On 05/05/99 15:53:45 you wrote:
In message 7F608EC0BDE6D111B53A00805FA7F7DA03A83938@TAHOE.netapp.com, "Muh lestein, Mark" writes:
A mixed qtree already works exactly as you want it to. In a mixed qtree the security of a file is based on the last security-setting operation. If an A CL is set which denies you access, but you still need to do something with a file, then as root you can change the security on any files/dirs in that qtree (using chmod, chown, or chgrp), which changes the security-style to UNIX. After that,
Ok, so far I've read this alot. No maybe I'm missing something 'cause I get the following errors trying to put it into practice.
What errors? These are exactly correct.
Here's a test on a directory w/ NTFS permissions allowing only full control to the owner:
In other words, you've told NTFS that Administrator can't read the directory or change permissions. All Administrator can do is assume ownership.
root@jagular: fs0/home/kelleher [130] # root@jagular: fs0/home/kelleher [130] # ls -ald test_dir drwx------ 2 kelleher users 4096 May 5 14:47 test_dir root@jagular: fs0/home/kelleher [131] # root@jagular: fs0/home/kelleher [131] # ls -al test_dir test_dir: Permission denied total 8
This is correct; root on UNIX will map as Administrator in the NT realm, so it can't read the directory.
root@jagular: fs0/home/kelleher [132] # root@jagular: fs0/home/kelleher [132] # chown 755 test_dir chown: test_dir: Not owner
Firstly, you should have done chmod, not chown.
Secondly, this would be correct... Administrator (root) does not have permission to change the file permissions.
root@jagular: fs0/home/kelleher [133] # root@jagular: fs0/home/kelleher [133] # chown root test_dir chown: test_dir: Not owner root@jagular: fs0/home/kelleher [134] #
This should have suceeded, if I understand the model correctly. I'm not sure why it didn't; perhaps it's a bug?
I can however su to the UNIX user, chmod it, and then get access to the file:
root@jagular: fs0/home/kelleher [134] # su kelleher jagular% jagular% chmod 755 test_dir jagular% jagular% exit jagular% root@jagular: fs0/home/kelleher [135] # root@jagular: fs0/home/kelleher [135] # ls -al test_dir total 72 drwxr-xr-x 2 kelleher users 4096 May 5 14:47 . drwxr-xr-x 25 kelleher users 32768 May 5 15:25 .. -rwx------ 1 kelleher users 0 May 5 14:47 test_file root@jagular: fs0/home/kelleher [136] # root@jagular: fs0/home/kelleher [136] #
Is this what you mean?
This all makes sense.
those files follow regular UNIX rules, which allows root full access. If the user wants to put an ACL back on afterwards, no problem.
We have found that using ACLs in a mixed qtree can be helpful in a number of situations. That's because ACLs are enforced even for NT Admins and root. For example, we found that some files were being accidentally deleted by root/Admin users, so we put an ACL on those files which allows only READ access to all users. That prevents deleting, even by root or NT Admins. Of course, if we actually want to delete the files we just change the permissions to allow that, since in a mixed qtree both root and NT Admins have a special dispensation tochange the permissions.
Sounds like the problem is too many people with root/Admin access. Your solution only requires these people to take an extra step (give themselves the permissions) before they accidentally mess something up. If I were you I'd work on getting rid of their access. (Not that it's an easy thing to do.)
In my experience many people are unwilling to take this approach, for reasons I can't quite fathom. They would much rather let incompetent people continue to work for them and spend effort trying to keep them from shooting themselves in the foot rather than spending the time to make them competent and/or getting another employee.
Bruce