For When You Can't Have The Real Thing

I Want Root Access To Ignore ACLs

Created by dave. Last edited by dave, 10 years and 128 days ago.
(26 September 2006)

Every so often, you'll be on a Unix box that mounts data from a filer that may also be accessed by a Windows host. The Windows host may have applied an ACL to the data. Then, as root, you'll try to copy, move, or otherwise access this data, only to get access denied, even as root, on an export that allows root access from the host you are on. What gives?

This is normal. NetApp tries to be more secure than not, so even as root, you have to comply with ACL rules. The systems administrator's way around this is to set an option on the filer that allows root to ignore CIFS ACLs.

options cifs.nfs_root_ignore_acl on

Set this option to on, and you are free to traverse any CIFS ACL with no delays. Use with caution, but if you have root, you probably know what you are doing.

Optional: Don't forget the reverse option (which makes NT admins root):

options wafl.nt_admin_priv_map_to_root on


Caveat: If you do this, anyone who is a Domain Admin will be mapped to root, so their files will be created by and manipulated by root. This might not be what you want.

Something Else: beware that if you are looking at this through a Windows box accessing a CIFS share, the permissions on the CIFS share have to permit the administrative user to connect before that user can ignore ACLs. In other words: a CIFS share ACL can deny an administrative user access to the filesystem.
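
Because both options remove an access check, it is worth knowing which filers have them switched on. The script below is an added example, not part of the original page: it audits a saved copy of a filer's options output for the two settings above. It assumes each line is an option name followed by whitespace and its value; the sample lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag the two ACL-bypass options discussed on this page.
# Assumption: input lines look like "<option name><whitespace><value>".

audit_acl_bypass() {
    # $1: file holding captured options output from one filer
    awk '
        BEGIN {
            why["cifs.nfs_root_ignore_acl"] = "NFS root ignores CIFS ACLs"
            why["wafl.nt_admin_priv_map_to_root"] = "Domain Admins map to root"
            for (k in why) seen[k] = 0
        }
        { sub(/\r$/, "") }              # tolerate CRLF from terminal captures
        ($1 in why) {
            seen[$1] = 1
            v = tolower($2)
            if (v == "on") { printf "RISK %s=on (%s)\n", $1, why[$1]; bad++ }
            else if (v == "off") printf "OK %s=off\n", $1
            else { printf "UNKNOWN %s=%s\n", $1, $2; bad++ }
        }
        END {
            # An option absent from the capture cannot be vouched for.
            for (k in why) if (!seen[k]) { printf "MISSING %s\n", k; bad++ }
            exit (bad > 0)
        }
    ' "$1"
}

sample_options() {
    # Constructed sample, not real filer output.
    cat <<'EOF'
cifs.nfs_root_ignore_acl       on
example.unrelated.option       on
wafl.nt_admin_priv_map_to_root off
EOF
}

tmp=$(mktemp)
sample_options > "$tmp"
audit_acl_bypass "$tmp" || echo "review required: ACL bypass in effect or unverified"
rm -f "$tmp"
```

The function exits non-zero when either option is on, unreadable, or missing from the capture, so it can gate a periodic configuration check.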
