Hi everyone,
I hope the developers will not mind my revisiting of ACL implementation on
XFS. A little overview: the current system has an entire tree of data
shared via a Samba server without ACLs, but handling its own "fine
grained" permissions via the "valid users", "read list", and "write list"
parameters defined per share. I am attempting to migrate this system so
that there will be fine-grained permissions via XFS ACLs, to be shared via
both Samba and NFS simultaneously.
My initial thought was to create two groups per existing Samba share:
share-ro, share-rw. This assumes that the shares are not world-readable
and/or world-writable, but I will have to tackle that (these are rough
thoughts). Then I can use ACLs to provide the read-only and read-write
permissions for these two groups. One major drawback I noticed with this,
though, is that changes to the groups are not implemented immediately.
This can be bad in a number of situations.
Skipping the groups altogether and listing the users one-by-one in the
ACLs is a stricter way of implementing things. I do not know how this can
be managed in the long-term, though. With pure Samba, I just had to read
the smb.conf and make sure that the "ACLs" there were correct. A Samba
reload immediately effected the changes.
I was thinking of creating some script, that would store the ACLs for each
share, so that it is this that can be checked periodically to make sure
that the permissions are correct. When paranoid, this script (which
contains the ACLs) could be run, which would then "synchronize" the actual
ACLs with those stored on-script. I'm not quite sure how to attack this,
though, and do not know if this is really how ACLs are supposed to be
managed.
I'm sure ACLs are not new to XFS, although both ACLs as well as XFS are
relatively new to Linux. Maybe someone out there has done a similar
medium-scale (I don't consider this setup large-scale) implementation of
ACLs? I am completely in the dark as far as how this is done "the right
way".
As far as Samba and ACLs are concerned, I'm even more in the dark. I've
read that with ACL support certain Windows-based ACL editing tools can be
used. Are there any other benefits aside from this?
These aren't directly XFS-related anymore, but I am hoping that someone on
the list has done something like this and is willing to share some light
with a newbie (as far as ACLs are concerned).
Also I noticed that the recently-implemented recursion of chacl can't be
compounded with say, '-b' to recursively set both default as well as file
access permissions. I'm not complaining, though, as thanks to previous
responders I've found out that I can use find and/or find + xargs to do
the recursion work.
Thanks in advance!
--> Jijo
--
Federico Sevilla III :: jijo@xxxxxxxxxxxxxxxxxxxx
Network Administrator :: The Leather Collection, Inc.
GnuPG Key: <http://www.leathercollection.ph/jijo.gpg>
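
The periodic check described in the post (a stored copy of each share's ACLs compared against what is actually on disk) can be sketched as follows. This is an added example, not part of the original message; it assumes the ACLs are dumped in the text format printed by `getfacl -R` (the post itself only mentions chacl), and the share path, the `sales-ro`/`sales-rw` groups and `tempuser` are constructed sample values following the post's share-ro/share-rw scheme.

```python
# Constructed sample: the stored manifest for one share, in `getfacl -R` format.
DESIRED = """\
# file: srv/shares/sales
# owner: root
user::rwx
group::---
group:sales-ro:r-x
group:sales-rw:rwx
mask::rwx
other::---
"""

# Constructed sample: the same share after someone hand-edited its ACL.
ACTUAL = """\
# file: srv/shares/sales
# owner: root
user::rwx
user:tempuser:rwx
group::---
group:sales-rw:rwx
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Return {path: set of ACL entries} from getfacl-style text."""
    acls, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# file: "):
            path = line[len("# file: "):]
            acls[path] = set()
        elif line and not line.startswith("#") and path is not None:
            acls[path].add(line.split("#")[0].strip())  # drop "#effective:" notes
    return acls

def acl_drift(desired_text, actual_text):
    """Return {path: (missing, unexpected)} for every path whose ACL differs."""
    desired, actual = parse_getfacl(desired_text), parse_getfacl(actual_text)
    drift = {}
    for path in sorted(set(desired) | set(actual)):
        want, have = desired.get(path, set()), actual.get(path, set())
        if want != have:
            drift[path] = (sorted(want - have), sorted(have - want))
    return drift

if __name__ == "__main__":
    for path, (missing, unexpected) in acl_drift(DESIRED, ACTUAL).items():
        print(path, "missing:", missing, "unexpected:", unexpected)
```

On a real tree, the manifest would be a saved `getfacl -R` dump of the share and the second input a fresh dump taken the same way; `setfacl --restore=FILE` reapplies a saved dump when drift is found.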