On Thu, 22 Nov 2001 at 18:35, Rafael 'Dido' Sevilla wrote:
> Someone who insists on using non-Free software! Rick Moen's FAQ
> includes links for Pine-style key bindings for Mutt around...
I know, cousin. I've read and re-read Rick Moen's rants and some other
documents bashing Pine's non-free license. And I agree with all of you,
don't get me wrong on that one. It's just that my darned self can't peel
itself away from this non-free bit of software.
Besides, we're still using a lot of Windows boxes here, so until I've
successfully ported at least the main bulk of our operations to Linux or
some BSD, I'm not pressuring myself to straighten out on this small
impurity. ;>
Which brings me to the real topic of my message.
Has anyone out there successfully worked with either Andreas Gruenbacher's
ext2/ext3 ACL patches, or with XFS's ACLs? I have a fairly simple
requirement but can't, for the life of me, think of a clean way to
implement it using XFS's ACLs.
Allow me to expound on the current setup, hoping someone out there can
knock sense into the braindead me:
We currently have a centralized computer filing system where all data is
in /opt/data. The top (/opt/data) and second level (/opt/data/someshare)
directories are owned by the user root, but the contents are owned by
whoever created the files within. All files are owned by the group staff,
and have the symbolic permissions u=rwX,g=rwX,o=. Only administrators are
part of the group staff, preventing regular users from bypassing Samba's
ACLs and getting to the files via the shell.
Samba shares are then configured with entries similar to this:
    [sharename]
        comment = Hypothetical Share Name
        path = /opt/data/sharename
        create mode = 0660
        directory mode = 0770
        writeable = no
        valid users = +smbadmin,user1,user2
        write list = +smbadmin,user1
        force group = staff
This sets the following effective permissions:
1. Users who are not explicitly listed in the "valid users" directive are
not granted access at all.
2. Users who are in "valid users" but not in "write list" only have
read-only access.
3. Users who are in both "valid users" and "write list" have read-write
access.
The "create mode", "directory mode", and "force group" directives ensure
that all files created follow the filesystem permissions as stated above.
As a backup measure, I have a nightly script that resets the group
ownership and the permissions using chown and chmod with their recursive
flags set.
This all works perfectly, except now I want to migrate the workstations
slowly to Linux. The underlying filesystems are already XFS with ACLs
enabled, and NFS works great. I cannot figure out how to design the XFS
ACLs, though.
Here are some stumbling blocks I've run into:
1. When I create a directory and set the ACLs and default ACLs, then
create a directory or file within that directory, the ACLs are all set
properly. However, when I use chacl or setfacl to set a directory's ACL
bits, I cannot find an alternative to chmod's "X" bit, which only makes a
file executable if it was previously executable or is a directory. All the
files in the directory become executable to users who have access to them
and this is, to say the least, ugly with Bash's coloring (which makes them
all green). It's also possible that this will create some sort of security
problem later on, but that's not so clear to me yet.
2. When you move a file from somewhere else, the file's ACLs and
permissions are retained, which essentially messes things up. Note that
this is the same behavior with the ownerships and permissions on a
filesystem without ACLs.
3. Right now I find no straightforward way to simply add or remove a
particular ACL permission. I have to list a directory's ACLs, then re-do
them, and run into my problem in (1).
I see a number of things I can do:
1. I can write to PLUG to ask for help. I'm doing that now. ;>
2. I can ask on the XFS mailing list. I've done that already but am
thinking twice if I should ask again (rephrasing myself of course, hoping
that my new phrasing will help them understand my situation) because the
XFS developers are spread thin and I don't want to add any unnecessary
load.
3. I can continue to use Samba, but I need to find a decent way (read:
GUI) that users can mount Samba shares that they need ala "mapping a
network drive" in Windows.
Anyone have comments? Thanks a lot in advance! :)
--> Jijo
--
Federico Sevilla III :: [EMAIL PROTECTED]
Network Administrator :: The Leather Collection, Inc.
GnuPG Key: <http://jijo.leathercollection.ph/jijo.gpg>
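
An added example, not part of the original message: a dry-run sketch that maps the share's "valid users" and "write list" onto one setfacl spec and prints the commands instead of running them. It assumes a current acl package whose setfacl accepts the conditional X permission, -m to modify entries and -x to remove one; the function names and the named g:staff entry are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): Samba share lists -> POSIX ACL spec.

# acl_entry NAME PERMS: Samba's "+name" means a group, anything else a user.
acl_entry() {
    case "$1" in
        +*) printf 'g:%s:%s' "${1#+}" "$2" ;;
        *)  printf 'u:%s:%s' "$1" "$2" ;;
    esac
}

# in_list ITEM "a,b,c": succeeds when ITEM is one element of the comma list.
in_list() {
    case ",$2," in *",$1,"*) return 0 ;; *) return 1 ;; esac
}

# share_acl_spec VALID WRITE: one ACL spec for the whole share.
# Names not in VALID get no entry, so they fall through to o::--- (no access).
share_acl_spec() {
    spec='g:staff:rwX,o::---'          # administrators' group, nobody else
    for name in $(echo "$1" | tr ',' ' '); do
        if in_list "$name" "$2"; then perms=rwX; else perms=r-X; fi
        spec="$spec,$(acl_entry "$name" "$perms")"
    done
    printf '%s\n' "$spec"
}

# share_acl_commands DIR VALID WRITE: print the commands for review.
share_acl_commands() {
    spec=$(share_acl_spec "$2" "$3")
    # X grants execute only on directories and already-executable files,
    # like chmod's X, so plain data files do not become executable.
    printf 'setfacl -R -m %s %s\n' "$spec" "$1"
    # Default ACLs exist only on directories; new files inherit from them.
    printf 'find %s -type d -exec setfacl -d -m %s {} +\n' "$1" "$spec"
}

# share_acl_revoke DIR NAME: drop one entry without rewriting the others.
share_acl_revoke() {
    entry=$(acl_entry "$2" '')
    printf 'setfacl -R -x %s %s\n' "${entry%:}" "$1"
}

share_acl_commands /opt/data/sharename '+smbadmin,user1,user2' '+smbadmin,user1'
share_acl_revoke /opt/data/sharename user2
```

Review the printed commands before piping them to a shell; getfacl on the share shows the resulting entries and the recalculated mask.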