I have a NetApp filer, with a CIFS export. The permissions have been locked down on it, to a point where it's no longer accessible. I need to reset the permissions on this - I've figured out I can probably do this by changing the qtree to Unix security mode and back again (provided I'm prepared to unexport the share temporarily).
However, I think I should be able to use the fsecurity command to do this. There's just one problem - the manpage example refers to 'applying ACLs from a config file': https://library.netapp.com/ecmdocs/ECMP1196890/html/man1/na_fsecurity_apply.1.html
But what it doesn't do, is give me an example of what a 'security definition file' actually looks like.
Is anyone able to give me an example? Resetting a directory structure to Everyone/Full Control is sufficient for my needs, as re-applying permissions isn't a problem.
1 solution
#1
1
Create a conf file containing the following:
cb56f6f4
1,0,"/vol/vol_name/qtree_name/subdir",0,"D:P(A;CIOI;0x1f01ff;;;Everyone)"
Save it on your filer somewhere (example in manpage is /etc/security.conf).
Run:
fsecurity show /vol/vol_name/qtree_name/subdir
fsecurity apply /etc/security.conf
fsecurity show /vol/vol_name/qtree_name/subdir
This will set Everyone / Full Control: inheritable. Which is a massive security hole, so you should now IMMEDIATELY go and fix the permissions on that directory structure to something a little more sensible.
You can create more detailed ACLs using the 'secedit' utility, available from NetApp's support site. But this one did what I needed it to.
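Added example, not part of the original answer and not NetApp code: a pre-apply check that reads a definition file laid out like the one above and reports every entry whose SDDL grants Everyone full control, so such entries can be tracked and tightened afterwards. It assumes the first line is a header to skip, the path is the third field and the SDDL the last (as in the answer's line); the function names and the second sample entry are constructed.

```python
import csv
import re

FILE_ALL_ACCESS = 0x1F01FF   # Windows Full Control mask on files and directories
GENERIC_ALL = 0x10000000
SYMBOLIC_RIGHTS = {"FA": FILE_ALL_ACCESS, "GA": GENERIC_ALL}
EVERYONE = {"everyone", "wd", "s-1-1-0"}   # name, SDDL alias and SID of Everyone
ACE_RE = re.compile(r"\(([^()]*)\)")

def parse_aces(sddl):
    """Return (type, flags, mask, trustee) for each well-formed ACE in an SDDL string."""
    aces = []
    for body in ACE_RE.findall(sddl):
        fields = body.split(";")
        if len(fields) != 6:
            continue
        ace_type, flags, rights, _, _, trustee = fields
        try:
            mask = SYMBOLIC_RIGHTS.get(rights) or int(rights, 16)
        except ValueError:
            continue   # other symbolic rights strings are not decoded here
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        aces.append((ace_type, flag_set, mask, trustee))
    return aces

def audit(definition_text):
    """Return (path, inheritable) for every entry granting Everyone full control."""
    findings = []
    # Assumption: the first line (cb56f6f4 in the answer) is a header, not an entry.
    lines = definition_text.strip().splitlines()[1:]
    for row in csv.reader(lines):
        if len(row) < 5:
            continue
        path, sddl = row[2], row[-1]
        for ace_type, flags, mask, trustee in parse_aces(sddl):
            full = (mask & FILE_ALL_ACCESS) == FILE_ALL_ACCESS or bool(mask & GENERIC_ALL)
            if ace_type == "A" and trustee.lower() in EVERYONE and full:
                findings.append((path, bool(flags & {"CI", "OI"})))
    return findings

# First entry is the answer's line; the second is constructed for contrast.
SAMPLE = r'''cb56f6f4
1,0,"/vol/vol_name/qtree_name/subdir",0,"D:P(A;CIOI;0x1f01ff;;;Everyone)"
1,0,"/vol/vol_name/qtree_name/other",0,"D:P(A;CIOI;0x1f01ff;;;BUILTIN\Administrators)(A;CIOI;0x1200a9;;;Everyone)"
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```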