritance and
- deny deleting explicitly with no inheritance
- execute the script setting the ACL on a weekly basis

This makes newly created files deletable, and freezes the existing ones.

Here is a short script which I made to manage my shares:

# Policy statements
# admin - allow full control on the shares
# media - allow read/write/delete on backup, allow read/write deny delete on archive, install, media
# everyone - allow read
#
# $1 is an optional extra ACE (with trailing comma) placed after the owner@ entry,
# so it is evaluated before the inherited user:media allow entry.
# The continuation lines must stay unindented: whitespace after a backslash-newline
# would split the ACL string into several words.
policy() {
echo \
owner@:read_set:fd:allow,\
$1\
user:media:modify_set:fd:allow,\
user:admin:full_set:fd:allow,\
user:root:full_set:fd:allow,\
everyone@:read_set:fd:allow
}

# Backup - Allow everyone read, media & admin full permissions

# deny deleting from media, install and archive
# (the deny entry has no inheritance flags, so new children do not get it)
chmod -R A=`policy user:media:dD:deny,` /tank/archive
chmod -R A=`policy user:media:dD:deny,` /tank/install
chmod -R A=`policy user:media:dD:deny,` /tank/media

# allow deleting from backup
chmod -R A=`policy` /tank/backup

# Allow shares to be accessible from Windows
# (A+ prepends the entry, so execute on the share root is granted to media)
chmod A+user:media:x:allow /tank/archive
chmod A+user:media:x:allow /tank/install
chmod A+user:media:x:allow /tank/media
chmod A+user:media:x:allow /tank/backup

--
This message posted from opensolaris.org
_______________________________________________
storage-discuss mailing list
storage-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/storage-discuss
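The post's trick (inherited allow, explicit non-inherited deny, deny placed before the allow) relies on two NFSv4/ZFS ACL rules: entries are evaluated in order and decided per permission bit by the first matching entry, and only entries carrying f/d inheritance flags are copied onto new children. The following Python model, added here as an example and not part of the original message or of any Solaris code, replays the post's policy() function through those two rules and checks the claims made above. It assumes the chmod(1) permission-set expansions shown in the comments, that root (not media) owns the share roots, that no 'n' or 'i' inheritance flags are in play, and it deliberately simplifies deletion to checking the bits on the object itself (real ZFS also consults delete_child on the parent directory).

```python
"""Model of ZFS/NFSv4-style ACL inheritance and first-match evaluation.

Added example (not the post's script, not Solaris code). Permission-set
letter expansions and the evaluation rule are assumptions/simplifications.
"""
from dataclasses import dataclass

# ZFS compact permission letters grouped as the chmod(1) permission sets (assumed).
READ_SET = set("raRc")                           # read_data, read_attributes, read_xattr, read_acl
WRITE_SET = set("wpAW")                          # write_data, append_data, write_attributes, write_xattr
MODIFY_SET = READ_SET | WRITE_SET | set("xdDs")  # all but write_acl (C) and write_owner (o)
FULL_SET = MODIFY_SET | set("Co")
SETS = {"read_set": READ_SET, "write_set": WRITE_SET,
        "modify_set": MODIFY_SET, "full_set": FULL_SET}


@dataclass(frozen=True)
class Ace:
    who: str          # "owner@", "everyone@" or "user:<name>"
    perms: frozenset  # permission letters
    flags: str        # subset of "fd" (file_inherit / dir_inherit); "" = not inherited
    kind: str         # "allow" or "deny"


def parse_ace(spec: str) -> Ace:
    """Parse one entry in chmod(1) ACL syntax, e.g. user:media:dD:deny."""
    parts = spec.split(":")
    special = parts[0].endswith("@")
    who = parts[0] if special else "user:" + parts[1]
    rest = parts[1:] if special else parts[2:]   # perms, [flags], type
    perms, kind = rest[0], rest[-1]
    flags = rest[1] if len(rest) == 3 else ""
    return Ace(who, frozenset(SETS.get(perms, set(perms))), flags, kind)


def parse_acl(specs: str):
    return [parse_ace(s) for s in specs.strip(",").split(",")]


def policy(extra: str = "") -> str:
    """Same ACL string the post's shell policy() echoes; extra goes after owner@."""
    return ("owner@:read_set:fd:allow," + extra +
            "user:media:modify_set:fd:allow,user:admin:full_set:fd:allow,"
            "user:root:full_set:fd:allow,everyone@:read_set:fd:allow")


def inherit(parent_acl, is_dir: bool):
    """ACEs a new child gets: 'f' entries for files, 'd' for directories.
    A file receives them with inheritance flags stripped; a directory keeps them."""
    want = "d" if is_dir else "f"
    return [Ace(a.who, a.perms, a.flags if is_dir else "", a.kind)
            for a in parent_acl if want in a.flags]


def allowed(acl, principal: str, requested: str, is_owner: bool = False) -> bool:
    """First-match-per-bit evaluation: each requested bit is decided by the first
    matching ACE that mentions it; a deny on any bit fails, undecided bits fail."""
    undecided = set(requested)
    for ace in acl:
        matches = (ace.who == "everyone@" or ace.who == "user:" + principal
                   or (ace.who == "owner@" and is_owner))
        if not matches:
            continue
        hit = undecided & ace.perms
        if hit and ace.kind == "deny":
            return False
        undecided -= hit
    return not undecided


def share_acl(extra: str):
    """ACL on a share root after `chmod -R A=<policy>` then `chmod A+user:media:x:allow`
    (A+ prepends, so the execute entry is evaluated first)."""
    return parse_acl("user:media:x:allow") + parse_acl(policy(extra))


def demo() -> dict:
    archive = share_acl("user:media:dD:deny,")   # deny delete, no inheritance flags
    backup = share_acl("")                        # deletion allowed
    new_file = inherit(archive, is_dir=False)     # a file media creates under archive
    return {
        "media_delete_existing_in_archive": allowed(archive, "media", "d"),
        "media_create_in_archive": allowed(archive, "media", "wx"),
        "media_delete_new_file_in_archive": allowed(new_file, "media", "d"),
        "media_delete_in_backup": allowed(backup, "media", "d"),
        "guest_read_archive": allowed(archive, "guest", "r"),
        "guest_write_archive": allowed(archive, "guest", "w"),
        "deny_inherited_by_new_file": any(a.kind == "deny" for a in new_file),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model also shows why the deny must come before the inherited allow in policy(): with the order swapped, the allow entry decides the 'd' bit first and the deny is never reached.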