Well, whether you use traditional POSIX permissions or ACLs, you'll be using chmod on Solaris. I would suggest you use ACLs in this case. You'll have to apply the ACL separately to each file system in the tank storage pool. I suggest setting the aclmode and aclinherit properties of each filesystem to passthrough as well.
I think it's preferable to set the ACLs on the Solaris side of things instead of doing it through Windows.
Basically it would look something like:
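# Replace the ACL on /tank/projects (recursively) with two group entries.
chmod -R A=\
group:suDevelopers:full_set:allow,\
group:sysadmins:full_set:allow \
/tank/projects
# Same for /tank/storage, with three groups.
chmod -R A=\
group:suDevelopers:full_set:allow,\
group:suStaff:full_set:allow,\
group:suContractors:full_set:allow \
/tank/storage
# Sandbox: everyone gets full control.
chmod -R A=everyone@:full_set:allow /tank/sandbox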
and so on as necessary. You can also use read_set for read-only permissions.
There are a lot of other ways you can cut things with ACLs; they're an extremely powerful system on Solaris. You can read man chmod and man zfs for details.
There's also this article which gives some further examples.
Also make sure you are using /usr/bin/chmod instead of /usr/gnu/bin/chmod which I believe is the default.
ls -e
Print the Access Control List (ACL) associated with the file, if present, in long (-l) output.
This gives a result such as...
drwxr-xr-x@ 19 localadmin 646B Aug 4 00:21 APPBUNDLE
0: user:localadmin allow add_file,add_subdirectory,writeattr,writeextattr,writesecurity
Personally, I have "exports" in my ~/.bash_profile
export FILE_ALL="read,write,append,execute,delete,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown"
export DIR_ALL="list,search,add_file,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown"
that make such a chmod possible...
sudo chmod +a "allow localadmin $DIR_ALL" /APPBUNDLE
From the chmod man page, there is this bit of info... that hints that it may indeed be possible to do something like you describe..
"ACLs are manipulated using extensions to the symbolic mode grammar. Each file has one ACL, containing an ordered list of entries. Each entry refers to a user or group, and grants or denies a set of permissions. In cases where a user and a group exist with the same name, the user/group name can be prefixed with "user:" or "group:" in order to specify the type of name."
chmod -E
Reads the ACL information from stdin, as a sequential list of ACEs, separated by newlines. If the information parses correctly, the existing information is replaced.
Also, I'll give a shout out to BatchMod, an oldie but a goodie for ACLs, as well as TinkerToolSystem.
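A check built on the ls -e output format shown in the answer above, as an added example that is not part of the original answer: it reads `ls -le` text and reports allow entries that grant writesecurity or chown, the two rights that let the holder rewrite the ACL or change the owner. The function name audit_acl, the trusted-principal arguments, the choice of flagged rights and the sample listing are assumptions made for this example.

```shell
#!/bin/sh
# audit_acl [TRUSTED_PRINCIPAL ...]
# Reads `ls -le` output on stdin and prints "name<TAB>principal<TAB>rights"
# for each allow entry that grants writesecurity or chown to a principal not
# named as trusted. Limitation: names containing spaces are not handled.
audit_acl() {
    awk -v trusted="$*" '
    BEGIN {
        n = split(trusted, t, " ")
        for (i = 1; i <= n; i++) ok[t[i]] = 1
    }
    # ACE line: " 0: user:localadmin [inherited] allow perm,perm,..."
    /^ *[0-9]+: / {
        who = $2; verdict = ""; rights = ""
        for (i = 3; i <= NF; i++)
            if ($i == "allow" || $i == "deny") {
                verdict = $i; rights = $(i + 1); break
            }
        # deny entries and trusted principals are not reported
        if (verdict != "allow" || (who in ok)) next
        hit = ""
        m = split(rights, p, ",")
        for (j = 1; j <= m; j++)
            if (p[j] == "writesecurity" || p[j] == "chown")
                hit = hit (hit == "" ? "" : ",") p[j]
        if (hit != "") printf "%s\t%s\t%s\n", file, who, hit
        next
    }
    # Any other non-empty line is a listing entry; the last field is the name.
    NF > 0 { file = $NF }
    '
}

# Constructed sample in the shape of the listing above (not real output).
SAMPLE_LS_LE='drwxr-xr-x@ 19 localadmin  staff  646 Aug  4 00:21 APPBUNDLE
 0: user:localadmin allow add_file,add_subdirectory,writeattr,writeextattr,writesecurity
 1: group:staff allow list,search,readattr
drwxr-xr-x+  3 localadmin  staff   96 Aug  4 00:25 Shared
 0: group:contractors inherited allow list,search,add_file,chown,writesecurity
 1: group:contractors deny delete_child'

# localadmin is expected to hold these rights; anything else is reported.
printf '%s\n' "$SAMPLE_LS_LE" | audit_acl user:localadmin
```

On a real system the input would come from `ls -leR` on the tree being reviewed.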
Best Answer
Note: the following is from a Solaris system, but the results should also work on BSD (where you need to use getfacl/setfacl instead of ls/chmod).
The default permissions of a newly created (text) file are:
If you use chmod 0770 /path/to/file, you will get:
Essentially, execute (x) is added for owner and group, read (r) is removed from everyone, and write (w) and append (p) are added to group.
For a directory, it looks as follows:
And after modification:
Here, read (r) and execute (x) are removed from everyone, while owner and group have the same permissions as in the file case, although with added delete_child (D) permission (this comes from being a directory).