Sunday, 19 July 2015

Investigating the Effect of NTACL Display Permissive Permissions

I needed to investigate the effect of the NTACL Display Permissive Permissions option, that’s by default turned off in 7-Mode, but tuneable; effectively on in cDOT until 8.3.1, and not tuneable; and then by default off in cDOT 8.3.1 and tuneable again.

The notes below are fairly raw lab re-creation steps, and they test 5 things.

What permissions does a UNIX client see when it’s accessing an NTFS qtree, to a file that the UNIX-NT mapped user has only got NT modify permissions?

1) On 7-Mode 8.1.2P4 with the option off
2) On 7-Mode 8.1.2P4 with the option on
3) On cDOT 8.2.3 (the option does not exist but is effectively on)
4) On cDOT 8.3.1 with the option off (default)
5) On cDOT 8.3.1 with the option on

And the conclusion we reach is that cDOT 8.3.1 behaves exactly like 7-Mode did with this option.

######################
######################
## Setting up in AD ##
######################
######################

See screenshot for New User MRSFTP.

######################
######################
## Set up on CENTOS ##
######################
######################

[root@localhost ~]# groupadd SFTPGROUP -g 12345
[root@localhost ~]# useradd SFTPUSER -u 12345 -g 12345 -p

###################################
###################################
## Re-creating on 7-Mode 8.1.2P4 ##
###################################
###################################

# N.B. We already have NFS and CIFS running on our 7-Mode system. To check:
#
# > nfs status
# NFS server is running.
#
# > cifs restart
# CIFS is already running.
#
# Also, we're using the default options nfs.ntacl_display_permissive_perms off. To check:
#
# > priv set diag
# *> options nfs.ntacl_display_permissive_perms
# nfs.ntacl_display_permissive_perms off

vol create TEST777 -s none aggr1 2g
qtree security /vol/TEST777 # Verify that the volume is NTFS security style
cifs shares -add TEST777 /vol/TEST777
cifs shares TEST777 # By default it gets everyone / Full Control
cifs access -delete TEST777 everyone
cifs access TEST777 "BUILTIN\Administrators" Full Control
cifs access TEST777 "NT AUTHORITY\Authenticated Users" Change
qtree create /vol/TEST777/FTPSHARE
qtree security /vol/TEST777/FTPSHARE # Verify that the qtree is NTFS security style
cifs shares -add FTPSHARE /vol/TEST777/FTPSHARE
cifs shares FTPSHARE # By default it gets everyone / Full Control
cifs access -delete FTPSHARE everyone
cifs access FTPSHARE "BUILTIN\Administrators" Full Control
cifs access FTPSHARE "NT AUTHORITY\Authenticated Users" Change
exportfs -p rw=10.10.10.64,root=10.10.10.64 /vol/TEST777/FTPSHARE
wrfile -a /etc/passwd SFTPUSER::12345:12345::/:
wrfile -a /etc/usermap.cfg LAB\MRSFTP == SFTPUSER

##################################
# Setting QTREE NTFS PERMISSIONS #
##################################

See screenshot

#####################
# Testing on CENTOS #
#####################

[root@localhost ~]# mkdir /mnt/7M812_FTPSHARE
[root@localhost ~]# mount 10.10.10.204:/vol/TEST777/FTPSHARE /mnt/7M812_FTPSHARE
[root@localhost ~]# cd /mnt/7M812_FTPSHARE
bash: cd: /mnt/7M812_FTPSHARE: Permission denied
[root@localhost ~]# su SFTPUSER
[SFTPUSER@localhost root]$ cd /mnt/7M812_FTPSHARE
[SFTPUSER@localhost 7M812_FTPSHARE]$ mkdir .ssh
[SFTPUSER@localhost 7M812_FTPSHARE]$ cd .ssh
[SFTPUSER@localhost .ssh]$ touch authorized_keys
[SFTPUSER@localhost .ssh]$ ls -alh
total 8.0K
drwx------. 2 SFTPUSER SFTPGROUP 4.0K Jul 19 07:36 .
drwx------. 4 root     root      4.0K Jul 19 07:35 ..
-rwx------. 1 SFTPUSER SFTPGROUP    0 Jul 19 07:36 authorized_keys

###################################
# And if we switch the option on? #
###################################

priv set diag
options nfs.ntacl_display_permissive_perms on

#####################
# Testing on CENTOS #
#####################

[SFTPUSER@localhost .ssh]$ ls -alh
total 8.0K
drwxrwxrwx. 2 SFTPUSER SFTPGROUP 4.0K Jul 19 07:36 .
drwxrwxrwx. 4 root     root      4.0K Jul 19 07:35 ..
-rwxrwxrwx. 1 SFTPUSER SFTPGROUP    0 Jul 19 07:36 authorized_keys

#########################################
# And if we switch the option back off? #
#########################################

priv set diag
options nfs.ntacl_display_permissive_perms on

#####################
# Testing on CENTOS #
#####################

[SFTPUSER@localhost .ssh]$ ls -alh
total 8.0K
drwx------. 2 SFTPUSER SFTPGROUP 4.0K Jul 19 07:36 .
drwx------. 4 root     root      4.0K Jul 19 07:35 ..
-rwx------. 1 SFTPUSER SFTPGROUP    0 Jul 19 07:36 authorized_keys

###############################
###############################
## Re-creating on cDOT 8.2.3 ##
###############################
###############################

# We already have a Vserver setup, and running NFS and CIFS, with an NTFS security style rootvol which is used the default export-policy. To check:
#
# ::> nfs show -vserver CIFSV1 -fields access
# vserver access
# ------- ------
# CIFSV1  true
#
# ::> cifs show -vserver CIFSV1 -fields status-admin
# vserver status-admin
# ------- ------------
# CIFSV1  up
#
# ::> volume show -vserver CIFSV1 -volume rootvol -fields security-style,policy
# vserver volume  policy  security-style
# ------- ------- ------- --------------
# CIFSV1  rootvol default ntfs

volume create  -vserver CIFSV1 -volume TEST777 -aggregate N1_aggr1 -size 2g -security-style NTFS
volume mount -vserver CIFSV1 -volume TEST777 -junction-path /TEST777
cifs share create -vserver CIFSV1 -share-name TEST777 -path /TEST777 -share-properties oplocks,browsable,changenotify -symlink-properties hide
cifs share access-control delete -vserver CIFSV1 -share TEST777 -user-or-group Everyone
cifs share access-control create -vserver CIFSV1 -share TEST777 -user-or-group "BUILTIN\Administrators" -permission Full_Control
cifs share access-control create -vserver CIFSV1 -share TEST777 -user-or-group "NT AUTHORITY\Authenticated Users" -permission change
qtree create -vserver CIFSV1 -volume TEST777 -qtree FTPSHARE -security-style NTFS
cifs share create -vserver CIFSV1 -share-name FTPSHARE -path /TEST777/FTPSHARE -share-properties oplocks,browsable,changenotify -symlink-properties hide
cifs share access-control delete -vserver CIFSV1 -share FTPSHARE -user-or-group Everyone
cifs share access-control create -vserver CIFSV1 -share FTPSHARE -user-or-group "BUILTIN\Administrators" -permission Full_Control
cifs share access-control create -vserver CIFSV1 -share FTPSHARE -user-or-group "NT AUTHORITY\Authenticated Users" -permission change
export-policy create -vserver CIFSV1 -policyname READONLY
export-policy rule create -vserver CIFSV1 -policyname READONLY -ruleindex 1 -protocol nfs -clientmatch 0.0.0.0/0 -rorule any -rwrule never -anon 65534 -superuser none -allow-suid true -allow-dev true
export-policy rule create -vserver CIFSV1 -policyname READONLY -ruleindex 2 -protocol cifs -clientmatch 0.0.0.0/0 -rorule any -rwrule any -anon 65534 -superuser none -allow-suid true -allow-dev true
volume modify -vserver CIFSV1 -volume TEST777 -policy READONLY
export-policy create -vserver CIFSV1 -policyname TEST777_FTPSHARE
export-policy rule create -vserver CIFSV1 -policyname TEST777_FTPSHARE -ruleindex 1 -protocol any -clientmatch 10.10.10.64 -rorule sys -rwrule sys -anon 65534 -superuser sys -allow-suid true -allow-dev true
qtree modify -vserver CIFSV1 -volume TEST777 -qtree FTPSHARE -export-policy TEST777_FTPSHARE
unix-group create -vserver CIFSV1 -name SFTPGROUP -id 12345
unix-user create -vserver CIFSV1 -user SFTPUSER -id 12345 -primary-gid 12345
name-mapping create -vserver CIFSV1 -direction unix-win -position 10 -pattern SFTPUSER -replacement LAB\\MRSFTP
name-mapping create -vserver CIFSV1 -direction win-unix -position 10 -pattern LAB\\MRSFTP -replacement SFTPUSER

##################################
# Setting QTREE NTFS PERMISSIONS #
##################################

See screenshot

#####################
# Testing on CENTOS #
#####################

[root@localhost ~]# mkdir /mnt/CM823_FTPSHARE
[root@localhost ~]# mount 10.10.10.246:TEST777/FTPSHARE /mnt/CM823_FTPSHARE
[root@localhost ~]# cd /mnt/CM823_FTPSHARE
bash: cd: /mnt/CM823_FTPSHARE: Permission denied
[root@localhost ~]# su SFTPUSER
[SFTPUSER@localhost root]$ cd /mnt/CM823_FTPSHARE
[SFTPUSER@localhost CM823_FTPSHARE]$ mkdir .ssh
[SFTPUSER@localhost CM823_FTPSHARE]$ cd .ssh
[SFTPUSER@localhost .ssh]$ touch authorized_keys
[SFTPUSER@localhost .ssh]$ ls -alh
total 8.0K
drwxrwxrwx. 2 SFTPUSER SFTPGROUP 4.0K Jul 19 05:22 .
drwxrwxrwx. 3 root     root      4.0K Jul 19 05:21 ..
-rwxrwxrwx. 1 SFTPUSER SFTPGROUP    0 Jul 19 05:22 authorized_keys

#######################################################
# What if we'd set Domain Admins to Modify only also? #
#######################################################

See screenshot

#####################
# Testing on CENTOS #
#####################

[SFTPUSER@localhost .ssh]$ ls -alh
total 8.0K
drwxrwxrwx. 2 SFTPUSER SFTPGROUP 4.0K Jul 19 05:22 .
drwxrwxrwx. 3 root     root      4.0K Jul 19 05:21 ..
-rwxrwxrwx. 1 SFTPUSER SFTPGROUP    0 Jul 19 05:22 authorized_keys

###############################
###############################
## Re-creating on cDOT 8.3.1 ##
###############################
###############################

# N.B. We already have a Vserver setup, and running NFS and CIFS, with an NTFS security style rootvol which is used the default export-policy
# To check:
#
# ::> nfs show -vserver SVM01 -fields access
# vserver access
# ------- ------
# SVM01   true
#
# ::> cifs show -vserver SVM01 -fields status-admin
# vserver status-admin
# ------- ------------
# SVM01   up
#
# ::> volume show -vserver SVM01 -volume SVM01_root -fields security-style,policy
# vserver volume     policy  security-style
# ------- ---------- ------- --------------
# SVM01   SVM01_root default ntfs
#
# And what is the current setting for "Display maximum NT ACL Permissions to NFS Client"
#
# ::> set adv
# ::*> nfs server show -vserver SVM01 -fields ntacl-display-permissive-perms
# vserver ntacl-display-permissive-perms
# ------- ------------------------------
# SVM01   disabled

volume create  -vserver SVM01 -volume TEST777 -aggregate NACLU6N1_aggr1 -size 2g -security-style NTFS
volume mount -vserver SVM01 -volume TEST777 -junction-path /TEST777
cifs share create -vserver SVM01 -share-name TEST777 -path /TEST777 -share-properties oplocks,browsable,changenotify -symlink-properties hide
cifs share access-control delete -vserver SVM01 -share TEST777 -user-or-group Everyone
cifs share access-control create -vserver SVM01 -share TEST777 -user-or-group "BUILTIN\Administrators" -permission Full_Control
cifs share access-control create -vserver SVM01 -share TEST777 -user-or-group "NT AUTHORITY\Authenticated Users" -permission change
qtree create -vserver SVM01 -volume TEST777 -qtree FTPSHARE -security-style NTFS
cifs share create -vserver SVM01 -share-name FTPSHARE -path /TEST777/FTPSHARE -share-properties oplocks,browsable,changenotify -symlink-properties hide
cifs share access-control delete -vserver SVM01 -share FTPSHARE -user-or-group Everyone
cifs share access-control create -vserver SVM01 -share FTPSHARE -user-or-group "BUILTIN\Administrators" -permission Full_Control
cifs share access-control create -vserver SVM01 -share FTPSHARE -user-or-group "NT AUTHORITY\Authenticated Users" -permission change
export-policy create -vserver SVM01 -policyname READONLY
export-policy rule create -vserver SVM01 -policyname READONLY -ruleindex 1 -protocol nfs -clientmatch 0.0.0.0/0 -rorule any -rwrule never -anon 65534 -superuser none -allow-suid true -allow-dev true
export-policy rule create -vserver SVM01 -policyname READONLY -ruleindex 2 -protocol cifs -clientmatch 0.0.0.0/0 -rorule any -rwrule any -anon 65534 -superuser none -allow-suid true -allow-dev true
volume modify -vserver SVM01 -volume TEST777 -policy READONLY
export-policy create -vserver SVM01 -policyname TEST777_FTPSHARE
export-policy rule create -vserver SVM01 -policyname TEST777_FTPSHARE -ruleindex 1 -protocol any -clientmatch 10.10.10.64 -rorule sys -rwrule sys -anon 65534 -superuser sys -allow-suid true -allow-dev true
qtree modify -vserver SVM01 -volume TEST777 -qtree FTPSHARE -export-policy TEST777_FTPSHARE
unix-group create -vserver SVM01 -name SFTPGROUP -id 12345
unix-user create -vserver SVM01 -user SFTPUSER -id 12345 -primary-gid 12345
name-mapping create -vserver SVM01 -direction unix-win -position 10 -pattern SFTPUSER -replacement LAB\\MRSFTP
name-mapping create -vserver SVM01 -direction win-unix -position 10 -pattern LAB\\MRSFTP -replacement SFTPUSER

# N.B.: The default export-policy in 8.3.X has no rules, hence we create them:

export-policy rule create -vserver SVM01 -policyname default -ruleindex 1 -protocol any -clientmatch 0.0.0.0/0 -rorule any -rwrule any -anon 65534 -superuser none -allow-suid true -allow-dev true

##################################
# Setting QTREE NTFS PERMISSIONS #
##################################

See screenshot

#####################
# Testing on CENTOS #
#####################

[root@localhost ~]# mkdir /mnt/CM831_FTPSHARE_NTACL_DISABLED
[root@localhost ~]# mount 10.10.10.101:TEST777/FTPSHARE /mnt/CM831_FTPSHARE_NTACL_DISABLED
[root@localhost ~]# cd /mnt/CM831_FTPSHARE_NTACL_DISABLED
bash: cd: /mnt/CM831_FTPSHARE_NTACL_DISABLED: Permission denied
[root@localhost ~]# su SFTPUSER
[SFTPUSER@localhost root]$ cd /mnt/CM831_FTPSHARE_NTACL_DISABLED
[SFTPUSER@localhost CM831_FTPSHARE_NTACL_DISABLED]$ mkdir .ssh
[SFTPUSER@localhost CM831_FTPSHARE_NTACL_DISABLED]$ cd .ssh
[SFTPUSER@localhost .ssh]$ touch authorized_keys
[SFTPUSER@localhost .ssh]$ ls -alh
total 8.0K
drwx------. 2 SFTPUSER SFTPGROUP 4.0K Jul 19 06:03 .
drwx------. 3 root     root      4.0K Jul 19 06:03 ..
-rwx------. 1 SFTPUSER SFTPGROUP    0 Jul 19 06:03 authorized_keys

#################################################################
# Changing the NTACL-DISPLAY-PERMISSIVE-PERMS Switch to ENABLED #
#################################################################

set adv
nfs server modify -vserver SVM01 -ntacl-display-permissive-perms enabled

#####################
# Testing on CENTOS #
#####################

[SFTPUSER@localhost .ssh]$ ls -alh
total 8.0K
drwxrwxrwx. 2 SFTPUSER SFTPGROUP 4.0K Jul 19 06:03 .
drwxrwxrwx. 3 root     root      4.0K Jul 19 06:03 ..
-rwxrwxrwx. 1 SFTPUSER SFTPGROUP    0 Jul 19 06:03 authorized_keys

#######################################################################
# Changing the NTACL-DISPLAY-PERMISSIVE-PERMS Switch back to DISABLED #
#######################################################################

set adv
nfs server modify -vserver SVM01 -ntacl-display-permissive-perms disabled

#####################
# Testing on CENTOS #
#####################

[SFTPUSER@localhost .ssh]$ ls -alh
total 8.0K
drwx------. 2 SFTPUSER SFTPGROUP 4.0K Jul 19 06:03 .
drwx------. 3 root     root      4.0K Jul 19 06:03 ..
-rwx------. 1 SFTPUSER SFTPGROUP    0 Jul 19 06:03 authorized_keys

No comments:

Post a Comment