You can set classic unix permissions on the files and folders.
This will reduce the NFS v4 ACL accordingly, unless new actions revert
to an ACL, e.g. due to an upper folder's ACL with inheritance.
In the end you must accept that you use SMB, the Microsoft sharing
protocol that is based on ntfs/nfs v4 ACL with a whole different
permission idea than the old 700/600 syntax.
You have a more fine-granular behaviour like
- full,
- modify,
- read&execute,
- read,
- write,
- special
that you can apply to folders and files, with or without inheritance.
You can decide whether the ACL applies to
- this folder only,
- this folder subfolders and files,
- this folder and subfolders
- this folder and files
- subfolders and files only
- subfolders only
- files only
The Solaris SMB server is using nfs v4 only and all the time (a superset
of ntfs and nfs v4 acl and classic permissions). For a special behaviour
you need a proper ACL like an ACL that allows read only for this folder
subfolders and files with read & execute for a folder only.
See permission options in Windows SMB.
If you switch from basic to advanced/special permissions you get
additional settings like
- traverse, execute
- list folders, read data
- read attributes
- create files/write
- create folders/ append
and a lot of others
You can create any fine-granular ACL list that you want. In the end I
would concentrate on users. Only those who created the backup (owner),
admins or another group can access, all others not - easier to
configure as all users must authenticate prior to using a share.
Hope this helps
Gea
Hi,
I have just noticed that files created inside a folder that has rwx
permissions also inherits the execute permission. In the case of a
Time Machine backup, this is unwanted.
# ls -adV /timemachine /timemachine/* /timemachine/*/*plist
drwxrwx--- 4 root users 4 Dec 5 16:58 /timemachine
    owner@:rwxp-DaARWcCos:-------:allow
    group@:rwxp-Da-R-c--s:-------:allow
    everyone@:------a-R-c--s:-------:allow
drwx------+ 4 jca users 11 Dec 5 16:58 /timemachine/MacBook Pro de Joel.sparsebundle
    user:jca:rwxpdDaARWcCos:-------:allow
    groupsid:Local System@:rwxpdDaARWcCos:-------:allow
-rwx------+ 1 jca users 502 Dec 5 16:56 /timemachine/MacBook Pro de Joel.sparsebundle/Info.plist
    user:jca:rwxpdDaARWcCos:-------:allow
    groupsid:Local System@:rwxpdDaARWcCos:-------:allow
-rwx------+ 1 jca users 516 Dec 5 16:58 /timemachine/MacBook Pro de Joel.sparsebundle/com.apple.TimeMachine.MachineID.plist
    user:jca:rwxpdDaARWcCos:-------:allow
    groupsid:Local System@:rwxpdDaARWcCos:-------:allow
-rwx------+ 1 jca users 220 Dec 5 16:58 /timemachine/MacBook Pro de Joel.sparsebundle/com.apple.TimeMachine.SnapshotHistory.plist
    user:jca:rwxpdDaARWcCos:-------:allow
    groupsid:Local System@:rwxpdDaARWcCos:-------:allow
I'd like folders to be 0700 and files 0600.
Is there a way to force the files to not be created executable?
Thanks.
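Gea's list of inheritance scopes in the reply above and Joel's `ls -adV` listing can both be checked mechanically. The following Python is an added example written for this page, not code from the thread or from napp-it: it parses the compact ACE format that `ls -V` prints on illumos, maps the f/d/i inheritance letters to the Windows "applies to" labels from Gea's list, and reports the files whose allow ACEs contain the execute bit that Joel wants to avoid. The sample listing is copied (abridged to two files) from Joel's post; the class and function names are my own.

```python
# Added example, not code from the thread: parse the compact NFSv4 ACL lines that
# `ls -V` prints on illumos, map the inheritance field to the Windows "applies to"
# wording used above, and report files whose allow ACEs grant execute.
from dataclasses import dataclass, field

# Compact permission letters in the order ls -V prints them (14 positions).
PERM_LETTERS = {
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "d": "delete", "D": "delete_child", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}
# Windows "applies to" choices as sets of the f/d/i letters (file_inherit,
# dir_inherit, inherit_only); the n/S/F/I positions do not change the scope.
APPLIES_TO = {
    frozenset(): "this folder only",
    frozenset("fd"): "this folder, subfolders and files",
    frozenset("d"): "this folder and subfolders",
    frozenset("f"): "this folder and files",
    frozenset("fdi"): "subfolders and files only",
    frozenset("di"): "subfolders only",
    frozenset("fi"): "files only",
}

@dataclass
class Ace:
    who: str       # owner@, group@, everyone@, user:NAME, groupsid:NAME@ ...
    perms: str     # 14-letter compact field, "-" where a permission is absent
    inherit: str   # 7-letter compact field: f d i n S F I
    kind: str      # "allow" or "deny"

    def grants(self, letter):
        """True for an allow ACE whose permission field contains the letter."""
        return self.kind == "allow" and letter in self.perms

    def permission_names(self):
        return [PERM_LETTERS[c] for c in self.perms if c != "-"]

    def applies_to(self):
        flags = frozenset(c for c in self.inherit if c in "fdi")
        return APPLIES_TO.get(flags, "no Windows equivalent")

@dataclass
class Entry:
    path: str
    is_dir: bool
    aces: list = field(default_factory=list)

def parse_ls_v(text):
    """Turn ls -V output into Entry objects; ACE lines attach to the file above them."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] in "d-" and len(line.split()) >= 9:
            # ls -l header: mode links owner group size month day time path
            mode, *_, path = line.split(None, 8)
            entries.append(Entry(path=path, is_dir=mode.startswith("d")))
        else:
            who, perms, inherit, kind = line.rsplit(":", 3)
            entries[-1].aces.append(Ace(who, perms, inherit, kind))
    return entries

def files_granted_execute(entries):
    """Map each regular file to the principals whose allow ACE includes execute."""
    hits = {}
    for e in entries:
        if not e.is_dir:
            who = [a.who for a in e.aces if a.grants("x")]
            if who:
                hits[e.path] = who
    return hits

# Sample input: the ls -adV listing from the post above, abridged to two files.
SAMPLE = """\
drwxrwx--- 4 root users 4 Dec 5 16:58 /timemachine
    owner@:rwxp-DaARWcCos:-------:allow
    group@:rwxp-Da-R-c--s:-------:allow
    everyone@:------a-R-c--s:-------:allow
drwx------+ 4 jca users 11 Dec 5 16:58 /timemachine/MacBook Pro de Joel.sparsebundle
    user:jca:rwxpdDaARWcCos:-------:allow
    groupsid:Local System@:rwxpdDaARWcCos:-------:allow
-rwx------+ 1 jca users 502 Dec 5 16:56 /timemachine/MacBook Pro de Joel.sparsebundle/Info.plist
    user:jca:rwxpdDaARWcCos:-------:allow
    groupsid:Local System@:rwxpdDaARWcCos:-------:allow
-rwx------+ 1 jca users 516 Dec 5 16:58 /timemachine/MacBook Pro de Joel.sparsebundle/com.apple.TimeMachine.MachineID.plist
    user:jca:rwxpdDaARWcCos:-------:allow
    groupsid:Local System@:rwxpdDaARWcCos:-------:allow
"""

if __name__ == "__main__":
    for path, who in files_granted_execute(parse_ls_v(SAMPLE)).items():
        print(f"execute granted on file {path} to: {', '.join(who)}")
```

Run against the listing, it reports both plist files as executable for `user:jca` and `groupsid:Local System@`, and every ACE in the listing maps to "this folder only" because its inheritance field is all dashes; pipe real `ls -adV` output into `parse_ls_v` to audit a whole share the same way.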
On 02/12/2023 at 21:24, Guenther Alka wrote:
Small correction for inheritance on the create files and folders ACL (TM
wants to create subfolders)
If you want to separate backups from several users you can use the
following three NFS v4 acl rules.
If you have a Windows machine, you can set the ACL from there (easier
than the console, or use my napp-it) as Windows ntfs ACLs are quite
identical to NFS v4 ACLs apart from deny rules.
*on shared folder*
- allow read to this folder only for everyone with inheritance
disabled (to give access to share)
- allow creation of files and folders for everyone to this folder
only with inheritance enabled (to allow backups)
When a user creates a folder via TM backup he is the owner.
You can use this to add rights for his own backup:
- allow owner full or modify permissions with inheritance to files
and folders
Set nbmand and oplock to on, aclinherit to passthrough (ZFS properties)
Gea
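To make the three rules concrete, here is an added Python example (mine, not from Gea or from napp-it) that renders them in the chmod(1) ACE syntax of illumos together with the two ZFS properties named above, validating every permission and inheritance name before anything is emitted. The mount point /timemachine and the dataset rpool/timemachine come from the thread; the function names are assumptions.

```python
# Added example, not code from the thread: render the three NFSv4 ACL rules for
# the shared folder in illumos chmod(1) ACE syntax, plus the ZFS properties
# named in the post, validating every permission and inheritance name first.
SHARE = "/timemachine"           # share mount point used in the thread
DATASET = "rpool/timemachine"    # dataset name used in the thread

# Access permission names accepted by chmod(1) on illumos, plus the predefined sets.
PERMISSIONS = {
    "read_data", "list_directory", "write_data", "add_file", "append_data",
    "add_subdirectory", "read_xattr", "write_xattr", "execute", "delete_child",
    "read_attributes", "write_attributes", "delete", "read_acl", "write_acl",
    "write_owner", "synchronize",
    "full_set", "modify_set", "read_set", "write_set",
}
# Inheritance flag names and their letter form, in the order chmod prints them.
INHERIT = {"file_inherit": "f", "dir_inherit": "d", "inherit_only": "i", "no_propagate": "n"}

def ace(who, perms, inherit=(), kind="allow"):
    """One ACE in chmod A= syntax, e.g. owner@:full_set:fd:allow."""
    if not perms:
        raise ValueError("an ACE needs at least one permission")
    unknown = [p for p in perms if p not in PERMISSIONS]
    if unknown:
        raise ValueError(f"unknown permission(s): {unknown}")
    bad_flags = [f for f in inherit if f not in INHERIT]
    if bad_flags:
        raise ValueError(f"unknown inheritance flag(s): {bad_flags}")
    if kind not in ("allow", "deny"):
        raise ValueError(f"ACE type must be allow or deny, not {kind!r}")
    fields = [who, "/".join(perms)]
    flags = "".join(letter for name, letter in INHERIT.items() if name in inherit)
    if flags:                      # the inheritance field is omitted when empty
        fields.append(flags)
    fields.append(kind)
    return ":".join(fields)

def share_folder_acl():
    """The three rules from the post, in the order they are listed there."""
    return [
        # 1. everyone may read the shared folder itself; no inheritance, so
        #    the rule does not spread into the backups created below it
        ace("everyone@", ["read_set"]),
        # 2. everyone may create files and folders here; inherited, because
        #    Time Machine creates its own subfolders (the post's correction)
        ace("everyone@", ["add_file", "add_subdirectory"], ["file_inherit", "dir_inherit"]),
        # 3. whoever created a file or folder (its owner) gets full control
        #    over it, inherited to the files and folders inside it
        ace("owner@", ["full_set"], ["file_inherit", "dir_inherit"]),
    ]

def commands():
    """Commands to run on the illumos host for the assumed dataset and mount point."""
    return [
        f"zfs set nbmand=on {DATASET}",
        f"zfs set aclinherit=passthrough {DATASET}",
        f"chmod A={','.join(share_folder_acl())} {SHARE}",
    ]

if __name__ == "__main__":
    print("\n".join(commands()))
```

Two points worth keeping in mind when applying the output: `chmod A=` replaces the whole ACL of the folder rather than appending to it, and NFSv4 ACEs are evaluated in order, so the sequence returned by `share_folder_acl()` is the sequence the server will consult. The oplock setting from the post is a property of the SMB service, not of the dataset, so it is not emitted here.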
Hi,
I could manage to publish an SMB share to be used with Time Machine
but I still can't figure out which are the right permissions to set
up. I read
https://docs.oracle.com/cd/E36784_01/html/E36835/ftyxi.html,
created an smbuser group and two users, smbuser1 and smbuser2, both
belonging to the smbuser group. The dataset is called rpool/timemachine.
I ended up setting `chmod 1777 /timemachine`, which allowed both
users to create a backup. But that feels like too many
permissions to me. And as chmod breaks ACL inheritance, I
understand that I should not use this.
What would be the proper ACL set to apply to get something like:
any user from the smbuser group can create/delete/rename their own
files and subdirectories, but can't read/modify others'?
Thanks.
--
Guenther Ernst Alka
Dipl.-Ing (FH)
------------------------------------------
illumos: illumos-discuss
Permalink:
https://illumos.topicbox.com/groups/discuss/Te31e27e278d377ff-M62e6f7e5066756bd3a30d05d
Delivery options: https://illumos.topicbox.com/groups/discuss/subscription