Hi all,

Hi,

I could manage to publish an SMB share to be used with Time Machine
but I still can't figure out which are the right permissions to set
up. I read
https://docs.oracle.com/cd/E36784_01/html/E36835/ftyxi.html [1],
created an smbuser group and two users, smbuser1 and smbuser2, both
belonging to the smbuser group. The dataset is called
rpool/timemachine.

I ended up setting `chmod 1777 /timemachine` which allowed both
users to be used to create a backup. But that feels a bit too many
permissions for me. And as chmod breaks ACL inheritance, I
understand that I should not use this.

What would be the proper ACL set to apply to get something like:
any users from the smbuser group can create/delete/rename their own
files and subdirectories, but can't read/modify others'?


A few years back, I transferred a large amount of existing data onto ZFS datasets and used the following commands to update the permissions. Basically I have things set so that user and group have full access to files and directories and other users merely have the ability to see that the files exist (but can't read the file contents, nor create new data). These ACLs also set inheritance so that the permission sets follow for newly created files and directories. I have a share set up for Time Machine using these ACLs and it seems to work properly for me.


find . -type d -exec /usr/bin/chmod A=owner@:rwxpdDaARWcCos:dI:allow,owner@:rwpdDaARWcCos:fI:allow,group@:rwxpdDaARWcCos:dI:allow,group@:rwpdDaARWcCos:fI:allow,everyone@:r-x---a-R-c--s:dI:allow,everyone@:r-----a-R-c--s:fI:allow {} \;

find . -type f -exec /usr/bin/chmod A=owner@:rwpdDaARWcCos:f:allow,group@:rwxpdDaARWcCos:dI:allow,group@:rwpdDaARWcCos:f:allow,everyone@:r-----a-R-c--s:f:allow {} \;


I use the following document as the "secret decoder ring" for understanding the permissions.

https://docs.oracle.com/cd/E18752_01/html/819-5461/gbacb.html#gbbht

Hope this is of use!

Best,

Bill
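
The compact ACL strings in the commands above pack one letter per permission and per inheritance flag. As an added example (not part of the original posts), this Python decoder expands them into the long names used in the Oracle ZFS ACL documentation, so each entry can be checked against the intended policy before it is applied. The two ACL strings are copied from the commands above; the function names are my own, and deny-entry ordering is not modelled.

```python
# Added example: decode compact NFSv4 ACL specs as passed to illumos/Solaris chmod.
PERMS = {
    "r": "read_data/list_directory", "w": "write_data/add_file", "x": "execute",
    "p": "append_data/add_subdirectory", "d": "delete", "D": "delete_child",
    "a": "read_attributes", "A": "write_attributes", "R": "read_xattr",
    "W": "write_xattr", "c": "read_acl", "C": "write_acl",
    "o": "write_owner", "s": "synchronize",
}
FLAGS = {"f": "file_inherit", "d": "dir_inherit", "i": "inherit_only",
         "n": "no_propagate", "S": "successful_access",
         "F": "failed_access", "I": "inherited"}

# ACL strings copied from the two find/chmod commands in the reply above.
DIR_ACL = ("A=owner@:rwxpdDaARWcCos:dI:allow,owner@:rwpdDaARWcCos:fI:allow,"
           "group@:rwxpdDaARWcCos:dI:allow,group@:rwpdDaARWcCos:fI:allow,"
           "everyone@:r-x---a-R-c--s:dI:allow,everyone@:r-----a-R-c--s:fI:allow")
FILE_ACL = ("A=owner@:rwpdDaARWcCos:f:allow,group@:rwxpdDaARWcCos:dI:allow,"
            "group@:rwpdDaARWcCos:f:allow,everyone@:r-----a-R-c--s:f:allow")

def _names(letters, table):
    bad = [c for c in letters if c != "-" and c not in table]
    if bad:
        raise ValueError(f"unknown letter(s) {bad} in {letters!r}")
    return [table[c] for c in letters if c != "-"]

def parse_ace(ace):
    parts = ace.strip().split(":")
    n = 2 if parts[0] in ("user", "group") else 1    # user:NAME / group:NAME
    who, rest = ":".join(parts[:n]), parts[n:]
    if len(rest) not in (2, 3) or rest[-1] not in ("allow", "deny"):
        raise ValueError(f"malformed ACE: {ace!r}")
    flags = rest[1] if len(rest) == 3 else ""         # flags field is optional
    return {"who": who, "type": rest[-1],
            "perms": _names(rest[0], PERMS), "flags": _names(flags, FLAGS)}

def parse_acl(spec):
    return [parse_ace(a) for a in spec.removeprefix("A=").split(",")]

def grants(spec, who):
    """Union of permissions in allow entries for `who` (deny ordering not modelled)."""
    return {p for ace in parse_acl(spec)
            if ace["who"] == who and ace["type"] == "allow" for p in ace["perms"]}

if __name__ == "__main__":
    for label, spec in (("directories", DIR_ACL), ("files", FILE_ACL)):
        print(label)
        for ace in parse_acl(spec):
            print(f"  {ace['who']:<10} {ace['type']:<5} {', '.join(ace['perms'])}"
                  f"  [{', '.join(ace['flags'])}]")
```

Running it prints one line per entry; `grants(FILE_ACL, "everyone@")` returns the set of rights that users outside the owner and group receive on files.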

------------------------------------------
illumos: illumos-discuss
Permalink: 
https://illumos.topicbox.com/groups/discuss/Te31e27e278d377ff-M0287bc48ebff1961a8044e83