sean finney on Mon, 3 Feb 2003 19:27:15 -0500

Re: [PLUG] Moving a lot of user accounts


On Mon, Feb 03, 2003 at 10:47:03AM -0500, Brian Epstein wrote:
> > I disagree. The right solution to that problem is file access
> > control lists, which can be managed by the users entirely without
> 
> Well, we'll have to agree to disagree, then.  ACLs don't work the same 
> across OSs, or across filesystems.  And in general, most SAs wouldn't 

yes and no.  they aren't necessarily implemented the same on every fs
(though there is a POSIX standard towards which all are moving, ext2/3
patch is already there, don't know about others), but if you're exporting
the file system over nfs, the rpc routines are the same.  thus a solaris
box with ACLs set on it could provide ACL'able files to any client OS
over NFS as long as the client speaks ACLs in NFS.  unfortunately, that
ain't in linux without a patch yet, don't know about the BSDs.

> across OSs, or across filesystems.  And in general, most SAs wouldn't 
> know a filesystem ACL if they tripped over one.  They are not obvious 
> in most situations like file permissions.

i think that's a rather broad generalization, yo.  ACLs are extensively
used in both the windows network of my college and the unix-based network
of my computer science dept (for the latter i am a student SA).

> And Bob should not be added to Alice's.  A new group should be created 
> and Bob and Alice should be added to that new group.

yeah, but the problem with that is it requires the SA to create these
groups.  imagine an academic environment, where users pair off with
different partners every week for a project.  we used to make groups
for them, but first of all, it requires our time and privs, and it's
a huge headache to keep track of which groups can be safely deleted
and when you delete them, you have to worry about stranding files
that no longer belong to any group.

ACLs, on the other hand, can be created and deleted by users, and give
them much more control over what can and can't be done with their files.
the biggest problem we had is that setfacl and getfacl for solaris have
a god-awful commandline syntax that scares away most folks.  attached is
a solution that i wrote to it my sophomore year at swat after having been
a sysadmin for only 4 or 5 months (and using any kind of unix for about a year
past that), mind you.

> For example, Bob and Alice need to edit web pages.  First we create a 
> new group called "web" in /etc/group, and add Bob and Alice to this 
> group.

not quite correct.  bob and alice need to edit web pages.  they send
an email to the SA, asking "please create this group for us, we need
to edit web pages".  the SA, when he/she has time to get around to it
(when not busy actually doing _real_ administration) will create the
group, and then give them instructions on how they can ensure they
can read/write each other's files.

with ACLs, the sysadmin never has to be bothered, and alice and bob
don't have to wait before getting started.  furthermore, with the help
of a script such as the attached, they don't even have to know about
arcane command lines or r'ing tfm.

> Yeah, right.  How many users have you been able to educate without the 
> use of a LART?

use a system that lets them do it without any help, write a script they
can run that does it for them, have the script tell them how to do it
without the help of the script.  see attached.

> > systems (XFS and AFS). ACLs mean that I, as the sysadmin, need not
> > be involved for users to share files. Clearly, there's no reason I
> 
> Heheheh, I would love to work where you work.  I'd like to meet a user 
> who understands ACL's well enough to use them.

see attached, or send an email to local-staff to talk to some of the
sys-admins.  i can't profess to how many of the student users currently use
ACLs but i'd guess that the majority of first year students have used
this script at one point or another.


	sean
#!/bin/sh
#easysetfacl.sh
#an interactive script to simplify setfacl
#made by seanius, 1/24/2000
#modified 1/25/2000:
#      -prettied up the test for $PERMS
#      -also fixed problem allowing blank inputs
#modified 05/01/2001:
#      -allowed for multiple users to be entered
#modified 2002-09-17     21:17 EDT
#      -fixed a bug (USERLIST instead of USERS)

# turn the space-separated list the user typed into the comma-separated
# list that listusers -l wants
make_userlist() {
   echo "$1" | sed -e 's/^[ 	]*//' -e 's/[ 	]*$//' -e 's/[ 	][ 	]*/,/g'
}

# print the names listusers could not find (empty output means they all exist)
missing_users() {
   listusers -l "$1" 2>&1 | grep " was not found"
}

echo "user(s) with whom you'd like to share (separate them with spaces): "
read USERS
USERLIST=`make_userlist "$USERS"`
MISSING=`missing_users "$USERLIST"`

# the old test only rejected the input when *every* name was unknown, so a
# typo in one of several names slipped through to setfacl; reject on any
while [ -z "$USERS" ] || [ -n "$MISSING" ]; do
   echo "sorry, at least one user in \"$USERS\" was not found.  try again"
   printf "user(s): "
   read USERS
   USERLIST=`make_userlist "$USERS"`
   MISSING=`missing_users "$USERLIST"`
done

echo "okay, now enter permissions you'd like to give to"
echo "$USERLIST" | sed -e 's/,/, /g' -e 's/, \([^,]*\)$/ and \1/'
echo "(read = 4, write = 2, execute = 1, nothing = 0)"
echo "example: if you want to share something as both"
echo "readable and executable, but don't want someone"
echo "to be able to overwrite it, you want 5 (4 + 1)"
echo ""
printf "so what's it gonna be?: "
read PERMS
# accept exactly one octal digit; blank, "44", "4 2" or letters are rejected
while :; do
   case "$PERMS" in
      [0-7]) break;;
   esac
   echo "sorry, you need to enter an integer from 0-7"
   printf "try again: "
   read PERMS
done

echo ""
echo "and now, the file(s) you'd like to share (type -LIST for a list): "
echo "(and yes, expressions like '*' are allowed)"
read FILE
if [ "$FILE" = "-LIST" ]; then ls; printf "file: "; read FILE; fi
while [ -z "$FILE" ]; do printf "file: "; read FILE; done

ACL_LIST=""
for EACH_USER in $USERS; do
   if [ -z "$ACL_LIST" ]; then ACL_LIST="user:$EACH_USER:$PERMS"
   else ACL_LIST="$ACL_LIST,user:$EACH_USER:$PERMS"; fi
done

# -m adds/modifies the user: entries; -r recalculates the ACL mask first,
# otherwise a stale mask can silently limit what those entries grant.
# $FILE is deliberately left unquoted so that '*' and friends expand.
echo "the command you want is: "
echo "setfacl -r -m $ACL_LIST $FILE"
echo "shall I do this for you? (y/[n])"
read YESORNO
case "$YESORNO" in
   [yY]) exec setfacl -r -m "$ACL_LIST" $FILE;;
   *)    echo "fine, I won't :)";;
esac
exit 0

Attachment: pgpyen3ajUm1h.pgp
Description: PGP signature
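Added example, not part of Sean's post or his attached script: the ACL bookkeeping the script leaves to setfacl, done in plain Python so it runs without an ACL-capable filesystem. It converts the 0-7 digit the script asks for into rwx, parses getfacl-style output (a constructed sample, in both the Solaris "mask:r--" and Linux "mask::r--" spellings) and computes what a user can actually do once the POSIX ACL mask is applied, which is why the script passes -r to setfacl, and builds the setfacl invocation as an argv list instead of a whitespace-split string. The user-name regex and the assumption that Solaris setfacl accepts "user:name:rwx" entries are the example's own; a real tool would still look names up in passwd/NIS the way the script does with listusers.

```python
"""Effective POSIX ACL access and a shell-free setfacl command builder.

Added example (not from the mailing-list post or its attached script).
Runs without an ACL-capable filesystem: the getfacl text is constructed.
"""
import re

PERM_BITS = (("r", 4), ("w", 2), ("x", 1))

# POSIX portable user-name syntax; stands in for the script's listusers
# check (assumption: a real tool would still look the name up in passwd/NIS).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Constructed getfacl-style output for the example.  Solaris prints the
# mask entry as 'mask:r--', Linux as 'mask::r--'; both are handled below.
SAMPLE_ACL = """\
# file: project/notes.txt
# owner: alice
# group: cs21
user::rw-
user:bob:rw-            #effective:r--
group::r--
mask:r--
other:---
"""


def digit_to_rwx(digit):
    """The script's 0-7 digit -> 'r--', 'rw-', ... as getfacl prints it."""
    if not 0 <= digit <= 7:
        raise ValueError("permission digit must be 0-7, got %r" % (digit,))
    return "".join(ch if digit & bit else "-" for ch, bit in PERM_BITS)


def rwx_to_digit(rwx):
    return sum(bit for ch, bit in PERM_BITS if ch in rwx)


def parse_getfacl(text):
    """Return (owner, owning_group, {(tag, qualifier): digit})."""
    owner = group = None
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        line = line.split("#", 1)[0].strip()      # drop comments / #effective
        if not line:
            continue
        fields = line.split(":")
        if len(fields) == 2:                      # Solaris 'mask:r--'
            fields.insert(1, "")
        tag, qual, perms = fields[:3]
        entries[(tag, qual)] = rwx_to_digit(perms)
    return owner, group, entries


def effective_access(acl_text, user, user_groups=()):
    """Access digit for user, in POSIX.1e order: owner, named user, the
    owning/named groups (per-bit union), other.  Named-user and group
    entries are ANDed with the mask; the owner and other entries are not."""
    owner, owning_group, acl = parse_getfacl(acl_text)
    mask = acl.get(("mask", ""), 7)               # no mask entry: nothing masked
    if user == owner:
        return acl[("user", "")]
    if ("user", user) in acl:
        return acl[("user", user)] & mask
    granted, matched = 0, False
    for g in user_groups:
        if g == owning_group:
            granted, matched = granted | acl[("group", "")], True
        if ("group", g) in acl:
            granted, matched = granted | acl[("group", g)], True
    return (granted & mask) if matched else acl[("other", "")]


def recalculated_mask(acl_text):
    """What 'setfacl -r' sets the mask to: the union of every named-user,
    owning-group and named-group entry (owner and other sit outside the mask)."""
    _, _, acl = parse_getfacl(acl_text)
    m = 0
    for (tag, qual), digit in acl.items():
        if (tag == "user" and qual) or tag == "group":
            m |= digit
    return digit_to_rwx(m)


def build_setfacl_argv(users, digit, files, recalc_mask=True):
    """argv for the command the script prints, as a list (hand it to
    subprocess.run without shell=True) rather than a string that gets
    re-split on whitespace.  Assumes Solaris-style 'user:name:rwx' entries."""
    for u in users:
        if not USERNAME_RE.match(u):
            raise ValueError("bad user name: %r" % (u,))
    for f in files:
        if f.startswith("-"):
            raise ValueError("file name would be parsed as an option: %r" % (f,))
    acl_list = ",".join("user:%s:%s" % (u, digit_to_rwx(digit)) for u in users)
    argv = ["setfacl"] + (["-r"] if recalc_mask else []) + ["-m", acl_list]
    return argv + list(files)


if __name__ == "__main__":
    for who, grps in (("alice", ()), ("bob", ()), ("carol", ("cs21",)), ("dave", ())):
        print("%-5s -> %s" % (who, digit_to_rwx(effective_access(SAMPLE_ACL, who, grps))))
    print("mask after -r:", recalculated_mask(SAMPLE_ACL))
    print(build_setfacl_argv(["bob", "carol"], 5, ["notes.txt"]))
```

Running it shows the point of the script's -r flag: bob has a user:bob:rw- entry but the stale mask:r-- cuts him to read-only, and recalculating the mask (rw-) restores what the entry was meant to grant. The argv builder also refuses names that don't look like user names and file names that start with "-", two things the interactive script relies on listusers and the user for.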