VMSysAdmin

When you need another brain

Using zfs ACLs to protect CIFS shares on OpenSolaris

with 3 comments

So you have created your cifs share and joined the AD domain. Now you want your domain users to have write access to the share.

This is what worked for me:

I’ve created smbusers group on Solaris:

# groupadd smbusers

Set up idmap to map your domain users to smbusers unix group, and map an administrator user to root user (so administrator is able to have full control). I’ve also added the line to map existing windows users to unix users, otherwise the system will use ephemeral UIDs.

idmap add winuser:*@vmsysadmin.com unixuser:*
idmap add winuser:administrator@vmsysadmin.com unixuser:root
idmap add “wingroup:Domain Users@vmsysadmin.com” unixgroup:smbusers

Now nuke the permissions on the cifs share, we will create our own:
# chmod A- /spool/cifs1

# ls -vd /spool/cifs1
drwxr-xr-x 2 root root 2 Jan 18 11:37 /spool/cifs1
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
2:group@:add_file/write_data/add_subdirectory/append_data:deny
3:group@:list_directory/read_data/execute:allow
4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow

Note that root (and domain administrator) has full access, but your smbusers do not have permissions to write or read the directories created by domain admin. If you want everyone to read the directories and files created by administrator, change the #5 ACL entry to propagate the permissions to the lower levels:

# chmod A5=everyone@:list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:file_inherit/dir_inherit:allow /spool/cifs1

Now your users are able to read eveything in /spool/cifs. If you want your users to create and delete each other’s files, simply change group ownership and allow group to write:

# chgrp smbusers /spool/cifs1
# chmod g+w /spool/cifs1

I’d like to have a more precise permissions control though – users can only delete own files, but can read everything, and administrator can delete everything.

So we will not allow a simple group write, but instead will use ACLs for finer control.

Clear existing extended permissions
# chmod A- /spool/cifs1

# ls -vd /spool/cifs1
drwxr-xr-x 3 root root 4 Jan 18 13:40 /spool/cifs1
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
2:group@:add_file/write_data/add_subdirectory/append_data:deny
3:group@:list_directory/read_data/execute:allow
4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow

Allow owner to create/delete objects and propagate the inheritance of owner’s ACLs
# chmod A1=owner@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/delete_child/write_attributes/delete/write_acl/write_owner:file_inherit/dir_inherit:allow /spool/cifs1

Allow smbusers group (mapped to Domain Users) to write to the top cifs share.
# chmod A2+group:smbusers:add_file/write_data/add_subdirectory/append_data:allow /spool/cifs1

Deny smbusers permissions to delete other users’ data
# chmod A2+group:smbusers:delete_child/delete:file_inherit/dir_inherit:deny /spool/cifs1

Allow everyone to read everything.
# chmod A7=everyone@:list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:file_inherit/dir_inherit:allow /spool/cifs1

Your directory should look like this:
# ls -vd /spool/cifs1
drwxr-xr-x+ 2 root root 2 Jan 18 14:13 /spool/cifs1
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/delete_child/write_attributes
/delete/write_acl/write_owner:file_inherit/dir_inherit:allow
2:group:smbusers:delete_child/delete:file_inherit/dir_inherit:deny
3:group:smbusers:add_file/write_data/add_subdirectory/append_data:allow
4:group@:add_file/write_data/add_subdirectory/append_data:deny
5:group@:list_directory/read_data/execute:allow
6:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
7:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:file_inherit/dir_inherit:allow

That’s it! Now your users can write, but cannot delete each other’s data. Domain Administrator login has full access to the share and can delete any user’s data.

Advertisements

Written by vmsysadmin

January 18, 2009 at 9:02 pm

Posted in OpenSolaris

Tagged with , , ,

3 Responses

Subscribe to comments with RSS.

  1. Thank you for the post. This works just as advertised and outstanding.

    I was trying to create additional access on directory so user in group (smbusers) could add/write files, but then no one could delete, not owner, not group, nor everyone. That is, set up directory as an archive, once file is added only read is allowed (except for su). Either this is not possible with ACL access privileges or I have them all twisted up. Any ideas?

    Gary

    March 17, 2009 at 9:54 pm

  2. Hi Gary,

    to set up a directory as an archive, simply omit “delete_child” and “delete” attributes from the owner ACL.

    Your owner ACL setup will be as follows:

    chmod A1=owner@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:file_inherit/dir_inherit:allow /spool/cifs1

    Now the smbusers group members will be able to create, but not delete files and folders. Note that administrator account will still be able to delete everything, because it is mapped to the root user.

    I’ve tested this setup and it should work.

    Andrei

    March 18, 2009 at 3:47 am

  3. Thanks again.

    Delete is completely denied with above addition.

    What I can’t seem to get to work is to stop group and owner from editing or updating any file in the directory. No one can delete, but all members can update. I have tried to deny append_data and write_data, but then cannot add files. I would like owners to be able to add files to directory, read, but not change in any way… Not sure this is possible with ZFS ACL?

    Gary

    March 18, 2009 at 4:20 pm


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: