napp it (or zfs) share permissions how to and open questions


tnkrer

New Member
Sep 20, 2016
I am setting up my shares with my specific requirements (which are not special, quite similar to what others will have). I still have a few questions. (Spread throughout in bold)

Users -
  1. root
  2. super user who has full access to everything (other than root)
  3. individual users user1 through user4
    1. Have write access to some folders in some shares and will be uploading files/folders and modifying files/folders in those directories
    2. Have read access to some folders in some shares
    3. Have no access to some shares and no access to folders in some shares
  4. guest user - currently no access and no plans to add a guest user
Expected Behavior -
  • super user should be able to manage files anywhere
  • individual users will not see folders and shares that they do not have access to
  • individual users will see folders where they have read access, but will not be able to add/delete files or modify files if they do not have write access
Solaris ACL model (has details about each of those ACL permissions)
A typical filesystem will have either a visible share (photos) or a hidden share (data$).
All shares will have a deny for everyone, and the permission that allows everyone (which apparently gets created by default) will be deleted. The purpose of this is to make sure that none of the data is available to anyone without authorization. Is this a good idea?
deny everyone@
Code:
/usr/bin/chmod A+everyone@:rwxpdDaARWcCos:fd-----:deny photos
remove everyone@:allow
Code:
/usr/bin/chmod A?- photos
? is the index of the permission entry which allows everyone access.
What I found out is that if everyone@:deny is first in the list of ACL entries, none of the other permissions are evaluated, so no one has access. Is that correct? What I have not found out yet is how to change the order of the ACL entries.

All shares will have full permissions for a superuser other than root.
Code:
/usr/bin/chmod A+user:home-admin:rwxpdDaARWcCos:fd-----:allow photos
or
Code:
/usr/bin/chmod A+user:home-admin:full_set:fd-----:allow photos
The values for acl-inherit and aclmode are passthrough.
So any new directory or file created under this share gets the same permissions.

photos has directories device1, device2, ...
One user has read-write access to one device and read access to common.
Code:
/usr/bin/chmod A+user:home-user1:write_set:fd-----:allow photos/device1
Code:
/usr/bin/chmod A+user:home-user1:read_set:fd-----:allow photos/common
Open question - If I need to add access for another user at the top-level directory, how do I recursively set the access on lower directories and files? I have not found a command for that yet.

Open question - If user1 is to have access to photos/device1, does s/he also need access to parent folder photos?

Open question - Do I need fd in the inherit flags for all permissions to carry those permissions to any new subfolders?

gea

Well-Known Member
Dec 31, 2010
Solaris is a Unix operating system and ZFS is a Unix filesystem.
But unlike SAMBA, Sun built the following into their own kernel- and ZFS-based SMB server:

- a share is always and only a property of a filesystem (makes previous versions easy)
- SMB is integrated into the OS and ZFS, no extra config file, settings are ZFS properties.

- The server follows the idea of Windows, using file/folder ACLs and an additional ACL on the share itself
- The Solaris SMB server is not based on traditional Unix permissions but on nfs4 ACLs only.
Apart from deny rules, they behave like Windows NTFS permissions: Windows respects deny rules first, then allow rules, while Solaris respects the order of rules.

So to understand Solaris permissions you must understand Windows permissions, e.g.
How to Understand Those Confusing Windows 7 File/Share Permissions

Windows ACLs are very fine-grained, with as many users and groups as you like. A group can contain users and groups. As this is not possible with traditional Unix groups, Solaris has additional Windows-compatible SMB groups.

If you set permissions on a folder, you can decide if this permission is only valid for this folder or if it should be inherited by new files and folders within. If you set permissions on a folder below, you can remove the inheritance and set new rules with or without deeper inheritance (the fd / files, directory inheritance).

Windows-like ACLs are too complex to set via the CLI beyond very basic rules.
Connect from Windows as root and you can set all file/folder or share permissions from Windows. This may also help to understand ACLs, especially with the advanced permissions tab in the Windows security menu.

The other option is napp-it with the ACL extension, which takes care of the order of rules.
Napp-it also includes an option to reset all ACLs recursively to everyone or root (free option).

If you want a regular Windows admin, add this user to the SMB group administrators on Solaris. But be aware that on Windows you can remove admin users from permissions if you have full access, e.g. on your own files. While the admin is then able to modify the ACL to regain access, Unix behaves differently for user root. Root always has access, even without an ACL rule.

Permissions are always needed for the files or folders that you want to access.
If you connect from a parent folder, you need permissions to traverse the folder path. If you enter a path directly, you can access it if you have permissions on this file/folder due to a direct or inherited rule; it does not matter whether you have access to a parent folder.
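As an added example (not code from the thread, napp-it or Solaris), a small Python model of how an nfs4 ACL written in the compact chmod syntax above is evaluated entry by entry: why an everyone@ deny placed first blocks even home-admin, how Windows-style deny-first ordering differs, and which entries a new file or directory inherits from the fd flags. The home-admin and home-user1 names are the thread's; the contents of full_set, modify_set, read_set and write_set follow the Solaris chmod(1) compact sets.

```python
# Constructed model of Solaris/NFSv4 ACL evaluation and inheritance around the
# compact ACE syntax used in the thread. Not napp-it or Solaris code.
PERMS = "rwxpdDaARWcCos"                       # compact letters, see chmod(1)
SETS = {"full_set": set(PERMS),                # Solaris compact permission sets
        "modify_set": set(PERMS) - set("Co"),  # all but write_acl, write_owner
        "read_set": set("raRc"),               # read_data, attrs, xattr, acl
        "write_set": set("wpAW")}              # write_data, append, attrs, xattr

def parse_ace(text):
    """'user:home-user1:write_set:fd-----:allow' -> dict of its four fields."""
    p = text.split(":")
    if p[0] in ("user", "group"):              # named principal keeps 'user:x'
        p = [p[0] + ":" + p[1]] + p[2:]
    who, perms, inherit, kind = p
    return {"who": who, "perms": SETS.get(perms, set(perms)), "inherit": inherit, "type": kind}

def access(acl, user, wanted, deny_first=False):
    """True if every letter of `wanted` is allowed. Solaris walks the ACL in order;
    the first matching entry naming a bit decides it. deny_first models Windows."""
    order = sorted(acl, key=lambda a: a["type"] != "deny") if deny_first else acl
    for bit in wanted:
        for ace in order:
            if ace["who"] in ("everyone@", "user:" + user) and bit in ace["perms"]:
                if ace["type"] == "deny":
                    return False
                break                          # granted by an allow entry
        else:
            return False                       # nothing grants it: implicit deny
    return True

def inherit(acl, child_is_dir):
    """Entries a new child gets with aclinherit=passthrough: 'd' entries go to
    directories (inherit_only dropped), 'f' entries to files with flags cleared."""
    out = []
    for ace in acl:
        f = ace["inherit"]                     # no_propagate ('n') not modeled
        if child_is_dir and "d" in f:
            out.append({**ace, "inherit": f.replace("i", "-")})
        elif not child_is_dir and "f" in f:
            out.append({**ace, "inherit": "-------"})
    return out

def thread_example():
    """The thread's photos ACL with everyone@ deny first, then moved last."""
    deny = parse_ace("everyone@:rwxpdDaARWcCos:fd-----:deny")
    admin = parse_ace("user:home-admin:full_set:fd-----:allow")
    user1 = parse_ace("user:home-user1:write_set:fd-----:allow")
    first, last = [deny, admin, user1], [admin, user1, deny]
    return {"admin_deny_first": access(first, "home-admin", "rwx"),  # False
            "admin_deny_last": access(last, "home-admin", "rwx"),    # True
            "user1_read": access(last, "home-user1", "r")}  # False: write_set has no read_data
```

Note that read_set and write_set are disjoint, so a user given only write_set on a directory cannot read it; read-write access needs both sets (or modify_set).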