Hi--
I need to collect some more info:
1. What Solaris release is this?
2. Send me the output of this command on the file system below:
# zfs get aclmode,aclinherit pool/dataset
3. What copy command are you using to copy testfile?
In addition, are you using any options.
Thanks,
Cindy
On 01/28/10 14:37, CD wrote:
Hey, thanks for replying!
I've been accessing my server with samba, but now that I'm switching
over to nfs, I can't seem to get the ACL right..
Basically, moving and overwriting files seems to work fine. But if I
copy a file - either from an external source or internally on the server
- the permissions get messed up. Either I lose permission to write to
the file, or I lose all permissions..
My access hierarchy:
1. Master group with full access to all files on server
2. Master group with only read access to all files on server
3. Local group with rw access to only this filesystem
4. Local group with read access to only this filesystem
5. Deny everyone else
The template used on the filesystem:
group:su:full_set:f:allow,\
group:su:full_set:d:allow,\
group:su::f:deny,\
group:su::d:deny,\
group:vu:read_set:f:allow,\
group:vu:read_set:d:allow,\
group:vu:wxpdDAWCos:f:deny,\
group:vu:wxpdDAWCos:d:deny,\
group:isorw:full_set:f:allow,\
group:isorw:full_set:d:allow,\
group:isorw::f:deny,\
group:isorw::d:deny,\
group:isor:read_set:f:allow,\
group:isor:read_set:d:allow,\
group:isor:wxpdDAWCos:f:deny,\
group:isor:wxpdDAWCos:d:deny,\
everyone@::f:allow,\
everyone@::d:allow,\
everyone@:full_set:f:deny,\
everyone@:full_set:d:deny \
If I make a new file on the server, the permissions looks fine, and I
get full access:
----------+ 1 1000 workers 0 Jan 28 20:35 testfile
group:su:rwxpdDaARWcCos:------I:allow
group:su:--------------:------I:deny
group:vu:r-----a-R-c---:------I:allow
group:vu:-wxpdD-A-W-Cos:------I:deny
group:isorw:rwxpdDaARWcCos:------I:allow
group:isorw:--------------:------I:deny
group:isor:r-----a-R-c---:------I:allow
group:isor:-wxpdD-A-W-Cos:------I:deny
everyone@:--------------:------I:allow
everyone@:rwxpdDaARWcCos:------I:deny
If I make a copy of the file, however, it gets messy:
----------+ 1 1000 workers 0 Aug 29 2022 testfile_copy
group:su:rwxp----------:-------:deny
group:su:rwxpdDaARWcCos:------I:allow
group:su:--------------:------I:deny
group:vu:r-------------:-------:deny
group:vu:r-----a-R-c---:------I:allow
group:vu:-wxpdD-A-W-Cos:------I:deny
group:isorw:rwxp----------:-------:deny
group:isorw:rwxpdDaARWcCos:------I:allow
group:isorw:--------------:------I:deny
group:isor:r-------------:-------:deny
group:isor:r-----a-R-c---:------I:allow
group:isor:-wxpdD-A-W-Cos:------I:deny
everyone@:--------------:------I:allow
everyone@:----dDaARWcCos:------I:deny
owner@:rwxp----------:-------:deny
owner@:-------A-W-Co-:-------:allow
group@:rwxp----------:-------:deny
group@:--------------:-------:allow
everyone@:rwxp---A-W-Co-:-------:deny
everyone@:------a-R-c--s:-------:allow
Why does the extra entries get added? The extra entry at the top, seem
to block me from accessing the file.
On 01/25/2010 09:18 PM, Cindy Swearingen wrote:
Hi CD,
Practical in what kind of environment? What are your goals?
Do you want the ACL deny entries to be inherited?
Do you plan to use CIFS to access these files + ACLs from
systems running Windows?
Thanks,
Cindy
On 01/25/10 07:21, CD wrote:
Hello forum.
I'm in the process of re-organizing my server and ACL-settings.
I've seen so many different ways of doing ACL, which makes me wonder
how I should do it myself.
This is obviously the easiest way, only describing the positive
permissions:
/usr/bin/chmod -R A=\
group:sa:full_set:fd:allow,\
group:vk:read_set:fd:allow \
However, I've seen people split each line, so you getone for each
inheritance-setting:
group:sa:full_set:f:allow,\
group:sa:full_set:d:allow,\
group:vk:read_set:f:allow,\
group:vk:read_set:d:allow \
And some include all negative permissions, like this:
group:sa:full_set:f:allow,\
group:sa:full_set:d:allow,\
group:sa::f:deny,\
group:sa::d:deny,\
group:vk:read_set:f:allow,\
group:vk:read_set:d:allow,\
group:vk:wxpdDAWCos:f:deny,\
group:vk:wxpdDAWCos:d:deny,\
everyone@::f:allow,\
everyone@::d:allow,\
everyone@:full_set:f:deny,\
everyone@:full_set:d:deny \
- Which, I admit, looks more tidy and thoroughly done, but is it
practical?
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
