One of the most annoying management tasks of a Network Attached Storage is managing permissions for Windows files. This is further complicated on systems which allow for both Windows and Unix shares, such as an EMC Isilon. If you haven’t picked it up by now, I’m a command line guy with a strong Unix background, so I don’t like using the Windows GUI to control SMB permissions. What I needed was really simple: just to clone permissions (both Unix and Windows) from one file to another. You can use setfacl/getfacl, but it’s kludgy and deprecated in favor of ls/chmod. So I came up with a simple Perl script which can be run on Isilon to clone permissions easily and quickly. As you can see in the example below, permissions get cloned from <source> to <target>.
[box]isilon-1# ls -led source
-rwxrwx--x + 1 root wheel 1580 Mar 20 13:14 source
OWNER: user:root
GROUP: group:wheel
CONTROL:dacl_auto_inherited,sacl_auto_inherited
0: user:DOMAIN\CincyStorage allow inherited file_gen_read,file_gen_write,file_gen_execute,std_write_dac,delete_child,inherited_ace
1: group:DOMAIN\MY.GROUP allow inherited file_gen_read,file_gen_write,file_gen_execute,std_write_dac,delete_child,inherited_ace
2: everyone allow inherited file_gen_execute,file_read_attr,inherited_ace
isilon-1# ls -led target
-rwxrwx--x 1 root wheel 2276 Mar 20 14:16 target
OWNER: user:root
GROUP: group:wheel
SYNTHETIC ACL
0: user:root allow file_gen_read,file_gen_write,file_gen_execute,std_write_dac
1: group:wheel allow file_gen_read,file_gen_write,file_gen_execute
2: everyone allow file_gen_execute,file_read_attr
isilon-1# perl ./cp_perms.pl source target
isilon-1# ls -led target
-rwxrwx--x + 1 root wheel 2276 Mar 20 14:16 target
OWNER: user:root
GROUP: group:wheel
0: user:DOMAIN\CincyStorage allow inherited file_gen_read,file_gen_write,file_gen_execute,std_write_dac,delete_child,inherited_ace
1: group:DOMAIN\MY.GROUP allow inherited file_gen_read,file_gen_write,file_gen_execute,std_write_dac,delete_child,inherited_ace
2: everyone allow inherited file_gen_execute,file_read_attr,inherited_ace
isilon-1#[/box]
And here is the script. Feel free to play around with it and maybe even extend it to be recursive!
[box]Now it’s time for a short note and small disclaimer. This script works for me in my environment. Do your homework and make this work for you. While I have tried to make this robust and fully functional, it’s important to note “stuff happens”; this is still provided “as is” with no warranty whatsoever. Use at your own risk and all that jazz.[/box]
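A way to check that a clone took effect, as an added example (it is not the author's cp_perms.pl): it parses `ls -led` listings in the format shown in the session above and reports owner, group, synthetic-ACL and per-ACE differences between two files. The function names are hypothetical, the sample listings are copied from that session, and the CONTROL line is not compared.

```python
import re

# ACE line: index, trustee, allow/deny, optional "inherited" marker, rights list.
ACE_RE = re.compile(r"^(\d+):\s+(.+?)\s+(allow|deny)\s+(?:(inherited)\s+)?(\S+)$")

def parse_ls_led(text):
    """Parse one file's `ls -led` listing into a comparable dict."""
    acl = {"owner": None, "group": None, "synthetic": False, "aces": []}
    for line in map(str.strip, text.splitlines()):
        key, _, value = line.partition(":")
        if key in ("OWNER", "GROUP"):
            acl[key.lower()] = value.strip()
        elif line == "SYNTHETIC ACL":
            acl["synthetic"] = True  # no stored ACL; derived from the mode bits
        else:
            m = ACE_RE.match(line)
            if m:
                _, trustee, kind, inherited, rights = m.groups()
                acl["aces"].append((trustee, kind, bool(inherited), frozenset(rights.split(","))))
    return acl

def acl_differences(src, dst):
    """Compare ACEs position by position (ACE order matters); [] means a match."""
    diffs = [f"{k}: {src[k]!r} != {dst[k]!r}"
             for k in ("owner", "group", "synthetic") if src[k] != dst[k]]
    if len(src["aces"]) != len(dst["aces"]):
        diffs.append(f"ACE count: {len(src['aces'])} != {len(dst['aces'])}")
    for i, (a, b) in enumerate(zip(src["aces"], dst["aces"])):
        if a != b:
            diffs.append(f"ACE {i}: {a[0]} {a[1]} vs {b[0]} {b[1]}, rights differing: {sorted(a[3] ^ b[3])}")
    return diffs

# Listings copied from the session above (mode/size line left out).
SOURCE = r"""OWNER: user:root
GROUP: group:wheel
CONTROL:dacl_auto_inherited,sacl_auto_inherited
0: user:DOMAIN\CincyStorage allow inherited file_gen_read,file_gen_write,file_gen_execute,std_write_dac,delete_child,inherited_ace
1: group:DOMAIN\MY.GROUP allow inherited file_gen_read,file_gen_write,file_gen_execute,std_write_dac,delete_child,inherited_ace
2: everyone allow inherited file_gen_execute,file_read_attr,inherited_ace"""

TARGET_BEFORE = r"""OWNER: user:root
GROUP: group:wheel
SYNTHETIC ACL
0: user:root allow file_gen_read,file_gen_write,file_gen_execute,std_write_dac
1: group:wheel allow file_gen_read,file_gen_write,file_gen_execute
2: everyone allow file_gen_execute,file_read_attr"""

if __name__ == "__main__":
    print("\n".join(acl_differences(parse_ls_led(SOURCE), parse_ls_led(TARGET_BEFORE))))
```

Feed it the captured `ls -led` output of the source and the target after cloning; an empty result means the owner, group and every ACE agree.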