[mdlug] Fw: am I for real - ACLs difficult to administer
David Lee Lambert
dlambert at bmtcarhaul.com
Mon Oct 27 13:07:51 EDT 2008
On Monday 13 October 2008 04:16:06 am Dean Durant wrote:
> This was the situation: HR is 2 people, who needed r/w access to a
> bunch of files. A boss, and a worker. This was non-negotiable. The
> "executive" group of 14 people needed read-only access to the files.
> And "Everyone else" had to be "no access". The server was
> Solaris. But the actual server was a "network appliance" running
> some kind of stripped down unix/linux/bsd kernel and doing nothing but
> file serving. It was exported out via the Solaris box.
Make two groups, "hr" and "hr-friends". Everyone in "hr" is also
in "hr-friends". Put the files inside two levels of directories:
    drwxr-x---  root  hr-friends  /stuff
    drwxrwsr-x  root  hr          /realstuff
> Another scenario that came up: Designers needed r/w access to CAD
> files. Engineers needed read-only. All the sales and marketing
> people they wanted to keep out under all circumstances.
Same solution. I guess it's a kludge, and you have to make sure that groups
are consistent with each other; but it will satisfy the security
requirement.
> In both cases, so far as I could tell, ugo was not good enough.
> Solaris supported acls, but the netapp didn't. Plus everything went
> out to the windows users via samba. Ultimately, it was the version of
> nfs, I learned, being used on the netapp, that didn't support ACLs.
Oh, NetApp? We bought one recently. I understand the license for NFS costs
extra and that even the base system is very expensive. :(
> [...] The netapp
> supports ntfs permissions, nfs, and "mixed". But they don't seem to
> support unix acls as a "native" filesystem.
Well, UNIX ACLs are actually a "withdrawn draft" standard, which I think is
a shame too. :(
--
Software Developer, Precision Motor Transport Group, LLC
Work phone 517-349-3011 x223 * Yahoo! IM: davidleelambert
Cell phone 586-873-8813 * MSN IM: lamber45 at cse.msu.edu
** please send replies to davidl at lmert.com for non-business matters **
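
Added example (not part of the original post): a small Python model of the owner/group/other check, run along the path, showing who ends up with which access under the two-group layout suggested above. Assumptions: /realstuff sits inside /stuff, the file name and its mode 0664 are constructed, and the user names and the "staff" group are hypothetical.

```python
# Model of the classic Unix owner/group/other check applied along a path.
# Constructed sample data: users, file name and file mode are assumptions;
# /realstuff is assumed to live inside /stuff ("two levels of directories").
from dataclasses import dataclass

R, W, X = 4, 2, 1

@dataclass
class Node:
    owner: str
    group: str
    mode: int  # octal mode, e.g. 0o750

def bits(node, user, groups):
    """Return the rwx triplet that applies; the first matching class wins."""
    if user == node.owner:
        return (node.mode >> 6) & 7
    if node.group in groups:
        return (node.mode >> 3) & 7
    return node.mode & 7

def allowed(tree, path, user, groups, want):
    """True if every parent directory grants search (x) and the target grants `want`."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        parent = tree["/" + "/".join(parts[:i])]
        if not bits(parent, user, groups) & X:
            return False
    return (bits(tree[path], user, groups) & want) == want

TREE = {
    "/stuff": Node("root", "hr-friends", 0o750),         # drwxr-x---
    "/stuff/realstuff": Node("root", "hr", 0o2775),      # drwxrwsr-x, setgid: new files get group hr
    "/stuff/realstuff/salaries.txt": Node("root", "hr", 0o664),  # -rw-rw-r--
}
USERS = {
    "hr_worker": {"hr", "hr-friends"},
    "executive": {"hr-friends"},
    "sales": {"staff"},
    "hr_only": {"hr"},  # inconsistent groups: in hr but not in hr-friends
}

def report(path):
    """Map each sample user to 'rw', 'r' or '-' for the given path."""
    return {u: "".join(c for c, b in (("r", R), ("w", W))
                       if allowed(TREE, path, u, g, b)) or "-"
            for u, g in USERS.items()}

if __name__ == "__main__":
    print(report("/stuff/realstuff/salaries.txt"))
```

The "other" bits on the inner directory and its files are what the read-only group actually uses, so files created there need a umask such as 002 to stay group-writable and world-readable. The hr_only row shows the consistency requirement: a member of "hr" who is missing from "hr-friends" cannot get past /stuff at all.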