Sun Microsystems, Inc.  Sun System Handbook - ISO 4.1 October 2012 Internal/Partner Edition

Asset ID: 1-71-1439485.1
Update Date: 2012-07-09
Keywords:

Solution Type: Technical Instruction Sure

Solution  1439485.1 :   Sun Storage 7000 Unified Storage System: Share ACLs vs. File and Directory ACLs  


Related Items
  • Sun Storage 7310 Unified Storage System
  • Sun Storage 7410 Unified Storage System
  • Sun ZFS Storage 7120
  • Sun Storage 7110 Unified Storage System
  • Sun ZFS Storage 7420
  • Sun ZFS Storage 7320
  • Sun Storage 7210 Unified Storage System
Related Categories
  • PLA-Support>Sun Systems>DISK>NAS>SN-DK: 7xxx NAS
  • .Old GCS Categories>Sun Microsystems>Storage - Disk>Unified Storage
In this Document
Goal
Fix


Created from <SR 3-3740498461>

Applies to:

Sun Storage 7110 Unified Storage System - Version Not Applicable to Not Applicable [Release N/A]
Sun Storage 7310 Unified Storage System - Version Not Applicable to Not Applicable [Release N/A]
Sun Storage 7210 Unified Storage System - Version Not Applicable to Not Applicable [Release N/A]
Sun ZFS Storage 7420 - Version Not Applicable to Not Applicable [Release N/A]
Sun Storage 7410 Unified Storage System - Version Not Applicable to Not Applicable [Release N/A]
7000 Appliance OS (Fishworks)

Goal

This document explains differences between share ACLs and file/directory ACLs, and when to use each.

Fix

When initially configuring an SMB share, an ACL can be set on both the Protocols page:

[Screenshot in the original: share ACL on the Protocols page]

... and on the Access page:

[Screenshot in the original: file and directory ACL on the Access page]
However, it is important to note that these two types of ACL are entirely different and not mutually exclusive. If both are set, they are combined, and the result may restrict access to files more than was intended.

Generally speaking, most configurations should leave the Share ACL at the default of Everyone/Full Control. With this setting, the Share ACL does not restrict access at all, and all of the access control is handled in the File and Directory ACLs.

Share ACLs are a legacy feature: they predate the ability to put ACLs on every file and directory. They are checked once, when the share is mounted, and every operation on every file in the share is limited by those permissions. Any file or directory permissions encountered later can only restrict access further.

File and directory ACLs can be configured to grant full access to some files, completely block others, and anything in between. They use inheritance and work almost identically to today's Windows and NFSv4 ACLs. These should be used exclusively wherever possible.

However, Share ACLs do have their uses:

  • They can be used for UNIX/Windows interop where all Windows clients have a clearly defined, lesser level of access, usually read-only.
  • Very simple security configurations where all users require the same access. Again, often read-only.
  • In the future, when/if multiple SMB shares per filesystem are possible, a simple security scheme could be created by creating multiple shares with different share permissions.
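The following model shows how the two layers described above combine: the share ACL is evaluated once at mount time, the file or directory ACL is evaluated in NFSv4 order (first ACE that mentions a permission bit for a matching principal decides that bit), and the effective access is the intersection of the two. It also shows why the default Everyone/Full Control share ACL leaves all control to the file and directory ACLs, and how a read-only share ACL clips access for Windows clients in the interop case. This is an added illustration, not appliance code; the principal names, group memberships and ACL contents are constructed sample data.

```python
"""Model of how an SMB share ACL and NFSv4-style file/directory ACLs combine
on a Sun Storage 7000 share.  Added example with constructed sample data; it
is not the appliance's own access-control code."""
from dataclasses import dataclass

READ, WRITE, EXECUTE = "read", "write", "execute"
ALL = frozenset({READ, WRITE, EXECUTE})   # stands in for "Full Control"


@dataclass(frozen=True)
class Ace:
    principal: str        # user name, group name, or "everyone"
    kind: str             # "allow" or "deny"
    perms: frozenset      # permission bits this ACE speaks about


def _matches(ace, user, groups):
    return ace.principal in ("everyone", user) or ace.principal in groups


def evaluate_acl(acl, user, groups):
    """NFSv4-style evaluation: walk the ACEs in order; the first ACE that
    mentions a permission bit for a matching principal decides that bit.
    Bits no matching ACE mentions are denied."""
    granted, decided = set(), set()
    for ace in acl:
        if not _matches(ace, user, groups):
            continue
        for perm in ace.perms - decided:
            decided.add(perm)
            if ace.kind == "allow":
                granted.add(perm)
    return frozenset(granted)


def effective_access(share_acl, file_acl, user, groups=()):
    """The share ACL is checked once at mount; file/directory ACLs can only
    restrict further, so the effective set is the intersection."""
    groups = set(groups)
    share = evaluate_acl(share_acl, user, groups)
    if not share:
        return frozenset()   # mount-time check fails; nothing below is reachable
    return share & evaluate_acl(file_acl, user, groups)


# Constructed sample configuration (assumed names, not from the document).
DEFAULT_SHARE_ACL = [Ace("everyone", "allow", ALL)]                    # Everyone/Full Control
READ_ONLY_SHARE_ACL = [Ace("everyone", "allow", frozenset({READ, EXECUTE}))]
PAYROLL_FILE_ACL = [
    Ace("contractors", "deny", ALL),            # deny placed first, as NFSv4 ordering requires
    Ace("hr", "allow", ALL),
    Ace("everyone", "allow", frozenset({READ})),
]

if __name__ == "__main__":
    # Default share ACL: the file ACL alone decides.
    print(sorted(effective_access(DEFAULT_SHARE_ACL, PAYROLL_FILE_ACL, "alice", ["hr"])))
    print(sorted(effective_access(DEFAULT_SHARE_ACL, PAYROLL_FILE_ACL, "bob")))
    print(sorted(effective_access(DEFAULT_SHARE_ACL, PAYROLL_FILE_ACL, "carol", ["contractors", "hr"])))
    # Read-only share ACL: clips even a principal the file ACL grants Full Control.
    print(sorted(effective_access(READ_ONLY_SHARE_ACL, PAYROLL_FILE_ACL, "alice", ["hr"])))
```

The last case is the one the text warns about: alice has Full Control in the file ACL, yet the read-only share ACL removes write access before the file ACL is ever consulted. When diagnosing unexpected "access denied" results on an SMB share, check the share ACL on the Protocols page before digging into the per-file ACLs.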

  Copyright © 2012 Sun Microsystems, Inc.  All rights reserved.