Re: tar or zipping files to which you have no explicit access?
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 03/13/04
- Next message: Barney: "Re: netsh"
- Previous message: David Wang [Msft]: "Re: netsh"
- In reply to: Tom Rodman: "tar or zipping files to which you have no explicit access?"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 12 Mar 2004 16:38:52 -0800
o eventually there will be users that violate the rules, and or insist
that they be allowed to do so. This can get
political - you can not / will not always win political skirmishes.
System admins are not always treated like gods by management.
But every system admin should know that management is just deluding
themselves. If you are root, you hold the keys and there's really nothing
that management can do about that. ;-)
o IMHO users may have a valid reason for *not* granting the administrators
access to an object. Why should they be forced to? Our users are
software developers, perhaps they need to have very strict permissions
for code test cases. End users deserve respect, they pay for us with
their work.
Sure, that is supported by NTFS -- except that users should know that it is
not possible to hide anything from Administrators. Administrators, by
default, can access anything, even things they do not have permission to.
o This attitude that user's should not be able to permissions to objects
they own to what ever they want is IMHO arrogant, arrogant consistent
with the worst of "Microsoft culture". In contrast UNIX has no such
constraints - tools exist for "root" to backup all objects to a non-tape
archive regardless of their permissions or acls.
Huh? I'm running as a normal, unprivileged user, and I can set whatever
permissions I want to objects I own -- no restrictions. I think the problem
is with your ACL setup, where your users do not actually own the resources.
If one cannot set up ACLs to work the way he/she want, I would start looking
at the mirror, not blame Microsoft for supposed arrogance, etc...
I think the issue is that the open source tools are not using the privileges
(openly documented) that you are setting. NTBackup does.
o NTFS has an incredibly rich permissions capability - more so than UNIX.
To insist that administrators or system have full control to every
object "dumbs down" this richness and seems to contradict it's design.
I think that the richness of NTFS and Windows Access Control confuses *nix
users into applying a dumbed down contradiction to actual design.
Administrators have the necessary privilege can implicitly obtain control to
any object on the system without being explicitly ACLd to anything. Local
System has the same privilege.
Personally, I think that you need to set up ACLs that include full control
to CREATOR_OWNER, and then you'll start seeing some improvement in behavior.
Despite the richness of NTFS, depending on the shackles that arbitrary
applications place on the system, one may not have any options... and I
think it's the fault of the arbitrary application at removing all the
options that the OS provided.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Tom Rodman" <Use-Author-Address-Header@[127.1]> wrote in message
news:200403121005.i2CA5ChC023555@tigris.pounder.sol.net...
How can we "zip up" or tar
users' directories to a single archive file. We
do NOT want to limit the access rights end users can assign to their
objects. After archiving the objects into to a single
tar or zip file we want to be able to restore them preserving
original ownership and ACLs.
We've tried granting ourselves the right to
"backup files and directories"
"restore files and directories"
The show-stopper has been "Permission denied" errors on files
for which we have no access rights - these could not be added to
the tar archive.
We're looking for a no cost solution using our free open source tools. My
guess is the solution involves granting the process
creating the backup file archive the proper rights.
Clearly ntbackup can do this- but it only archives to tapes;
if ntbackup could archive/restore to/from a file that would be
fine - but it can not.
why we do not want to restrict the permissions our end
users assign to their own objects:
o eventually there will be users that violate the rules, and or insist
that they be allowed to do so. This can get
political - you can not / will not always win political skirmishes.
System admins are not always treated like gods by management.
o IMHO users may have a valid reason for *not* granting the administrators
access to an object. Why should they be forced to? Our users are
software
developers, perhaps they need to have very strict permissions for code
test
cases. End users deserve respect, they pay for us with their work.
o This attitude that user's should not be able to permissions to objects
they own to what ever they want is IMHO arrogant, arrogant consistent
with the worst of "Microsoft culture". In contrast UNIX has no such
constraints - tools exist for "root" to backup all objects to a non-tape
archive regardless of their permissions or acls.
o I can give you a specific example where a production database requires a
all objects below a given directory have an explicit ACL value
that does *not* include system or administrators. If an object is
changed to include either of the above groups, then the application
will not work- at some point it will self repair by resetting all
the permissions on the tree so that these groups are removed.
o another example is cygwin's ssh client, for each ssh end user, their
$HOME/.ssh/ dir should be set for access *only* by the user, no access -
not
even read or execute to anyone else. I may not be entirely correct
on this one, but I know the permissions on ~/.ssh/ are quite strict
by design (it's a "secure shell" after all).
o NTFS has an incredibly rich permissions capability - more so than UNIX.
To insist that administrators or system have full control to every
object
"dumbs down" this richness and seems to contradict it's design.
Any help would be appreciated; pls post *and* also e-mail me.
thanks/regards,
--
Tom Rodman
pls run this for my e-mail address:
perl -e 'print unpack("u", "\.\=\$\!T\<F\]D\;6\%N\+F\-O\;0H\`");'
- Next message: Barney: "Re: netsh"
- Previous message: David Wang [Msft]: "Re: netsh"
- In reply to: Tom Rodman: "tar or zipping files to which you have no explicit access?"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
