Storage & Clustering Community Blog

ACL modified by a user: how admins can override the rights

Created: 08 Nov 2011 • Updated: 11 Jun 2014
Loic Bouquet

Hello SFS administrators.

I have been working on SFS for one year, and I want to share some tips with you.

For example, a customer gave me a challenge about a modification of the ACL on a directory.

The case: a user set rights on his directory to protect some data and forbid administrators or domain users from accessing it.

The question: how can administrators override those rights to back up, move, migrate or modify files and directories in this folder?

The answers: there are 2 ways to solve this issue:

1. Export the CIFS share with the default option "no_full_acl". In this case, the documentation says the following.

  • full_acl : All Windows Access Control Lists (ACLs) are supported except in the case when you attempt using the Windows Explorer folder Properties > Security GUI to inherit down to a non-empty directory hierarchy while denying all access to yourself.
  • no_full_acl (Default) : Some advanced Windows Access Control Lists (ACLs) functionality does not work. For example, if you try to create ACL rules on files saved in a CIFS share using Windows explorer while allowing some set of file access for user1 and denying file access for user2, this is not possible when CIFS shares are exported using no_full_acl.
 
2. Override the rights at the Unix level, on the mount point /vx/fs_name, like this: chmod 775 folder_deny_for_admins/
When you do that, you make the folder accessible for modification by all Domain Users. If you use 777, you make the folder accessible for modification by everyone (be careful). This command is not recursive, but afterwards you can set the rights directly from the share with your favorite Windows Explorer :)
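
A reversible form of the chmod override from method 2, as an added example that is not part of the original post: it saves the folder's mode before changing it, refuses world-writable modes such as 777, and puts the saved mode back once the backup or migration is done. The function names and the state file are hypothetical, and GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the state
# file are hypothetical; GNU stat/chmod (Linux) are assumed.

# current_mode DIR: print the octal permission bits of DIR.
current_mode() { stat -c '%a' "$1"; }

# open_for_admins DIR STATEFILE [MODE]
# Saves DIR's current mode in STATEFILE, then applies MODE (default 775)
# to DIR only (non-recursive, like the command in the post).
open_for_admins() {
    dir=$1; state=$2; mode=${3:-775}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # Accept only a plain three-digit octal mode.
    case $mode in
        [0-7][0-7][0-7]) ;;
        *) echo "invalid mode: $mode" >&2; return 3 ;;
    esac
    # Refuse modes whose "other" digit includes write (2, 3, 6, 7), e.g. 777.
    case $mode in
        *[2367]) echo "refusing world-writable mode $mode" >&2; return 3 ;;
    esac
    # Never overwrite a saved state: that would lose the user's original mode.
    if [ -e "$state" ]; then
        echo "state file already exists: $state" >&2; return 4
    fi
    old=$(current_mode "$dir") || return 1
    printf '%s\n' "$old" > "$state" || return 1
    chmod "$mode" "$dir"
}

# restore_mode DIR STATEFILE
# Puts back the mode saved by open_for_admins and removes the state file.
restore_mode() {
    dir=$1; state=$2
    [ -f "$state" ] || { echo "no saved state: $state" >&2; return 4; }
    old=$(cat "$state")
    chmod "$old" "$dir" && rm -f "$state"
}
```

Typical use is open_for_admins on the folder under /vx/fs_name before the administrative task and restore_mode with the same state file afterwards.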
 
I prefer the second method, because it's less disturbing for the users, and you just need to modify rights for Domain Admins, for example.
 
I'm waiting for your comments.
Regards,
Loïc