For When You Can't Have The Real Thing
[ start | index | login ]
start > netapp > Mixed Mode Filesystems Suck

Mixed Mode Filesystems Suck

Created by dave. Last edited by dave, 3 years and 204 days ago. Viewed 11,424 times. #5
[diff] [history] [edit] [rdf]
labels
attachments

Problem

Mixed-mode file systems suck.

You'll have to be a bit more specific.

Someone applied a CIFS ACL to a directory tree in a mixed mode filesystem and now the unix permissions are not usable.

Specifically: there was a requirement to deny a Windows user (and by extention, the same unix account) from access to a directory tree. So in Windows we brought up the Security tab for this top-level directory, added the Windows account, set it to Full Control: Deny, then clicked OK. Windows went off into space for a brief time, and now unix users cannot access files in this tree.

Examining the ownerships on the files in question (deep in the hierarchy structure) reveal modes and ownerships as 777 root:other.

As we all know, when an ACL contradicts the unix ownerships and permissions, the filer stamps 777 root:other on the file or directory, which is confusing because the access which is indicated (full control for everyone) is not what you get (which is controlled by the ACL plus the filer's inability to map windows users and groups to unix users and groups. In all likelyhood it won't get it right and revert to the deny-by-default security (which is sound security practice, but frustratingly inconvenient when it prevents users from getting at the things they need to get at).

Solution

You're boned unless you can go back in time and set things up so that PC users use NTFS-mode and unix users use unix-mode.

If you have backups, you can restore them either to a tree to use as a reference (see below) or (if you are seriously boned) over-top of the messed up tree.

If-You-Feel-Lucky Recovery process if you have a reference tree

If you have a snapshot directory that has your files in it at a point which predates your mistake, you can use that as a reference to stamp ownerships and permissions back on the live tree.

This also presumes that the system you are working from has permissions to mount the file system as root. And it the secret >>make-root-really-root setting on the filer being set will help as well.

This will recover the unix permissions and eliminate the ACLs on the files. Sing along: this will eliminate the ACLs on the files. Removing the ACLs may bone you in other ways; your mileage may vary. In our highly specific case we were significantly less boned by having this user access the tree than we were with none of the engineers accessing the tree.

First, you need this script (called /tmp/philter in our example) and make sure it is executable:

#!/usr/bin/perl
$mode=shift @ARGV;
$owner=shift @ARGV;
$group=shift @ARGV;
$file="@ARGV";
print "chown $owner:$group '$file';chmod $mode '$file'\n";

Now go to the snapshot (in our case, $ROOT/.snapshot/nightly.2) and do this:

# find . -exec stat --format='%a %U %G %n' '{}' \;  | sed -e 's/^/\/tmp\/philter/' >> /tmp/phix

This took a long time (about an hour) to run on a tree with 300,000 directories and files in it. Eventually it should leave a file, /tmp/phix, filled with lines like this:

chown user:group './Documents/Architecture/rpe/rpe_sram_estimate.xls'; chmod 644 './Documents/Architecture/rpe/rpe_sram_estimate.xls'

Now if you are brave, you can change to the root of the affected directory tree and run this file through a shell and it should try to correct the ownerships and modes of the files on the filesystem:

$ cd $ROOT
# bash /tmp/phix

This runs surprisingly quickly.

Things this process will not deal with:

  • File names that start with the ~ character; however these files are usually temporary files created by Microsoft Word and therefore are harmless if they have ACLs on them.
  • username UNKNOWN and/or group nogroup. Again, these didn't have ownerships or groups set properly originally, so you'll probably be OK.
That's all we detected this time through.
no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful:


snipsnap.org | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt