Managing CIFS file permissions

#1

Viewing

getcifsacl <file_name>

The ACLs (Access Control Lists) are structured as

ACL:SID:Type/Flags/Mask

  1. SID
    Identifies the user or group to which the permission applies.

  2. Type

    • ALLOWED
    • DENIED
    • OBJECT_ALLOWED
    • OBJECT_DENIED

  3. Flags

    • OBJECT_INHERIT_FLAG (OI)
    • CONTAINER_INHERIT_FLAG (CI)
    • NO_PROPAGATE_INHERIT_FLAG (NI)
    • INHERIT_ONLY_FLAG (IO)
    • INHERITED_ACE_FLAG (IA)

  4. Mask

    • FULL (view, list, execute, modify, add, delete, modify permissions)
    • CHANGE (view, list, execute, modify, add, delete)
    • READ (view, list, execute)
    • Combination of R W X D P O

Permissions are applied in parallel, i.e. a user receives permissions from all ACLs, with DENIED permission taking precedence over ALLOWED. It is generally recommended to set permissions using ALLOWED rather than DENIED.

Setting

setcifsacl -M "ACL:ROBARTS\CFMM_SG:ALLOWED/OI|CI|I/READ" <file_name>

Will modify the ACL for ROBARTS\CFMM_SG:ALLOWEDto be the new settings of READ only, which will be inherited by all new files within the directory <file_name>. You can also use -a to add a new ACL and -D to delete an existing ACL.

man setcifsacl

will provide addition information on the command.

To avoid rendering your data inaccessible.

  • Do not use of -S which sets the list of ACLs, deleting all existing ACLs.
  • Do not modify ACLs for
    • ACL:BUILTIN\Administrators
    • ACL:NT Authority\SYSTEM
    • ACL:ROBARTS<username>
    • ACL:\Creator Owner
    • ACL:ROBARTS\IT_Centre_SG
    • ACL:ROBARTS\CFMM_Admin_SG

View Group memberships

  1. To view your own group membership
    id
  2. To view members of a group
    getent group <groupnam>
#2

Thanks for digging into this @mklassen. I haven’t tried altering permissions on CBS shares yet, but it certainly looks tricky, not something I would want just any trainee messing with…

Would it be worthwhile creating a friendlier (and safer) interface for setting permissions?

Or is a simpler solution to have a small windows VM just for these tasks where users can more easily alter permissions?

#3

Unfortunately, the normal Windows GUI for setting permissions is among the worst interfaces I have ever used. I am not sure it would be any easier. You have to dig through multiple levels, tabs, and buttons and the descriptions are rather cryptic. If you do not understand ACLs, you can do more harm than good. This may be an advanced user/admin topic only.

There are also still outstanding permission issues, one being that I have been unable to find a way to change the ownership of files/folders, either via Linux or Windows. Although the methods exist on Windows, when attempting to use them they throw an error that the user cannot be changed.