[OpenIndiana-discuss] ACL problem

Guenther Alka alka at hfg-gmuend.de
Sun Dec 13 17:46:20 UTC 2015


Some principles with ACLs on Solarish CIFS

- They are too complicated for CLI, set them via Windows as root or a web-ui
- set aclinherit to restricted if you want to keep owner from parent directory (ex root)
- On Windows ntfs you can remove/lockout admin so admin has no access
  On Solarish root always has access and owner can always modify permissions
- Solarish uses Windows SID, nfs4 ACL and Windows SMB groups (as Unix groups are not Windows compatible)
- never use a chmod to Unix permissions like 750 as this removes ACL inheritance
- Do not set deny rules on Windows as they work differently to Unix (First deny then allow vs keep order of rules)

What I would do for simplicity:
- create users and SMB groups with users as members on OI
- create folders on Windows as root
- assign allow permissions based on User and SMB groups on Windows (without an allow you have no access)

If you need deny rules or access to files where admin is removed, you can use a Web-UI like my napp-it


Gea
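An added example, not code from this thread or from napp-it: it parses ACL entries in the `ls -v` layout quoted below and evaluates them the NFSv4 way (walk the entries in order, the first matching allow or deny decides, no match at all means no access). It shows why adding inherit_only turns `drwxrwxrwx+` into `d---------+`: an inherit_only entry is propagated to new children but is never applied to the directory that carries it. The names `Ace`, `parse_acl`, `check` and `mode_triplet` are my own, and the evaluator matches the ACE identity (owner@, everyone@, user:name) literally instead of resolving group membership.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    who: str          # owner@, group@, everyone@, user:name or group:name
    perms: frozenset  # NFSv4 permission names such as read_data
    flags: frozenset  # inheritance flags: file_inherit, dir_inherit, inherit_only
    kind: str         # "allow" or "deny"

def parse_acl(text):
    """Parse 'index:who:perm/perm/...:flag/flag/...:allow|deny' lines, one ACE per line."""
    aces = []
    for line in text.strip().splitlines():
        parts = line.strip().split(":")
        kind, flags, perms = parts[-1], parts[-2], parts[-3]
        who = ":".join(parts[1:-3])  # keeps the colon in 'user:joe'
        aces.append(Ace(who, frozenset(filter(None, perms.split("/"))),
                        frozenset(filter(None, flags.split("/"))), kind))
    return aces

def check(aces, who, perm):
    """NFSv4 evaluation: walk the ACEs in order and let the first entry that
    names this identity and this permission decide; no match means denied."""
    for ace in aces:
        # An inherit_only ACE is copied to new children but is never
        # evaluated for the directory that carries it, so skip it here.
        if "inherit_only" in ace.flags:
            continue
        if ace.who == who and perm in ace.perms:
            return ace.kind == "allow"
    return False

def mode_triplet(aces, who):
    """The rwx column ls shows for an identity, derived from the effective ACEs."""
    bits = (("r", "read_data"), ("w", "write_data"), ("x", "execute"))
    return "".join(b if check(aces, who, p) else "-" for b, p in bits)

# Constructed samples: the two listings from the thread with wrapped lines joined.
PERMS = ("list_directory/read_data/add_file/write_data/add_subdirectory/append_data/"
         "read_xattr/execute/delete_child/read_attributes/delete/read_acl")
BEFORE = "\n".join(f"{i}:{w}:{PERMS}:file_inherit/dir_inherit:allow"
                   for i, w in enumerate(("owner@", "group@", "everyone@")))
AFTER = "\n".join(f"{i}:{w}:{PERMS}:file_inherit/dir_inherit/inherit_only:allow"
                  for i, w in enumerate(("owner@", "group@", "everyone@")))

if __name__ == "__main__":
    for label, acl in (("before", BEFORE), ("after", AFTER)):
        aces = parse_acl(acl)
        print(label, mode_triplet(aces, "owner@"),
              "owner@ list_directory:", check(aces, "owner@", "list_directory"))
```

Run as a script it prints `before rwx ... True` and `after --- ... False`, matching the two `ls` lines in the quoted message.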

On 13.12.2015 at 16:02, Michelle wrote:
> I'm definitely having problems with this inherit_only flag.
>
> What starts as this...
> drwxrwxrwx+  2 Joe Family          2 Dec 13 15:40 guest_folder
>
> 0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
>           /append_data/read_xattr/execute/delete_child/read_attributes
>           /delete/read_acl:file_inherit/dir_inherit:allow
>
> 1:group@:list_directory/read_data/add_file/write_data/add_subdirectory
>           /append_data/read_xattr/execute/delete_child/read_attributes
>           /delete/read_acl:file_inherit/dir_inherit:allow
> 2:everyone@:list_directory/read_data/add_file/write_data
>           /add_subdirectory/append_data/read_xattr/execute/delete_child
>           /read_attributes/delete/read_acl:file_inherit/dir_inherit:allow
>
> ... if a guest (who has access under "everyone") writes a file or makes a
> directory in that folder, then the ownership is not Joe, but the guest
> account.
>
> Adding the inherit_only flag changes to this...
>
> d---------+  2 Joe Family          2 Dec 13 15:40 guest_folder
>
> 0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
>           /append_data/read_xattr/execute/delete_child/read_attributes
>           /delete/read_acl:file_inherit/dir_inherit/inherit_only:allow
> 1:group@:list_directory/read_data/add_file/write_data/add_subdirectory
>           /append_data/read_xattr/execute/delete_child/read_attributes
>           /delete/read_acl:file_inherit/dir_inherit/inherit_only:allow
> 2:everyone@:list_directory/read_data/add_file/write_data
>           /add_subdirectory/append_data/read_xattr/execute/delete_child
>           /read_attributes/delete/read_acl:file_inherit/dir_inherit
>           /inherit_only:allow
>
> ...and not even Joe can see the directory guest_folder in an SFTP
> listing, despite being the owner and having the rights.
> There's something obvious going on here that I clearly haven't got to
> grips with.
>
> All I'm trying to do is ensure that all files written within a
> directory have the same ownership as the directory itself, no matter
> what account actually writes them.
