Tuesday – March 24

Home directory permissions issues.

Found: "How to display the security permissions of a file from the filer", which mentions the fsecurity command. Also found the white paper "Bulk Security Quick Start Guide". Information about the Security Descriptor Definition Language (SDDL) at MSDN. From a comment on that page, I found Mark Minasi’s newsletter describing the SDDL syntax.

After poking at a few things with SubInACL.exe, I used the secedit utility from NetApp to create a security job file.

I created a new file, added a location “/vol/testvol”, then added the BUILTIN\Administrator user with Full Control. This generated a file containing the following:

cb56f6f4
1,0,"/vol/testvol",0,"D:(A;CIOI;0x1200a9;;;Everyone)(A;CIOI;0x1f01ff;;;builtin\administrators)"

The instructions are specific that you can’t remove the “Everyone” ACE, which is exactly what I wanted to do. So I edited the generated text file to remove that ACE, resulting in the following:

cb56f6f4
1,0,"/vol/testvol",0,"D:(A;CIOI;0x1f01ff;;;BUILTIN\Administrators)"

The command fsecurity apply /vol/path/to/file appears to have corrected the permissions just fine. I edited the file’s location to another affected volume and that worked as well.
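A way to check a job file for a leftover Everyone grant before running fsecurity apply, as an added example that is not from the original post or from NetApp. The field positions (path third, SDDL fifth) are assumed from the two sample lines above, the function names are hypothetical, and only numeric access masks like those in the sample are decoded.

```python
import csv
import re

# Windows file access-mask bits (values from winnt.h).
BITS = {
    0x1: "READ_DATA", 0x2: "WRITE_DATA", 0x4: "APPEND_DATA", 0x8: "READ_EA",
    0x10: "WRITE_EA", 0x20: "EXECUTE", 0x40: "DELETE_CHILD",
    0x80: "READ_ATTRIBUTES", 0x100: "WRITE_ATTRIBUTES", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
EVERYONE = {"everyone", "wd", "s-1-1-0"}  # name, SDDL alias and SID of Everyone

def decode_mask(mask):
    """Name the bits set in a numeric access mask."""
    if mask == 0x1F01FF:
        return ["FULL_CONTROL"]
    return [name for bit, name in sorted(BITS.items()) if mask & bit]

def parse_dacl(sddl):
    """Split the D: section of an SDDL string into ACE dictionaries."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, _obj, _inh, trustee = body.split(";")
        aces.append({"type": ace_type, "flags": flags,
                     "mask": int(rights, 0), "trustee": trustee})
    return aces

def everyone_grants(job_text):
    """Return (path, rights) for each Allow ACE that names Everyone."""
    hits = []
    for row in csv.reader(job_text.splitlines()):
        if len(row) != 5:  # skips the leading ID line and blank lines
            continue
        path, sddl = row[2], row[4]  # positions assumed from the page's sample
        for ace in parse_dacl(sddl):
            if ace["type"] == "A" and ace["trustee"].lower() in EVERYONE:
                hits.append((path, decode_mask(ace["mask"])))
    return hits

# The two job files shown in the post, embedded verbatim.
GENERATED = r'''cb56f6f4
1,0,"/vol/testvol",0,"D:(A;CIOI;0x1200a9;;;Everyone)(A;CIOI;0x1f01ff;;;builtin\administrators)"'''
EDITED = r'''cb56f6f4
1,0,"/vol/testvol",0,"D:(A;CIOI;0x1f01ff;;;BUILTIN\Administrators)"'''

if __name__ == "__main__":
    for name, text in (("generated", GENERATED), ("edited", EDITED)):
        print(name, everyone_grants(text) or "no Everyone ACE")
```

The mask 0x1200a9 on the generated Everyone ACE decodes to read and execute rights, inherited by child files and folders through the CIOI flags.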

Geoff
Sr. System Administrator at the University of Vermont
