Wednesday, April 30, 2008
ACLs are enabled by default in Solaris 2.9
... and probably earlier. This says ACLs were "integrated" into 2.5 back in 1995, which might explain why they're finicky in 2.9.
Anyway, I don't want to look this up again and won't believe myself next time it matters, so here I am using ACLs in / on 2.9, where I wouldn't have enabled them on purpose.
buzz> cd /
buzz> touch foo
buzz> setfacl -r -m u:karen:rwx foo
buzz> su karen
buzz> id
uid=1234(karen) gid=200(staff)
buzz> ls -l foo
-rw-r--r--+ 1 root other 0 Apr 30 11:35 foo
buzz> echo "bar" > foo
buzz> ls -l foo
-rw-r--r--+ 1 root other 4 Apr 30 11:36 foo
The trailing + in the ls -l output marks a file with a non-trivial ACL; the -r on setfacl recalculates the mask entry so karen's rwx is not capped by the file's old group bits.
Here's an entry from a similar blog describing getfacl/setfacl usage on Solaris. Red Hat usage is similar, except:
- There's no -r flag, because mask recalculation is implicit (Linux setfacl recalculates the mask unless you pass -n).
- Partial default ACLs are allowed. (You can set a default user, for example, without having to set defaults for group, other and mask.)
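To make the mask behaviour concrete, here is an added example (not code from the original post) that models how Solaris UFS and Linux ACLs derive a named user's effective rights. It replays the session above: root creates a 0644 file, grants u:karen:rwx, and the result depends on whether the mask entry is recalculated (Solaris -r, or the Linux default). The names root/other/karen/staff are the post's; the Acl class, its methods and the seeding of a new mask from the old group bits are this example's own model of the POSIX 1003.1e draft rules, not Solaris or Linux code.

```python
"""POSIX-draft ACL evaluation with a mask entry (added example, hypothetical helpers)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

R, W, X = 4, 2, 1


def perm_bits(s: str) -> int:
    """'rwx' / 'r-x' / 'r--' -> permission bits."""
    if len(s) != 3 or s[0] not in "r-" or s[1] not in "w-" or s[2] not in "x-":
        raise ValueError("bad permission string %r" % s)
    return (R if s[0] == "r" else 0) | (W if s[1] == "w" else 0) | (X if s[2] == "x" else 0)


def perm_str(bits: int) -> str:
    return ("r" if bits & R else "-") + ("w" if bits & W else "-") + ("x" if bits & X else "-")


@dataclass
class Acl:
    owner: str
    group: str
    user_obj: int                      # user::   (file owner)
    group_obj: int                     # group::  (owning group)
    other: int                         # other::
    named_users: Dict[str, int] = field(default_factory=dict)
    named_groups: Dict[str, int] = field(default_factory=dict)
    mask: Optional[int] = None         # exists only once a named entry exists

    def _mask(self) -> int:
        return 7 if self.mask is None else self.mask

    def add_named_user(self, name: str, perms: str, recalc_mask: bool) -> None:
        """setfacl -m u:NAME:PERMS.  recalc_mask=True is Solaris -r / the Linux default."""
        self.named_users[name] = perm_bits(perms)
        if self.mask is None:
            # First named entry: the mask is seeded from the old group bits,
            # so on a 0644 file it starts as r-- and caps karen's rwx.
            self.mask = self.group_obj
        if recalc_mask:
            self.recalc_mask()

    def recalc_mask(self) -> None:
        """mask := union of every group-class entry (group::, named users, named groups)."""
        bits = self.group_obj
        for p in self.named_users.values():
            bits |= p
        for p in self.named_groups.values():
            bits |= p
        self.mask = bits

    def effective(self, user: str, groups: Set[str]) -> int:
        """Bits `user` (a member of `groups`) actually gets."""
        if user == self.owner:
            return self.user_obj                     # owner entry is never masked
        if user in self.named_users:
            return self.named_users[user] & self._mask()
        granted, matched = 0, False
        if self.group in groups:
            granted, matched = granted | self.group_obj, True
        for g, p in self.named_groups.items():
            if g in groups:
                granted, matched = granted | p, True
        if matched:                                  # group class: union of matches, then mask
            return granted & self._mask()
        return self.other

    def getfacl(self) -> str:
        """Render like Linux getfacl, including the #effective: annotation."""
        out = ["# owner: " + self.owner, "# group: " + self.group,
               "user::" + perm_str(self.user_obj)]
        out += [self._masked("user:%s:" % n, p) for n, p in self.named_users.items()]
        out.append(self._masked("group::", self.group_obj))
        out += [self._masked("group:%s:" % n, p) for n, p in self.named_groups.items()]
        if self.mask is not None:
            out.append("mask::" + perm_str(self.mask))
        out.append("other::" + perm_str(self.other))
        return "\n".join(out)

    def _masked(self, prefix: str, bits: int) -> str:
        line = prefix + perm_str(bits)
        if self.mask is not None and bits & self.mask != bits:
            line += "\t\t#effective:" + perm_str(bits & self.mask)
        return line


def karen_on_foo(recalc_mask: bool) -> str:
    """The post's session: root creates a 0644 `foo`, then grants u:karen:rwx."""
    foo = Acl("root", "other", perm_bits("rw-"), perm_bits("r--"), perm_bits("r--"))
    foo.add_named_user("karen", "rwx", recalc_mask=recalc_mask)
    return perm_str(foo.effective("karen", {"staff"}))


if __name__ == "__main__":
    print("without -r:", karen_on_foo(False))   # r--
    print("with -r:   ", karen_on_foo(True))    # rwx
```

The check a practitioner wants after any setfacl is the #effective: column of getfacl: a named entry whose effective rights differ from what was granted means the mask was not recalculated, which is exactly the Solaris-without-r case.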
Thursday, April 24, 2008
pvscan and lvcreate
Working with disks on RedHat LVM...
- Create a new ext3 FS where free space already exists in the volume group. (RH4)
[root@here /]# pvscan
  PV /dev/sdb1   VG prod_dg   lvm2 [273.22 GB / 139.44 GB free]
  PV /dev/sda2   VG rootdg    lvm2 [134.66 GB / 106.06 GB free]
  Total: 2 [407.88 GB] / in use: 2 [407.88 GB] / in no VG: 0 [0 ]
[root@here /]# lvcreate --size 5G -n homeVol -t rootdg    # -t ("minus t") is test mode: rehearse first
  Test mode: Metadata will NOT be updated.
  Failed to activate new LV.                               # expected in test mode; nothing was written
[root@here /]# lvcreate --size 5G -n homeVol rootdg
  Logical volume "homeVol" created
[root@here /]# mkfs.ext3 -b 1024 -T ext3 /dev/rootdg/homeVol   # -T is a usage profile, not the FS type; mkfs.ext3 already makes it ext3
mke2fs 1.35 (28-Feb-2004)
Filesystem label=
OS type: Linux
...
[root@here /]# vi /etc/fstab    # add the new FS
[root@here /]# mount /home
[root@wcidb1 etc]# df -T
...
/dev/mapper/rootdg-homeVol ext3  5159385   11824  4885417   1% /home
- Free space from the root filesystem (from notes taken while watching someone else -- incomplete and not tested!)
  - Boot from a rescue CD
  - ? fdisk -l -- look for "Linux LVM" and note the device path
  - ? Find out what VG is on that device: pvscan
  - Find out what LV the root filesystem is on: lvscan
  - Activate the LV so its device node exists: lvm lvchange -a y /dev/whatever
  - Check it first; resize2fs refuses to shrink a filesystem without a recent forced check: e2fsck -f /dev/whatever
  - Make the filesystem smaller than the new LV size: resize2fs /dev/whatever newsize, with K/G/M trailer
  - Shrink the LV, never below the new filesystem size: lvm lvreduce --size -1G /dev/whatever
  - Or let LVM do the check, filesystem shrink and LV shrink itself: lvm lvreduce --size -1G --resizefs /dev/whatever
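The step the author rehearses with lvcreate -t can be checked from the pvscan output directly. The following is an added example (not from the original post or from LVM): it parses the pvscan summary format shown above, sums free space per volume group, and reports whether a request like `lvcreate --size 5G -n homeVol rootdg` fits. SAMPLE_PVSCAN is the post's output plus one constructed line for a PV in no VG; the function names are this example's own.

```python
"""Check a volume group has room for an LV before running lvcreate (added example)."""
import re
from typing import Dict, Tuple

# pvscan of this LVM2 generation prints binary units labelled KB/MB/GB/TB;
# lvcreate --size reads the same binary K/M/G/T in either case.
UNIT = {"K": 2 ** 10, "M": 2 ** 20, "G": 2 ** 30, "T": 2 ** 40}

PV_LINE = re.compile(
    r"^\s*PV\s+(?P<dev>\S+)\s+(?:VG\s+(?P<vg>\S+)\s+)?lvm2\s+"
    r"\[(?P<size>[\d.]+)\s*(?P<su>[KMGT])B?"
    r"(?:\s*/\s*(?P<free>[\d.]+)\s*(?P<fu>[KMGT])B?\s+free)?\s*\]"
)


def to_bytes(number: str, unit: str) -> int:
    return int(float(number) * UNIT[unit.upper()])


def parse_size(spec: str) -> int:
    """'5G', '512M', '1.5g' -> bytes, as lvcreate --size reads them."""
    m = re.fullmatch(r"\s*([\d.]+)\s*([kKmMgGtT])\s*", spec)
    if not m:
        raise ValueError("bad size %r" % spec)
    return to_bytes(m.group(1), m.group(2))


def vg_space(pvscan_text: str) -> Dict[str, Tuple[int, int]]:
    """vg name -> (total bytes, free bytes) summed over its PVs; '' means no VG."""
    space = {}
    for line in pvscan_text.splitlines():
        m = PV_LINE.match(line)
        if not m:
            continue                                  # skips the Total: footer
        vg = m.group("vg") or ""
        size = to_bytes(m.group("size"), m.group("su"))
        # A PV in no VG prints only its size; all of it is free.
        free = to_bytes(m.group("free"), m.group("fu")) if m.group("free") else size
        t, f = space.get(vg, (0, 0))
        space[vg] = (t + size, f + free)
    return space


def can_create(pvscan_text: str, vg: str, size_spec: str) -> bool:
    """True if `vg` has at least `size_spec` free.  lvcreate rounds the request up
    to whole physical extents, so keep a little margin on borderline sizes."""
    space = vg_space(pvscan_text)
    if vg not in space:
        raise KeyError("volume group %r not in pvscan output" % vg)
    return parse_size(size_spec) <= space[vg][1]


# The post's pvscan output, plus a constructed unassigned PV for the no-VG case.
SAMPLE_PVSCAN = """\
  PV /dev/sdb1   VG prod_dg   lvm2 [273.22 GB / 139.44 GB free]
  PV /dev/sda2   VG rootdg    lvm2 [134.66 GB / 106.06 GB free]
  PV /dev/sdc1                lvm2 [10.00 GB]
  Total: 3 [417.88 GB] / in use: 2 [407.88 GB] / in no VG: 1 [10.00 GB]
"""

if __name__ == "__main__":
    for vg, (total, free) in sorted(vg_space(SAMPLE_PVSCAN).items()):
        print("%-8s %8.2f GB total %8.2f GB free" % (vg or "(no VG)", total / 2 ** 30, free / 2 ** 30))
    print("5G in rootdg:", can_create(SAMPLE_PVSCAN, "rootdg", "5G"))
```

Feed it `pvscan` output captured on the box (or `vgs --units g` on newer LVM, whose format differs) before the real lvcreate; a KeyError means you typed a VG name that does not exist, which is the other common way the command fails.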
Wednesday, April 9, 2008
Cyrus IMAP permissions
Full access to a Cyrus mailbox is "lrswipcda", as in setacl user/jqpublic jsixpack lrswipcda. This allows Joe Sixpack to map John Q Public's folder and change it any way he sees fit, including granting access to yet more users.
Occasionally, Human Resources or a successor needs access to a former employee's mailbox. A better set of permissions for this case is simply "lr": the mailbox can be listed and read, but the grantee cannot change flags (not even \Seen), delete or post messages, create or remove folders, or grant access to anyone else.
To revoke permissions, issue a setacl command with empty quotes in place of the privilege flags: setacl user/jqpublic jsixpack "" . Mail clients that present an Other Users folder should remove that folder after this change, but the client might need a restart.
The privilege flags are:
* (l) Lookup (mailbox visible to LIST/LSUB/UNSEEN)
* (r) Read (SELECT, CHECK, FETCH, PARTIAL, SEARCH, COPY source)
* (s) Seen (STORE \SEEN)
* (w) Write flags other than \SEEN and \DELETED
* (i) Insert (APPEND, COPY destination)
* (p) Post (send mail to mailbox)
* (c) Create and Delete mailbox (CREATE new sub-mailboxes, RENAME or DELETE mailbox)
* (d) Delete (STORE \DELETED, EXPUNGE)
* (a) Administer (SETACL)
Privilege flags section adapted from Wil Cooley's presentation at http://nakedape.cc/info/Cyrus-IMAP-Intro/ .
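The difference between "lrswipcda" and "lr" is easy to audit across many mailboxes. Here is an added example (not from the original post and not Cyrus code) that parses the two-column output of cyradm's listaclmailbox (lam), validates the rights letters against the table above, and flags every identifier other than the mailbox owner that holds more than "lr", ranking 'a' highest because it lets the holder hand access to further users. It also emits the setacl lines that trim each grant, using the empty-quotes revocation form from the post. SAMPLE_LAM and the identifiers in it are constructed; the RFC 4314 letters k/x/t/e are included so newer Cyrus output does not trip the validator.

```python
"""Audit Cyrus IMAP mailbox ACLs for grants broader than lookup+read (added example)."""
from typing import Dict, List, Set, Tuple

# Letters from the post (RFC 2086) plus the RFC 4314 letters newer Cyrus
# releases print, where k/x replace c and t/e replace d.
RIGHTS = {
    "l": "lookup", "r": "read", "s": "seen", "w": "write flags",
    "i": "insert", "p": "post", "c": "create/delete mailbox (legacy)",
    "d": "delete/expunge (legacy)", "a": "administer (SETACL)",
    "k": "create mailbox", "x": "delete mailbox",
    "t": "delete messages", "e": "expunge",
}
MODIFY = set("swicdkxte")      # anything that changes mailbox or message state
CAN_GRANT = {"a"}              # can run SETACL, i.e. hand access to others


def parse_rights(s: str) -> Set[str]:
    """'lrswipcda' -> set of letters; '' (the post's revocation form) -> empty set."""
    unknown = set(s) - set(RIGHTS)
    if unknown:
        raise ValueError("unknown right(s) %s in %r" % ("".join(sorted(unknown)), s))
    return set(s)


def parse_lam(text: str) -> Dict[str, Set[str]]:
    """lam prints one '<identifier> <rights>' line per ACL entry."""
    acl = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        acl[parts[0]] = parse_rights(parts[1] if len(parts) > 1 else "")
    return acl


def mailbox_owner(mailbox: str) -> str:
    """user/jqpublic or user/jqpublic/Sent -> jqpublic; shared mailboxes have no owner."""
    parts = mailbox.split("/")
    return parts[1] if len(parts) > 1 and parts[0] == "user" else ""


def audit(mailbox: str, acl: Dict[str, Set[str]],
          allowed: Set[str] = frozenset("lr")) -> List[Tuple[str, str, str]]:
    """(severity, identifier, excess rights) for every non-owner holding more than `allowed`."""
    owner = mailbox_owner(mailbox)
    findings = []
    for ident, rights in acl.items():
        if ident == owner:
            continue
        excess = rights - allowed
        if not excess:
            continue
        if rights & CAN_GRANT:
            sev = "HIGH"      # can re-grant anything to anyone, including after a cleanup
        elif rights & MODIFY:
            sev = "MEDIUM"
        else:
            sev = "LOW"       # e.g. 'anyone p', commonly the delivery grant: review, don't auto-revoke
        findings.append((sev, ident, "".join(sorted(excess))))
    return sorted(findings)


def remediation(mailbox: str, acl: Dict[str, Set[str]], findings,
                allowed: Set[str] = frozenset("lr")) -> List[str]:
    """cyradm lines trimming each flagged identifier to `allowed`, or revoking it outright."""
    cmds = []
    for _sev, ident, _excess in findings:
        keep = "".join(sorted(acl[ident] & allowed))
        cmds.append("setacl %s %s %s" % (mailbox, ident, keep if keep else '""'))
    return cmds


# Constructed lam output for user/jqpublic after the post's setacl example.
SAMPLE_LAM = """\
jqpublic lrswipcda
jsixpack lrswipcda
hr-archive lr
anyone p
"""

if __name__ == "__main__":
    acl = parse_lam(SAMPLE_LAM)
    found = audit("user/jqpublic", acl)
    for f in found:
        print("%-6s %-12s excess=%s" % f)
    for cmd in remediation("user/jqpublic", acl, found):
        print(cmd)
```

Run it over `lam` output for each mailbox you care about; the HIGH findings are the ones to fix first, since an identifier holding 'a' can undo any narrower grant you set.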