SUMMARY: ASU permissions and Unix folders...

From: Harihar Krishnan (harik@bma.gov.bh)
Date: Wed Sep 01 2004 - 07:09:38 EDT


I got the solution for this tricky problem thanks to Dan Goetzman.

Harihar K
=======================================================
-----Original Message-----
From: Dan Goetzman [mailto:dan_goetzman@bmc.com]
Sent: Tuesday, August 31, 2004 9:27 PM
To: Harihar Krishnan
Subject: Re: ASU permissions and Unix folders...

Harihar,

I almost forgot to reply to this...

Looks like chacl is found at: /usr/sbin/chacl on my system.

copy/paste the following from my notes;

Reset an object's ACL using the Unix command line
If the ACL entries are removed from an object, or set to certain values,
then you will no longer be able to use the "net perm" command to change
the ACL on a given object. To fix this use the ASU command "chacl" to
either add back the ACE "Everyone=FullControl" or change the existing
ACE for "Everyone" back to "FullControl".

* Add an ACE if there is not any existing ACE for "Everyone"

chacl -G rwaxdgsGSDcpoY:S-1-1-0 /bmc/export/...

* Change the existing ACE for "Everyone" to "FullControl"

chacl -N rwaxdgsGSDcpoY:S-1-1-0 /bmc/export/...

Please note:

1. rwaxdgsGSDcpoY are the permission bits for "FullControl"
2. S-1-1-0 is the SID for the "Everyone" special group

That should do it. The first command will add an ACE for Everyone if it
does not exist. The second one is used to modify an existing ACE for
Everyone.

Later...
Dan

Harihar Krishnan wrote:

> Hi Dan,
>
> Thanks for your prompt reply. However, I have not used "chacl" earlier and
> could not find a relevant example on the Internet. Can you specify the
> command format, if I need to give all the permissions (rwcxdap) to the
> "Administrators" group please? Appreciate your help in this regard.
>
>
> Harihar
> =========================================================
> -----Original Message-----
> From: Dan Goetzman [mailto:dan_goetzman@bmc.com]
> Sent: Monday, August 30, 2004 3:35 PM
> To: Harihar Krishnan
> Subject: Re: ASU permissions and Unix folders...
>
>
> Hello Harihar,
>
> Yes, I have done this very same thing. Now I leave the "SYSTEM" acl so
> that I will always be able to admin acls on an object. Remember, a
> "share" is just a "view" on a section of the filesystem tree, while
> setting the acls on the file system path is global (that is why you are
> able to remove access to a share ok, but removing access to the real
> path is a problem).
>
> Anyhow, there may be more than one way to fix this. I have used the ASU
> unix command line tools to add back an acl for system. "net perms" will
> not work as you need permission via the missing acl to do this. I think
> the command I used was "chacl" (or something) to actually add an acl back
> into ASU for system on the object in question. I think you have to know
> the SID number for the account (look at another object that has the acl
> you want) and I think the permission is given in a long character mask.
> Refer to the man pages. I have some notes written down somewhere on this
> as I use it from time to time.
>
> I think that I simply added "everyone" as "full_control" and then used
> the "net perms" command to add the SYSTEM acl back and then change
> "everyone" back to a more reasonable value. The "everyone" sid is always
> the same.
>
> I hope this helps...
> Dan
>
=============================================================
ORIGINAL QUESTION:-

Dear ASU experts,

When requesting share permission information using "net access" or "net
perms" (we have Compaq Advanced Server V5.1A ECO3 for UNIX), I have noticed
some shares and Unix folders having permissions for "Server Operators" and
"SYSTEM". I wish to know what happens if I remove these from the Unix
folders.

I have already tried this on one of our shares. The result was that I am
able to continue granting and revoking users/groups on this share, but once
I do it on the relevant Unix folder, I CANNOT grant/revoke ANY user/group to
that folder anymore, even if I am logged into ASU under Unix as the domain
Administrator (we currently have the ASU server as part of an NT domain but
soon we will be migrating to MS Active Directory 2003).

Can someone please throw some light on what has gone wrong and how I can
retrieve the affected folders? Thanks in advance.

Harihar K




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:50:07 EDT