-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "Philip" == Philip S Tellis <Philip> writes:

    Philip> On Tue, 22 Jul 2003, Raj Mathur wrote:

    >> I won't go into the details of the testing phase.  Suffice it
    >> to say

    Philip> but could you put the details of your testing up on a
    Philip> website near here... it would be good from a <puts on
    Philip> running shoes> QA pov <runs>.

We'd already done most of the actual file-sharing testing with the
earlier (NT-based) domain controllers, so this time it was primarily
access testing.  Some of the things we did:

- - Set 2770 on directories, and then check whether (a) files were
created with the correct modes and ownership and (b) whether a file
created by one user of a group was writable by other users in the
group or not.  The 2 in 2770 forces the directory to pass permissions
(file/directory modes) and group ownership downward.  In other words,
if you have a directory with mode 2770, all files created in it will
belong to the group the directory belongs to, and directories created
under it will also have identical ownership and permissions.

- - Set the ACLs through Linux and check the access control.  Linux has
getfacl and setfacl for respectively getting the current ACLs on a
file or directory and setting them to a desired value.

We set ACLs for users and groups on directories and files to which
those users/groups otherwise didn't have access, and checked that they
could access the files afterwards.

I must say that XFS ACLs are very comprehensive.  For instance, you
have the concept of a default ACL for a directory, which propagates
downward just like the 2xxx bit on a regular filesystem directory
mode.  getfacl and setfacl also are quite comprehensive and
fortunately easily scriptable.  E.g. one of the aforementioned shell
scripts descended a directory tree and automatically set the default
ACLs for all directories to their current ACL, after mangling the
current ACLs a bit.

- - Set ACLs through Winduhs and check the result.  This was quite
similar -- we'd first check if the Linux (XFS) ACLs that actually got
applied appeared to match what had been set through Winduhs, and then
test the share with different users and groups.  You can set
fine-grained access control in Winduhs by right-clicking on a file
name, selecting Properties and selecting the Security tab.  Only works
with NT, 2000 & co, not with 95 or 98.

- - AD testing was pretty straightforward.  Once Winbind managed to
display us the AD users and groups we didn't really have to test very
much.  Samba sets supplementary groups under certain conditions, so
verifying that took a simple cat /proc/<pid>/status, which shows you
the primary user and group and supplementary groups of the smbd
process associated with a particular share in use.

Regards,

- -- Raju
- -- 
Raj Mathur                [EMAIL PROTECTED]      http://kandalaya.org/
       GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
                      It is the mind that moves
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.6 and Gnu Privacy Guard <http://www.gnupg.org/>

iD8DBQE/HOgKyWjQ78xo0X8RAl/SAJ41oYb1OFwV669tIAyS6E48mXj0GwCglaWO
H6g7hhbu5SEhNoUFWZNBYn8=
=K9wH
-----END PGP SIGNATURE-----
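
The first test described in the message above (mode 2770 directories: group inheritance and group-writability), written as an added example that is not part of the original post. The function names `audit_shared_tree` and `build_sample_share` are hypothetical, and the sample tree is constructed for the demonstration; it assumes a Linux filesystem where new subdirectories inherit the setgid bit.

```shell
#!/bin/sh
# audit_shared_tree DIR
# Walks a group-shared tree and prints one line per finding:
#   NO-SETGID           directory without the 2xxx bit (new files may get the wrong group)
#   WRONG-GROUP         entry whose group differs from the top directory's
#   NOT-GROUP-WRITABLE  file other members of the group cannot modify
# Returns 0 if the tree is clean, 1 if there are findings, 2 on bad input.
audit_shared_tree() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # Numeric GID of the top directory; ls -n avoids group names that
    # contain spaces, which winbind-mapped AD groups often do.
    gid=$(ls -ldn "$root" | awk '{print $4}')
    findings=$(
        find "$root" -type d ! -perm -2000 | sed 's/^/NO-SETGID /'
        find "$root" ! -group "$gid"       | sed 's/^/WRONG-GROUP /'
        find "$root" -type f ! -perm -020  | sed 's/^/NOT-GROUP-WRITABLE /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: a 2770 share containing two deliberate defects.
# Prints the path of the temporary tree it created.
build_sample_share() {
    d=$(mktemp -d) || return 1
    chmod 2770 "$d"
    # Created with a group-friendly umask: file is 0660, sub inherits setgid.
    ( umask 007; : > "$d/ok.txt"; mkdir "$d/sub" )
    # Created with a restrictive umask: 0644, so the group cannot write.
    ( umask 022; : > "$d/sub/readonly.txt" )
    # Directory whose inherited setgid bit was removed afterwards.
    # (g-s is used because GNU chmod keeps the bit on a plain "0770".)
    mkdir "$d/stripped" && chmod g-s "$d/stripped"
    echo "$d"
}
```

The `NOT-GROUP-WRITABLE` finding shows that the setgid bit alone only fixes group ownership; whether another group member can write a file still depends on the creating process's umask (or, for files created through Samba, its mask settings).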
