I needed to investigate the effect of the NTACL Display
Permissive Permissions option, which is off by default in 7-Mode but tuneable;
effectively on, and not tuneable, in cDOT releases before 8.3.1; and then off by default
and tuneable again in cDOT 8.3.1.
The notes below are fairly raw lab re-creation steps, and
they test the same question in five configurations.
What permissions does a UNIX client see when it accesses
a file in an NTFS security-style qtree, where the NT user that the UNIX user maps to
has only been granted NT Modify permissions?
1) On 7-Mode 8.1.2P4 with the option off
2) On 7-Mode 8.1.2P4 with the option on
3) On cDOT 8.2.3 (the option does not exist but is
effectively on)
4) On cDOT 8.3.1 with the option off (default)
5) On cDOT 8.3.1 with the option on
The conclusion we reach is that cDOT 8.3.1 behaves exactly
as 7-Mode does with this option.
######################
######################
##
Setting up in AD ##
######################
######################
See
screenshot for New User MRSFTP.
######################
######################
##
Set up on CENTOS ##
######################
######################
[root@localhost
~]# groupadd SFTPGROUP -g 12345
[root@localhost
~]# useradd SFTPUSER -u 12345 -g 12345 -p
###################################
###################################
##
Re-creating on 7-Mode 8.1.2P4 ##
###################################
###################################
#
N.B. We already have NFS and CIFS running on our 7-Mode system. To check:
#
#
> nfs status
#
NFS server is running.
#
#
> cifs restart
#
CIFS is already running.
#
#
Also, we're using the default setting, nfs.ntacl_display_permissive_perms off.
To check:
#
#
> priv set diag
#
*> options nfs.ntacl_display_permissive_perms
#
nfs.ntacl_display_permissive_perms off
vol
create TEST777 -s none aggr1 2g
qtree
security /vol/TEST777 # Verify that the volume is NTFS security style
cifs
shares -add TEST777 /vol/TEST777
cifs
shares TEST777 # By default it gets everyone / Full Control
cifs
access -delete TEST777 everyone
cifs
access TEST777 "BUILTIN\Administrators" Full Control
cifs
access TEST777 "NT AUTHORITY\Authenticated Users" Change
qtree
create /vol/TEST777/FTPSHARE
qtree
security /vol/TEST777/FTPSHARE # Verify that the qtree is NTFS security style
cifs
shares -add FTPSHARE /vol/TEST777/FTPSHARE
cifs
shares FTPSHARE # By default it gets everyone / Full Control
cifs
access -delete FTPSHARE everyone
cifs
access FTPSHARE "BUILTIN\Administrators" Full Control
cifs
access FTPSHARE "NT AUTHORITY\Authenticated Users" Change
exportfs
-p rw=10.10.10.64,root=10.10.10.64 /vol/TEST777/FTPSHARE
wrfile
-a /etc/passwd SFTPUSER::12345:12345::/:
wrfile
-a /etc/usermap.cfg LAB\MRSFTP == SFTPUSER
##################################
#
Setting QTREE NTFS PERMISSIONS #
##################################
See
screenshot
#####################
#
Testing on CENTOS #
#####################
[root@localhost
~]# mkdir /mnt/7M812_FTPSHARE
[root@localhost
~]# mount 10.10.10.204:/vol/TEST777/FTPSHARE /mnt/7M812_FTPSHARE
[root@localhost
~]# cd /mnt/7M812_FTPSHARE
bash:
cd: /mnt/7M812_FTPSHARE: Permission denied
[root@localhost
~]# su SFTPUSER
[SFTPUSER@localhost
root]$ cd /mnt/7M812_FTPSHARE
[SFTPUSER@localhost
7M812_FTPSHARE]$ mkdir .ssh
[SFTPUSER@localhost
7M812_FTPSHARE]$ cd .ssh
[SFTPUSER@localhost
.ssh]$ touch authorized_keys
[SFTPUSER@localhost
.ssh]$ ls -alh
total
8.0K
drwx------. 2 SFTPUSER SFTPGROUP 4.0K
Jul 19 07:36 .
drwx------. 4 root root
4.0K Jul 19 07:35 ..
-rwx------. 1 SFTPUSER SFTPGROUP 0 Jul 19 07:36 authorized_keys
###################################
#
And if we switch the option on? #
###################################
priv
set diag
options
nfs.ntacl_display_permissive_perms on
#####################
#
Testing on CENTOS #
#####################
[SFTPUSER@localhost
.ssh]$ ls -alh
total
8.0K
drwxrwxrwx. 2 SFTPUSER SFTPGROUP 4.0K
Jul 19 07:36 .
drwxrwxrwx. 4 root root
4.0K Jul 19 07:35 ..
-rwxrwxrwx. 1 SFTPUSER SFTPGROUP 0 Jul 19 07:36 authorized_keys
#########################################
#
And if we switch the option back off? #
#########################################
priv
set diag
options
nfs.ntacl_display_permissive_perms off
#####################
#
Testing on CENTOS #
#####################
[SFTPUSER@localhost
.ssh]$ ls -alh
total
8.0K
drwx------. 2 SFTPUSER SFTPGROUP 4.0K
Jul 19 07:36 .
drwx------. 4 root root
4.0K Jul 19 07:35 ..
-rwx------. 1 SFTPUSER SFTPGROUP 0 Jul 19 07:36 authorized_keys
###############################
###############################
##
Re-creating on cDOT 8.2.3 ##
###############################
###############################
#
We already have a Vserver set up and running NFS and CIFS, with an NTFS
security-style rootvol that uses the default export-policy. To check:
#
#
::> nfs show -vserver CIFSV1 -fields access
#
vserver access
#
------- ------
#
CIFSV1 true
#
#
::> cifs show -vserver CIFSV1 -fields status-admin
#
vserver status-admin
#
------- ------------
#
CIFSV1 up
#
#
::> volume show -vserver CIFSV1 -volume rootvol -fields
security-style,policy
#
vserver volume policy security-style
#
------- ------- ------- --------------
#
CIFSV1 rootvol default ntfs
volume
create -vserver CIFSV1 -volume TEST777
-aggregate N1_aggr1 -size 2g -security-style NTFS
volume
mount -vserver CIFSV1 -volume TEST777 -junction-path /TEST777
cifs
share create -vserver CIFSV1 -share-name TEST777 -path /TEST777
-share-properties oplocks,browsable,changenotify -symlink-properties hide
cifs
share access-control delete -vserver CIFSV1 -share TEST777 -user-or-group
Everyone
cifs
share access-control create -vserver CIFSV1 -share TEST777 -user-or-group
"BUILTIN\Administrators" -permission Full_Control
cifs
share access-control create -vserver CIFSV1 -share TEST777 -user-or-group
"NT AUTHORITY\Authenticated Users" -permission change
qtree
create -vserver CIFSV1 -volume TEST777 -qtree FTPSHARE -security-style NTFS
cifs
share create -vserver CIFSV1 -share-name FTPSHARE -path /TEST777/FTPSHARE
-share-properties oplocks,browsable,changenotify -symlink-properties hide
cifs
share access-control delete -vserver CIFSV1 -share FTPSHARE -user-or-group
Everyone
cifs
share access-control create -vserver CIFSV1 -share FTPSHARE -user-or-group
"BUILTIN\Administrators" -permission Full_Control
cifs
share access-control create -vserver CIFSV1 -share FTPSHARE -user-or-group
"NT AUTHORITY\Authenticated Users" -permission change
export-policy
create -vserver CIFSV1 -policyname READONLY
export-policy
rule create -vserver CIFSV1 -policyname READONLY -ruleindex 1 -protocol nfs
-clientmatch 0.0.0.0/0 -rorule any -rwrule never -anon 65534 -superuser none
-allow-suid true -allow-dev true
export-policy
rule create -vserver CIFSV1 -policyname READONLY -ruleindex 2 -protocol cifs
-clientmatch 0.0.0.0/0 -rorule any -rwrule any -anon 65534 -superuser none
-allow-suid true -allow-dev true
volume
modify -vserver CIFSV1 -volume TEST777 -policy READONLY
export-policy
create -vserver CIFSV1 -policyname TEST777_FTPSHARE
export-policy
rule create -vserver CIFSV1 -policyname TEST777_FTPSHARE -ruleindex 1 -protocol
any -clientmatch 10.10.10.64 -rorule sys -rwrule sys -anon 65534 -superuser sys
-allow-suid true -allow-dev true
qtree
modify -vserver CIFSV1 -volume TEST777 -qtree FTPSHARE -export-policy
TEST777_FTPSHARE
unix-group
create -vserver CIFSV1 -name SFTPGROUP -id 12345
unix-user
create -vserver CIFSV1 -user SFTPUSER -id 12345 -primary-gid 12345
name-mapping
create -vserver CIFSV1 -direction unix-win -position 10 -pattern SFTPUSER
-replacement LAB\\MRSFTP
name-mapping
create -vserver CIFSV1 -direction win-unix -position 10 -pattern LAB\\MRSFTP
-replacement SFTPUSER
##################################
#
Setting QTREE NTFS PERMISSIONS #
##################################
See
screenshot
#####################
#
Testing on CENTOS #
#####################
[root@localhost
~]# mkdir /mnt/CM823_FTPSHARE
[root@localhost
~]# mount 10.10.10.246:TEST777/FTPSHARE /mnt/CM823_FTPSHARE
[root@localhost
~]# cd /mnt/CM823_FTPSHARE
bash:
cd: /mnt/CM823_FTPSHARE: Permission denied
[root@localhost
~]# su SFTPUSER
[SFTPUSER@localhost
root]$ cd /mnt/CM823_FTPSHARE
[SFTPUSER@localhost
CM823_FTPSHARE]$ mkdir .ssh
[SFTPUSER@localhost
CM823_FTPSHARE]$ cd .ssh
[SFTPUSER@localhost
.ssh]$ touch authorized_keys
[SFTPUSER@localhost
.ssh]$ ls -alh
total
8.0K
drwxrwxrwx. 2 SFTPUSER SFTPGROUP 4.0K
Jul 19 05:22 .
drwxrwxrwx. 3 root root
4.0K Jul 19 05:21 ..
-rwxrwxrwx. 1 SFTPUSER SFTPGROUP 0 Jul 19 05:22 authorized_keys
#######################################################
#
What if we also set Domain Admins to Modify only? #
#######################################################
See
screenshot
#####################
#
Testing on CENTOS #
#####################
[SFTPUSER@localhost
.ssh]$ ls -alh
total
8.0K
drwxrwxrwx. 2 SFTPUSER SFTPGROUP 4.0K
Jul 19 05:22 .
drwxrwxrwx. 3 root root
4.0K Jul 19 05:21 ..
-rwxrwxrwx. 1 SFTPUSER SFTPGROUP 0 Jul 19 05:22 authorized_keys
###############################
###############################
##
Re-creating on cDOT 8.3.1 ##
###############################
###############################
#
N.B. We already have a Vserver set up and running NFS and CIFS, with an NTFS
security-style rootvol that uses the default export-policy.
#
To check:
#
#
::> nfs show -vserver SVM01 -fields access
#
vserver access
#
------- ------
#
SVM01 true
#
#
::> cifs show -vserver SVM01 -fields status-admin
#
vserver status-admin
#
------- ------------
#
SVM01 up
#
#
::> volume show -vserver SVM01 -volume SVM01_root -fields
security-style,policy
#
vserver volume policy security-style
#
------- ---------- ------- --------------
#
SVM01 SVM01_root default ntfs
#
#
And what is the current setting for "Display maximum NT ACL Permissions to
NFS Client"?
#
#
::> set adv
#
::*> nfs server show -vserver SVM01 -fields ntacl-display-permissive-perms
#
vserver ntacl-display-permissive-perms
#
------- ------------------------------
#
SVM01 disabled
volume
create -vserver SVM01 -volume TEST777
-aggregate NACLU6N1_aggr1 -size 2g -security-style NTFS
volume
mount -vserver SVM01 -volume TEST777 -junction-path /TEST777
cifs
share create -vserver SVM01 -share-name TEST777 -path /TEST777
-share-properties oplocks,browsable,changenotify -symlink-properties hide
cifs
share access-control delete -vserver SVM01 -share TEST777 -user-or-group
Everyone
cifs
share access-control create -vserver SVM01 -share TEST777 -user-or-group
"BUILTIN\Administrators" -permission Full_Control
cifs
share access-control create -vserver SVM01 -share TEST777 -user-or-group
"NT AUTHORITY\Authenticated Users" -permission change
qtree
create -vserver SVM01 -volume TEST777 -qtree FTPSHARE -security-style NTFS
cifs
share create -vserver SVM01 -share-name FTPSHARE -path /TEST777/FTPSHARE
-share-properties oplocks,browsable,changenotify -symlink-properties hide
cifs
share access-control delete -vserver SVM01 -share FTPSHARE -user-or-group
Everyone
cifs
share access-control create -vserver SVM01 -share FTPSHARE -user-or-group
"BUILTIN\Administrators" -permission Full_Control
cifs
share access-control create -vserver SVM01 -share FTPSHARE -user-or-group
"NT AUTHORITY\Authenticated Users" -permission change
export-policy
create -vserver SVM01 -policyname READONLY
export-policy
rule create -vserver SVM01 -policyname READONLY -ruleindex 1 -protocol nfs
-clientmatch 0.0.0.0/0 -rorule any -rwrule never -anon 65534 -superuser none
-allow-suid true -allow-dev true
export-policy
rule create -vserver SVM01 -policyname READONLY -ruleindex 2 -protocol cifs
-clientmatch 0.0.0.0/0 -rorule any -rwrule any -anon 65534 -superuser none
-allow-suid true -allow-dev true
volume
modify -vserver SVM01 -volume TEST777 -policy READONLY
export-policy
create -vserver SVM01 -policyname TEST777_FTPSHARE
export-policy
rule create -vserver SVM01 -policyname TEST777_FTPSHARE -ruleindex 1 -protocol
any -clientmatch 10.10.10.64 -rorule sys -rwrule sys -anon 65534 -superuser sys
-allow-suid true -allow-dev true
qtree
modify -vserver SVM01 -volume TEST777 -qtree FTPSHARE -export-policy
TEST777_FTPSHARE
unix-group
create -vserver SVM01 -name SFTPGROUP -id 12345
unix-user
create -vserver SVM01 -user SFTPUSER -id 12345 -primary-gid 12345
name-mapping
create -vserver SVM01 -direction unix-win -position 10 -pattern SFTPUSER
-replacement LAB\\MRSFTP
name-mapping
create -vserver SVM01 -direction win-unix -position 10 -pattern LAB\\MRSFTP
-replacement SFTPUSER
#
N.B.: The default export-policy in 8.3.X has no rules, so we create one (this lab rule grants read/write export access from any client, 0.0.0.0/0, with superuser none; restrict -clientmatch outside a lab):
export-policy
rule create -vserver SVM01 -policyname default -ruleindex 1 -protocol any
-clientmatch 0.0.0.0/0 -rorule any -rwrule any -anon 65534 -superuser none
-allow-suid true -allow-dev true
##################################
#
Setting QTREE NTFS PERMISSIONS #
##################################
See
screenshot
#####################
#
Testing on CENTOS #
#####################
[root@localhost
~]# mkdir /mnt/CM831_FTPSHARE_NTACL_DISABLED
[root@localhost
~]# mount 10.10.10.101:TEST777/FTPSHARE /mnt/CM831_FTPSHARE_NTACL_DISABLED
[root@localhost
~]# cd /mnt/CM831_FTPSHARE_NTACL_DISABLED
bash:
cd: /mnt/CM831_FTPSHARE_NTACL_DISABLED: Permission denied
[root@localhost
~]# su SFTPUSER
[SFTPUSER@localhost
root]$ cd /mnt/CM831_FTPSHARE_NTACL_DISABLED
[SFTPUSER@localhost
CM831_FTPSHARE_NTACL_DISABLED]$ mkdir .ssh
[SFTPUSER@localhost
CM831_FTPSHARE_NTACL_DISABLED]$ cd .ssh
[SFTPUSER@localhost
.ssh]$ touch authorized_keys
[SFTPUSER@localhost
.ssh]$ ls -alh
total
8.0K
drwx------. 2 SFTPUSER SFTPGROUP 4.0K
Jul 19 06:03 .
drwx------. 3 root root
4.0K Jul 19 06:03 ..
-rwx------. 1 SFTPUSER SFTPGROUP 0 Jul 19 06:03 authorized_keys
#################################################################
#
Changing the NTACL-DISPLAY-PERMISSIVE-PERMS Switch to ENABLED #
#################################################################
set
adv
nfs
server modify -vserver SVM01 -ntacl-display-permissive-perms enabled
#####################
#
Testing on CENTOS #
#####################
[SFTPUSER@localhost
.ssh]$ ls -alh
total
8.0K
drwxrwxrwx. 2 SFTPUSER SFTPGROUP 4.0K
Jul 19 06:03 .
drwxrwxrwx. 3 root root
4.0K Jul 19 06:03 ..
-rwxrwxrwx. 1 SFTPUSER SFTPGROUP 0 Jul 19 06:03 authorized_keys
#######################################################################
#
Changing the NTACL-DISPLAY-PERMISSIVE-PERMS Switch back to DISABLED #
#######################################################################
set
adv
nfs
server modify -vserver SVM01 -ntacl-display-permissive-perms disabled
#####################
#
Testing on CENTOS #
#####################
[SFTPUSER@localhost
.ssh]$ ls -alh
total
8.0K
drwx------. 2 SFTPUSER SFTPGROUP 4.0K
Jul 19 06:03 .
drwx------. 3 root root
4.0K Jul 19 06:03 ..
-rwx------. 1 SFTPUSER SFTPGROUP 0 Jul 19 06:03 authorized_keys