> On 5. Dec 2023, at 19:46, Joel Carnat <[email protected]> wrote:
>
> Hi,
>
> I have just noticed that files created inside a folder that has rwx
> permissions also inherit the execute permission. In the case of a Time
> Machine backup, this is unwanted.
>
> # ls -adV /timemachine /timemachine/* /timemachine/*/*plist
> drwxrwx---   4 root  users    4 Dec  5 16:58 /timemachine
>     owner@:rwxp-DaARWcCos:-------:allow
>     group@:rwxp-Da-R-c--s:-------:allow
>     everyone@:------a-R-c--s:-------:allow
> drwx------+  4 jca   users   11 Dec  5 16:58 /timemachine/MacBook Pro de Joel.sparsebundle
>     user:jca:rwxpdDaARWcCos:-------:allow
>     groupsid:Local System@:rwxpdDaARWcCos:-------:allow
> -rwx------+  1 jca   users  502 Dec  5 16:56 /timemachine/MacBook Pro de Joel.sparsebundle/Info.plist
>     user:jca:rwxpdDaARWcCos:-------:allow
>     groupsid:Local System@:rwxpdDaARWcCos:-------:allow
> -rwx------+  1 jca   users  516 Dec  5 16:58 /timemachine/MacBook Pro de Joel.sparsebundle/com.apple.TimeMachine.MachineID.plist
>     user:jca:rwxpdDaARWcCos:-------:allow
>     groupsid:Local System@:rwxpdDaARWcCos:-------:allow
> -rwx------+  1 jca   users  220 Dec  5 16:58 /timemachine/MacBook Pro de Joel.sparsebundle/com.apple.TimeMachine.SnapshotHistory.plist
>     user:jca:rwxpdDaARWcCos:-------:allow
>     groupsid:Local System@:rwxpdDaARWcCos:-------:allow
>
> I'd like folders to be 0700 and files 0600.
> Is there a way to force the files to not be created executable?
>
> Thanks.

I did quite a simple setup, I have a per client share:

drwx------   4 tsoome  root  6 dets  5 19:44 TimeMachine
drwx------   4 user1   root  7 dets  5 19:40 TimeMachine1

So this does limit who can access the share (I have abe=true), and I let macOS handle permissions inside the share. There is nothing else accessing this share than TM anyhow.

rgds,
toomas

>
> On 02/12/2023 at 21:24, Guenther Alka wrote:
>> Small correction for inheritance on create files and folders acl (tm wants
>> to create subfolders)
>>
>> If you want to separate backups from several users you can use the following
>> three NFS v4 acl rules.
>> If you have a Windows machine, you can set ACL from there (easier than
>> console, or use my napp-it) as Windows ntfs ACL are quite identical to NFS
>> v4 ACL beside deny rules.
>>
>> *on shared folder*
>> - allow read to this folder only for everyone with inheritance disabled (to
>>   give access to share)
>> - allow creation of files and folders for everyone to this folder only with
>>   inheritance enabled (to allow backups)
>>
>> When a user creates a folder via tm backup he is owner.
>> You can use this to add rights for his own backup
>> - allow owner full or modify permissions with inheritance to files and
>>   folders
>>
>> Set nbmand and oplock to on, aclinherit to passthrough (ZFS properties)
>>
>> Gea
>>
>>> Hi,
>>>
>>> I could manage to publish an SMB share to be used with Time Machine but I
>>> still can't figure out which are the right permissions to set up. I read
>>> https://docs.oracle.com/cd/E36784_01/html/E36835/ftyxi.html,
>>> created an smbuser group and two smbuser1, smbuser2 users, both belonging
>>> to the smbuser group. The dataset is called rpool/timemachine.
>>>
>>> I ended up setting `chmod 1777 /timemachine` which allowed both users to be
>>> used to create a backup. But that feels a bit too many permissions for me.
>>> And as chmod breaks ACL inheritance, I understand that I should not use
>>> this.
>>>
>>> What would be the proper ACL set to apply to get something like: any users
>>> from the smbuser group can create/delete/rename their own files and
>>> subdirectories, but can't read/modify others?
>>>
>>> Thanks.
>>
>> *illumos <https://illumos.topicbox.com/latest>* / illumos-discuss / see
>> discussions <https://illumos.topicbox.com/groups/discuss> + participants
>> <https://illumos.topicbox.com/groups/discuss/members> + delivery options
>> <https://illumos.topicbox.com/groups/discuss/subscription> Permalink
>> <https://illumos.topicbox.com/groups/discuss/Te31e27e278d377ff-Mf2746846e83b567d0c6ea91e>
>
> --
> Have a nice day,
> Joel C.
> Tel: +33 663541230
>

------------------------------------------
illumos: illumos-discuss
Permalink: https://illumos.topicbox.com/groups/discuss/Te31e27e278d377ff-Mbeaf4e73612fb02e2d1dba9d
Delivery options: https://illumos.topicbox.com/groups/discuss/subscription
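
Added example, not part of the thread or of any poster's code: a first-pass audit for the symptom described in the quoted message, parsing `ls -V` output and listing regular files whose allow ACEs grant execute. The sample listing is constructed in the layout quoted above, and the names `ENTRY`, `ACE` and `executable_files` are this example's own.

```python
import re

# Constructed sample in the `ls -V` layout quoted in the thread.
SAMPLE = """\
drwxrwx---   4 root  users    4 Dec  5 16:58 /timemachine
    owner@:rwxp-DaARWcCos:-------:allow
    group@:rwxp-Da-R-c--s:-------:allow
    everyone@:------a-R-c--s:-------:allow
drwx------+  4 jca   users   11 Dec  5 16:58 /timemachine/Demo Mac.sparsebundle
    user:jca:rwxpdDaARWcCos:-------:allow
    groupsid:Local System@:rwxpdDaARWcCos:-------:allow
-rwx------+  1 jca   users  502 Dec  5 16:56 /timemachine/Demo Mac.sparsebundle/Info.plist
    user:jca:rwxpdDaARWcCos:-------:allow
    groupsid:Local System@:rwxpdDaARWcCos:-------:allow
-rw-------+  1 jca   users  220 Dec  5 16:58 /timemachine/Demo Mac.sparsebundle/token
    user:jca:rw-pdDaARWcCos:-------:allow
"""

# File line: type char, 9 mode chars, optional ACL marker, links, owner,
# group, size, month, day, time, then the path (which may contain spaces).
ENTRY = re.compile(
    r"^([-dlbcpsD])[rwxsStTlL-]{9}[+@.]?\s+\d+\s+\S+\s+\S+\s+\d+"
    r"\s+\S+\s+\S+\s+\S+\s+(.+)$"
)
# ACE line in compact form: who : 14 permission chars : 7 inheritance flags : type.
# "who" is matched greedily so names such as "groupsid:Local System@" survive.
ACE = re.compile(r"^\s+(.+):([A-Za-z-]{14}):([A-Za-z-]{7}):(allow|deny)$")


def executable_files(listing):
    """Return {path: [who, ...]} for regular files with an allow ACE granting 'x'.

    Deny entries and ACE ordering are not evaluated, so this is a coarse
    audit, not an effective-permission calculation.
    """
    findings, path, is_file = {}, None, False
    for line in listing.splitlines():
        entry = ENTRY.match(line)
        if entry:
            is_file, path = entry.group(1) == "-", entry.group(2)
            continue
        ace = ACE.match(line)
        # Position 2 of the compact permission string is the execute bit.
        if ace and is_file and ace.group(4) == "allow" and ace.group(2)[2] == "x":
            findings.setdefault(path, []).append(ace.group(1))
    return findings


if __name__ == "__main__":
    for name, who in executable_files(SAMPLE).items():
        print(name, "->", ", ".join(who))
```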
