Hello forum.

I'm in the process of re-organizing my server and ACL-settings. I've seen so many different ways of doing ACL, which makes me wonder how I should do it myself.

This is obviously the easiest way, only describing the positive permissions:

/usr/bin/chmod -R A=\
group:sa:full_set:fd:allow,\
group:vk:read_set:fd:allow \

However, I've seen people split each line, so you get one for each inheritance-setting:

group:sa:full_set:f:allow,\
group:sa:full_set:d:allow,\
group:vk:read_set:f:allow,\
group:vk:read_set:d:allow \

And some include all negative permissions, like this:

group:sa:full_set:f:allow,\
group:sa:full_set:d:allow,\
group:sa::f:deny,\
group:sa::d:deny,\
group:vk:read_set:f:allow,\
group:vk:read_set:d:allow,\
group:vk:wxpdDAWCos:f:deny,\
group:vk:wxpdDAWCos:d:deny,\
everyone@::f:allow,\
everyone@::d:allow,\
everyone@:full_set:f:deny,\
everyone@:full_set:d:deny \

- Which, I admit, looks more tidy and thoroughly done, but is it practical?
Hi CD,

Practical in what kind of environment? What are your goals?

Do you want the ACL deny entries to be inherited?

Do you plan to use CIFS to access these files + ACLs from systems running Windows?

Thanks,

Cindy

On 01/25/10 07:21, CD wrote:
> [...]
> _______________________________________________
> zfs-discuss mailing list
> zfs-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
Hey, thanks for replying!

I've been accessing my server with samba, but now that I'm switching over to nfs, I can't seem to get the ACL right..

Basically, moving and overwriting files seems to work fine. But if I copy a file - either from an external source or internally on the server - the permissions get messed up. Either I lose permission to write to the file, or I lose all permissions..

My access hierarchy:
1. Master group with full access to all files on server
2. Master group with only read access to all files on server
3. Local group with rw access to only this filesystem
4. Local group with read access to only this filesystem
5. Deny everyone else

The template used on the filesystem:

group:su:full_set:f:allow,\
group:su:full_set:d:allow,\
group:su::f:deny,\
group:su::d:deny,\
group:vu:read_set:f:allow,\
group:vu:read_set:d:allow,\
group:vu:wxpdDAWCos:f:deny,\
group:vu:wxpdDAWCos:d:deny,\
group:isorw:full_set:f:allow,\
group:isorw:full_set:d:allow,\
group:isorw::f:deny,\
group:isorw::d:deny,\
group:isor:read_set:f:allow,\
group:isor:read_set:d:allow,\
group:isor:wxpdDAWCos:f:deny,\
group:isor:wxpdDAWCos:d:deny,\
everyone@::f:allow,\
everyone@::d:allow,\
everyone@:full_set:f:deny,\
everyone@:full_set:d:deny \

If I make a new file on the server, the permissions look fine, and I get full access:

----------+ 1 1000 workers 0 Jan 28 20:35 testfile
group:su:rwxpdDaARWcCos:------I:allow
group:su:--------------:------I:deny
group:vu:r-----a-R-c---:------I:allow
group:vu:-wxpdD-A-W-Cos:------I:deny
group:isorw:rwxpdDaARWcCos:------I:allow
group:isorw:--------------:------I:deny
group:isor:r-----a-R-c---:------I:allow
group:isor:-wxpdD-A-W-Cos:------I:deny
everyone@:--------------:------I:allow
everyone@:rwxpdDaARWcCos:------I:deny

If I make a copy of the file, however, it gets messy:

----------+ 1 1000 workers 0 Aug 29 2022 testfile_copy
group:su:rwxp----------:-------:deny
group:su:rwxpdDaARWcCos:------I:allow
group:su:--------------:------I:deny
group:vu:r-------------:-------:deny
group:vu:r-----a-R-c---:------I:allow
group:vu:-wxpdD-A-W-Cos:------I:deny
group:isorw:rwxp----------:-------:deny
group:isorw:rwxpdDaARWcCos:------I:allow
group:isorw:--------------:------I:deny
group:isor:r-------------:-------:deny
group:isor:r-----a-R-c---:------I:allow
group:isor:-wxpdD-A-W-Cos:------I:deny
everyone@:--------------:------I:allow
everyone@:----dDaARWcCos:------I:deny
owner@:rwxp----------:-------:deny
owner@:-------A-W-Co-:-------:allow
group@:rwxp----------:-------:deny
group@:--------------:-------:allow
everyone@:rwxp---A-W-Co-:-------:deny
everyone@:------a-R-c--s:-------:allow

Why do the extra entries get added? The extra entry at the top seems to block me from accessing the file.

On 01/25/2010 09:18 PM, Cindy Swearingen wrote:
> [...]
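The two questions raised so far (whether the trailing deny entries in the first message's template change anything, and why the non-inherited entries prepended to testfile_copy lock the poster out) both come down to how an NFSv4-style ACL is evaluated. The following is an added example, not code from this thread or from ZFS, that walks the listings and templates quoted above under the rule ZFS applies: entries are examined in order and, for each requested permission bit, the first matching entry that mentions that bit decides, allow or deny; a bit that no entry mentions is denied. The ACL text is copied from the messages above; the user accounts, their group memberships and the expansion of the set names are assumptions for the demonstration (read_set is taken as r, a, R, c, which is what the vu and isor entries show in the listing).

```python
# Added example (not code from this thread or from ZFS): evaluate NFSv4-style
# ACL entries the way ZFS does.  Entries are walked in order; for each requested
# permission bit the first matching entry that mentions the bit decides (allow
# or deny), and a bit no entry mentions is denied.  The ACL text below is copied
# from the thread's listings and templates; users and memberships are constructed.

ALL_BITS = "rwxpdDaARWcCos"          # compact permission letters in `ls -v` order
SETS = {"full_set": set(ALL_BITS), "read_set": set("raRc"), "": set()}  # chmod A= names

def parse_ace(line):
    """Accepts chmod-A= form (group:sa:full_set:fd:allow) and the `ls -v`
    compact form (group:su:rwxpdDaARWcCos:------I:allow)."""
    fields = line.strip().rstrip("\\").strip().rstrip(",").split(":")
    who = None
    if fields[0].endswith("@"):       # owner@ / group@ / everyone@ carry no name
        ptype, perms, flags, kind = fields
    else:
        ptype, who, perms, flags, kind = fields
    bits = SETS[perms] if perms in SETS else {c for c in perms if c != "-"}
    return {"ptype": ptype, "who": who, "bits": bits, "flags": flags, "kind": kind}

def ace_applies(ace, user, owner_uid, owning_group):
    """True if the entry's principal covers `user` on an object owned by
    owner_uid/owning_group.  inherit_only ('i') entries never apply directly."""
    if "i" in ace["flags"]:
        return False
    return {
        "owner@": user["uid"] == owner_uid,
        "group@": owning_group in user["groups"],
        "everyone@": True,
        "group": ace["who"] in user["groups"],
        "user": ace["who"] == user["name"],
    }[ace["ptype"]]

def evaluate(acl_text, user, requested, owner_uid=1000, owning_group="workers"):
    """Return (granted, decisions); decisions maps each requested bit to
    'allow', 'deny' or 'unmatched' (unmatched is a denial too)."""
    aces = [parse_ace(l) for l in acl_text.splitlines() if l.strip()]
    decisions = {}
    for bit in requested:
        decisions[bit] = "unmatched"
        for ace in aces:
            if bit in ace["bits"] and ace_applies(ace, user, owner_uid, owning_group):
                decisions[bit] = ace["kind"]
                break
    return all(v == "allow" for v in decisions.values()), decisions

# `ls -v` entries of the freshly created testfile (owner uid 1000, group workers).
NEW_FILE = """group:su:rwxpdDaARWcCos:------I:allow
group:su:--------------:------I:deny
group:vu:r-----a-R-c---:------I:allow
group:vu:-wxpdD-A-W-Cos:------I:deny
group:isorw:rwxpdDaARWcCos:------I:allow
group:isorw:--------------:------I:deny
group:isor:r-----a-R-c---:------I:allow
group:isor:-wxpdD-A-W-Cos:------I:deny
everyone@:--------------:------I:allow
everyone@:rwxpdDaARWcCos:------I:deny"""
# Entries of testfile_copy, with the non-inherited entries that appeared on copy.
COPIED_FILE = """group:su:rwxp----------:-------:deny
group:su:rwxpdDaARWcCos:------I:allow
group:su:--------------:------I:deny
group:vu:r-------------:-------:deny
group:vu:r-----a-R-c---:------I:allow
group:vu:-wxpdD-A-W-Cos:------I:deny
group:isorw:rwxp----------:-------:deny
group:isorw:rwxpdDaARWcCos:------I:allow
group:isorw:--------------:------I:deny
group:isor:r-------------:-------:deny
group:isor:r-----a-R-c---:------I:allow
group:isor:-wxpdD-A-W-Cos:------I:deny
everyone@:--------------:------I:allow
everyone@:----dDaARWcCos:------I:deny
owner@:rwxp----------:-------:deny
owner@:-------A-W-Co-:-------:allow
group@:rwxp----------:-------:deny
group@:--------------:-------:allow
everyone@:rwxp---A-W-Co-:-------:deny
everyone@:------a-R-c--s:-------:allow"""
# The first message's allow-only template and its allow-plus-deny counterpart.
ALLOW_ONLY = r"""group:sa:full_set:fd:allow,\
group:vk:read_set:fd:allow \
"""
ALLOW_AND_DENY = r"""group:sa:full_set:f:allow,\
group:sa:full_set:d:allow,\
group:sa::f:deny,\
group:sa::d:deny,\
group:vk:read_set:f:allow,\
group:vk:read_set:d:allow,\
group:vk:wxpdDAWCos:f:deny,\
group:vk:wxpdDAWCos:d:deny,\
everyone@::f:allow,\
everyone@::d:allow,\
everyone@:full_set:f:deny,\
everyone@:full_set:d:deny \
"""
# Constructed accounts: one in the full-access groups, one in the read-only groups.
WRITER = {"name": "alice", "uid": 1000, "groups": {"workers", "su", "isorw", "sa"}}
READER = {"name": "bob", "uid": 2000, "groups": {"workers", "vu", "isor", "vk"}}
```

Calling evaluate(NEW_FILE, WRITER, "rw") grants both bits, while evaluate(COPIED_FILE, WRITER, "rw") denies both: the prepended group:su:rwxp----------:-------:deny entry is reached before the inherited allow, so it wins for r, w, x and p. A vu member fares worse on the copy, losing read through the prepended group:vu:r-------------:-------:deny entry, which is the "lose all permissions" case from the message. For the first message's question, a vk member asking for write gets "unmatched" under the allow-only template and "deny" under the allow-plus-deny one; both outcomes are a refusal, so for access decisions the explicit deny entries do not change the result of the allow-only template.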
Hi--

I need to collect some more info:

1. What Solaris release is this?

2. Send me the output of this command on the file system below:

# zfs get aclmode,aclinherit pool/dataset

3. What copy command are you using to copy testfile? In addition, are you using any options?

Thanks,

Cindy

On 01/28/10 14:37, CD wrote:
> [...]
I don't have a lot of time to help here, but this post of mine might possibly help with ACLs:

http://breden.org.uk/2009/05/10/home-fileserver-zfs-file-systems/

Cheers,

Simon

-- This message posted from opensolaris.org
It's been a while, and finally I got the time to do some testing -- Actually I only knew about aclinherit -- which I've found is best set as passthrough. Setting aclmode to passthrough solved the issues I experienced earlier. Wonderful! Thanks a lot!
So Cindy, Simon (or anyone else)... now that we are over a year past when Simon wrote his excellent blog introduction, is there an updated "best practices" for ACLs with CIFS? Or, is this blog entry still the best word on the street?

In my case, I am supporting multiple PCs (Workgroup) and Macs; running OpenSolaris B134.

Thanks,

Craig