Nov 062015
 

ACL set codes

insta-25
Working with permissions on NAS4FREE shell is pleasant and enjoyable experience …. *cough*, *cough*.

$ getfacl /tank/shared

# file: /tank/shared
# owner: aduser
# group: 500
                         [email protected]:rwxpD-a-R-c---:------:allow
                            [email protected]:rwxpD-a-R-c---:------:allow
                      group:aduser:rwxpDdaARWcCo-:fd----:allow
 group:adgroup_shared_share_access:rwxpDdaARWc---:fd----:allow


full_set = rwxpdDaARWcCos = all permissions
modify_set = rwxpdDaARWc–s = all permissions except write_acl, write_owner
read_set = r—–a-R-c— = read_data, read_attributes, read_xattr, read_acl
write_set = -w-p—A-W—- = write_data, append_data, write_attributes, write_xattr
NFSv4 ACL legend (read from top, down and exit on first match)

            
                 [email protected]:--------------:-------:deny
                 [email protected]:rwxp---A-W-Co-:-------:allow
                 [email protected]:-w-p----------:-------:deny
                 [email protected]:r-x-----------:-------:allow
              [email protected]:-w-p---A-W-Co-:-------:deny
              [email protected]:r-x---a-R-c--s:-------:allow
                        ||||||||||||||:|||||||
           (r)read data +|||||||||||||:||||||+ (I)nherited
           (w)rite data -+||||||||||||:|||||+- (F)ailed access (audit)
              e(x)ecute --+|||||||||||:||||+-- (S)uccess access (audit)
               a(p)pend ---+||||||||||:|||+--- (n)o propagate
               (d)elete ----+|||||||||:||+---- (i)nherit only
         (D)elete child -----+||||||||:|+----- (d)irectory inherit
          read (a)ttrib ------+|||||||:+------ (f)ile inherit
         write (A)ttrib -------+||||||
           (R)ead xattr --------+|||||
          (W)rite xattr ---------+||||
             read a(c)l ----------+|||
            write a(C)l -----------+||
         change (o)wner ------------+|
                   sync -------------+

 

Changing permissions over NAS4FREE console is possible

setfacl -m u:aduser:rwxpdaARWc:fd:allow folderHere
setfacl -m g:adgroup_shared_share_access:rwxpDaARWcCo:fd:allow shared/

But it’s probably easier to manage it from Windows workstation

Pick one responsible user and grant him/her SeDiskOperatorPrivilege

net rpc rights grant aduser SeDiskOperatorPrivilege -U adadmin
net rpc rights list accounts -P
net rpc rights list -P

Also add in NAS4FREE web interface under Services|CIFS/SMB|Share|Edit|Auxiliary parameters

admin users = aduser
valid users = @adgroup_shared_share_access, @"ADgroup Shared Share Access"
write list = @adgroup_shared_share_access, @"ADgroup Shared Share Access"

And just let him do the hard work of dealing with other users.

Useful links

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

http://wiki.nas4free.org/doku.php?id=documentation:setup_and_user_guide:services_cifs_smb_samba

http://wiki.nas4free.org/doku.php?id=documentation:setup_and_user_guide:services_cifs_smb_shares


May 072015
 

These pesky SeLinux commands that are just impossible to remember

insta-06

We need some tools

yum install policycoreutils-python -y 

Non-default location for homedirs

# say user dyzio comes from AD/LDAP and lives under /users/d/dyzio
mkdir -p /users/{a..z} # precreate home_root_t
chcon -t home_root_t /users
semanage fcontext -a -t home_root_t "/users(/.*)?"
restorecon -R -v /users

# if you need to autocreate home dirs you'll need 
yum install -y oddjob-mkhomedir
# and for AD users "usepasswd=True" in this file
vim /etc/selinux/semanage.conf
# this will check user entry in ldap and set correct security context "user_home_t" on user home

Samba

semanage fcontext -a -t samba_share_t "/srv/shared(/.*)?"
restorecon -R -v /srv/shared

Apache

setsebool -P httpd_can_sendmail on

Assign the appropriate Selinux security context to our custom web app directories. This grants Apache permissions to access them.

chcon -Rv --type=httpd_sys_content_t /webapps/apps/app1/public_html
chcon -Rv --type=httpd_sys_content_t /webapps/logs/app1/