-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >>>>> "Philip" == Philip S Tellis <Philip> writes:
Philip> On Tue, 22 Jul 2003, Raj Mathur wrote: >> I won't go into the details of the testing phase. Suffice it >> to say Philip> but could you put the details of your testing up on a Philip> website near here... it would be good from a <puts on Philip> running shoes> QA pov <runs>. We'd already done most of the actual file-sharing testing with the earlier (NT-based) domain controllers, so this time it was primarily access testing. Some of the things we did: - - Set 2770 on directories, and then check whether (a) files were created with the correct modes and ownership and (b) whether a file created by one user of a group was writable by other users in the group or not. The 2 in 2770 forces the directory to pass permissions (file/directory modes) and group ownership downward. In other words, if you have a directory with mode 2770, all files created in it will belong to the group the directory belongs to, and directories created under it will also have identical ownership and permissions. - - Set the ACLs through Linux and check the access control. Linux has getfacl and setfacl for respectively getting the current ACLs on a file or directory and setting them to a desired value. We set ACLs for users and groups on directories and files to which those users/groups otherwise didn't have access, and checked that they could access the files afterwards. I must say that XFS ACLs are very comprehensive. For instance, you have the concept of a default ACL for a directory, which propagates downward just like the 2xxx bit on a regular filesystem directory mode. getfacl and setfacl also are quite comprehensive and fortunately easily scriptable. E.g. one of the aforementioned shell scripts descended a directory tree and automatically set the default ACLs for all directories to their current ACL, after mangling the current ACLs a bit. - - Set ACLs through Winduhs and check the result. This was quite similar -- we'd first check if the Linux (XFS) ACLs that actually got applied appeared to match what had been set through Winduhs, and then test the share with different users and groups. You can set fine0grained access control in Winduhs by right-clicking on a file name, selecting Properties and selecting the Security tab. Only works with NT, 2000 & co, not with 95 or 98. - - AD testing was pretty straightforward. Once Winbind managed to display us the AD users and groups we didn't really have to test very much. Samba sets supplementary groups under certain conditions, so verifying that took a simple cat /proc/<pid>/status, which shows you the primary user and group and supplementary groups of the smbd process associated with a particular share in use. Regards, - -- Raju - -- Raj Mathur [EMAIL PROTECTED] http://kandalaya.org/ GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F It is the mind that moves -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: Processed by Mailcrypt 3.5.6 and Gnu Privacy Guard <http://www.gnupg.org/> iD8DBQE/HOgKyWjQ78xo0X8RAl/SAJ41oYb1OFwV669tIAyS6E48mXj0GwCglaWO H6g7hhbu5SEhNoUFWZNBYn8= =K9wH -----END PGP SIGNATURE----- _______________________________________________ ilugd mailing list [EMAIL PROTECTED] http://frodo.hserus.net/mailman/listinfo/ilugd