I've banged my head against MS Windows ACLs and Solaris CIFS/ZFS filesystems for
multiple hours before giving up--my guess is that either the implementation was
broken or the concepts are just too complicated to work out the combination that
works for both Windows and Solaris users. Here's a less-than-ideal
script I run from cron to keep permissions open and usable for Solaris users.
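#! /bin/ksh
# Fix permissions on network drive
#
# Resets ownership and the ACL of every file and directory under $BASEDIR.
# Takes no arguments other than -h (print help and exit).
#
# Security notes:
#  - everyone@ receives write_data/append_data/delete on every file and
#    directory, so the whole tree ends up writable by any user. Point
#    BASEDIR only at data for which that is acceptable.
#  - chown normally needs privileges, so this presumably runs as root while
#    the tree itself is writable by ordinary users. Symbolic links created
#    inside the tree must therefore never be followed; see the ownership and
#    inheritance steps below.
#
MYNAME="fix-network-perms"
DESIRED_OWNER_GROUP="samba:dano"
BASEDIR=/putYourNetworkDirectoryNameHere
# built-in shell chmod doesn't handle NTFS-style ACLs:
CHMOD=/usr/bin/chmod
#
# Permissions
# All permissions (kept as a reference only; every line must stay a comment,
# otherwise the shell tries to run the permission list as a command):
#
# read_data/write_data/append_data/read_xattr/write_xattr/execute/
# delete_child/read_attributes/write_attributes/delete/read_acl/write_acl/
# write_owner/synchronize:allow
#
# Owner keeps write_acl; group and everyone do not. Nobody gets write_owner.
FILE_OWNER_PERM="read_data/write_data/append_data/read_xattr/write_xattr/read_attributes/write_attributes/delete/read_acl/write_acl/synchronize:allow"
FILE_GROUP_PERM="read_data/write_data/append_data/read_xattr/write_xattr/read_attributes/write_attributes/delete/read_acl/synchronize:allow"
FILE_EVERYONE_PERM="read_data/write_data/append_data/read_xattr/write_xattr/read_attributes/write_attributes/delete/read_acl/synchronize:allow"
#
# For directory permissions, add execute/delete_child:
DIR_OWNER_PERM="read_data/write_data/append_data/read_xattr/write_xattr/execute/delete_child/read_attributes/write_attributes/delete/read_acl/write_acl/synchronize:allow"
DIR_GROUP_PERM="read_data/write_data/append_data/read_xattr/write_xattr/execute/delete_child/read_attributes/write_attributes/delete/read_acl/synchronize:allow"
DIR_EVERYONE_PERM="read_data/write_data/append_data/read_xattr/write_xattr/execute/delete_child/read_attributes/write_attributes/delete/read_acl/synchronize:allow"

if [ "$1" = '-h' ] ; then
  echo "Fix file permissions on files under $BASEDIR to be"
  echo " globally readable and owned by $DESIRED_OWNER_GROUP"
  echo "Usage: $MYNAME"
  echo "Example: $MYNAME"
  exit 0
fi

if [ ! -d "$BASEDIR" ] ; then
  echo "Directory $BASEDIR does not exist; exiting" >&2
  exit 1
fi

# Stop if the directory cannot be entered instead of carrying on from
# whatever directory cron started the job in.
cd "$BASEDIR" || exit 1

#---------------------------------------------------------
# Change Inheritance
# Suggested in
# http://blogs.sun.com/timthomas/entry/configuring_the_opensolaris_cifs_server
#
# NOTE(review): every "A=" in the directory and file passes below replaces
# the whole ACL, so the inheritable entries set here look like they are
# overwritten again on all regular files and directories -- confirm that
# this step still has the effect you want.
# NOTE(review): chmod -R may apply the ACL to the target of a symbolic link
# found in the tree; check chmod(1) on your release, and if so replace these
# three calls with find ... \( -type d -o -type f \) as used further down.
"$CHMOD" -R A=owner@:full_set:file_inherit/dir_inherit:allow "$BASEDIR"
"$CHMOD" -R A+group@:read_set/execute:file_inherit/dir_inherit:allow "$BASEDIR"
"$CHMOD" -R A+everyone@:read_set/execute:file_inherit/dir_inherit:allow "$BASEDIR"

#---------------------------------------------------------
# Change Ownership
# One recursive pass is enough; running "chown -R" once per entry found
# re-walks every subtree again and again.
# -h changes a symbolic link itself rather than the file it refers to, so a
# link planted in the share cannot redirect the ownership change to a file
# outside the tree.
chown -hR "$DESIRED_OWNER_GROUP" "$BASEDIR"

#---------------------------------------------------------
# Change Directory permissions
# find does not follow symbolic links by default and -type d / -type f never
# match a link, so these passes only touch real directories and files.
find "$BASEDIR" -type d -exec "$CHMOD" "A=owner@:${DIR_OWNER_PERM}" {} +
find "$BASEDIR" -type d -exec "$CHMOD" "A+group@:${DIR_GROUP_PERM}" {} +
find "$BASEDIR" -type d -exec "$CHMOD" "A+everyone@:${DIR_EVERYONE_PERM}" {} +

#---------------------------------------------------------
# Change File permissions
find "$BASEDIR" -type f -exec "$CHMOD" "A=owner@:${FILE_OWNER_PERM}" {} +
find "$BASEDIR" -type f -exec "$CHMOD" "A+group@:${FILE_GROUP_PERM}" {} +
find "$BASEDIR" -type f -exec "$CHMOD" "A+everyone@:${FILE_EVERYONE_PERM}" {} +
# End of file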