[prev in list] [next in list] [prev in thread] [next in thread]
List: toasters
Subject: RE: Cifs administrative access push to the entire qtree
From: "Borzenkov, Andrei" <andrei.borzenkov () ts ! fujitsu ! com>
Date: 2015-09-18 7:19:39
Message-ID: EA0A9DE06C7636429F4D457D45DFE21FD914D9694F () ABGEX70E ! FSC ! NET
[Download RAW message or body]
> >
> > You could try setting inheritable ACE on top-level directory. As
> > long as users did not add explicit Deny entries or did not block
> > inheritance it should suffice. Note that explicit denials always
> > override explicit grants, so just adding ACE may not be sufficient
> > anyway.
> >
>
> I don't know whether they did anything explicitly. Unfortunately it
> doesn't let us see any permissions or settings. My account is a domain
> admin and I'm also in the administrators group on the filers.
>
You can use "fsecurity show" on filer to dump current ACL. Could you paste example \
for one of inaccessible files?
Did you try setting top-level inheritable ACE? It should not override any ACL on \
contained files.
> We looked into this, but not having permissions to a variety of sub-
> directories the icacl command doesn't see into these directories. We
> could try to force permissions down the trees, but even if it works,
> we're potentially adding or removing access to groups currently being
> hidden. We're reluctant to blindly do this.
>
>
>
>
>
> > But it may not work if access to folders/files is blocked. In this
> > case it is possible to create task that runs as e.g. SYSTEM to do it.
> >
>
> Would you elaborate on this? Where would this job run from and how
> would it end up with access?
>
Sorry, I was wrong here. It is possible to do it on Windows (running job as SYSTEM \
account) but of course it won't help when accessing something over network.
_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic