4

I've been doing some research into OpenSolaris and ZFS for use in a NAS.

Thus far I have created the following:

/tank/projects

/tank/storage

/tank/developer

/tank/sandbox

The total space allocated for tank is 3.4Tb (RAIDZ2). Developers mount is our Subversion repository, it should be locked so only the sysadmins have access to that content plus those in the suDevelopers group.

SandBox is a play area, it's all open doors, read/write/delete whatever.

I'm wondering how I'd achieve the following, whether I'd have to go to using ACLs or just standard Unix permissions.

There are three main groups of users of this NAS, this is in the hierarchy of users. There are no ADs or anything else apart from CIFS to share this NAS.

  • suDevelopers They have access to all the content in tank.

  • suStaff These users are the staff at the premises, they should have access to everything except for the developer zfs in the tank.

  • suContractors These users can only see the Storage folder and not be able to access the others.

The problem is that some files on the storage area contain sensitive information (serial numbers, license keys) we don't want the contractors to see. Can we set those permissions up in Windows by the user who put the file there and they will automatically set to the right place?

I'm not sure how to do the above properly and whether it's ACLs or just CHMOD I should use.

Dennis Williamson
  • 62,149
  • 16
  • 116
  • 151
Leah Calum
  • 211
  • 2
  • 8

1 Answers1

3

Well, whether you use traditional POSIX permissions or ACLs, you'll be using chmod on Solaris. I would suggest you use ACLs in this case. You'll have to apply the ACL separately to each file system in the tank storage pool. I suggest setting the aclmode and aclinherit properties of each filesystem to passthrough as well.

I think it's preferable to set the ACLs on the Solaris side of things instead of doing it through windows.

Basically it would look something like:

chmod -R A=\
group:suDevelopers:full_set,\
group:sysadmins:full_set,\
/tank/projects

chmod -R A=\
group:suDevelopers:full_set:allow,\
group:suStaff:full_set:allow,\
group:suContractors:full_set:allow
/tank/storage

chmod -R A=everyone@:full_set:allow /tank/sandbox

and etc as necessary. You can also use read_set for read-only permissions.

There's a lot of other ways you can cut things with ACLs, they're an extremely powerful system on Solaris. You can read man chmod and man zfs for details.

There's also this article which gives some further examples.

Also make sure you are using /usr/bin/chmod instead of /usr/gnu/bin/chmod which I believe is the default.

Kamil Kisiel
  • 12,184
  • 7
  • 48
  • 69