pacl update

By JEFFREY CHARLES D'ANGELO on August 2, 2010 7:13 AM | 1 Comment | 0 TrackBacks

This morning, the PASS Access Control List (pacl) program, which is the permissions program used by PASS Explorer, was altered to implement the following policy:

  • For each Access Control Entry (ACE) in the NFSv4 level ACL:
    • Set the Read Named Attributes permission to match the Read File permission for files or the List Folder permission for folders.
    • Set the Write Named Attributes permission to match the Write File permission for files or the inclusive OR of ( Add File OR Add Subfolder ) permission on folders.
  • Perform this change on every ALLOW ACE in an ACL during any other change to the ACL. DENY ACEs are ignored.
  • A new -correct switch has been added to force this behavior in lieu of other changes.

The reasoning for this includes:

  • The Read Named Attributes and Write Named Attributes permissions are not used by GPFS (thus not used by PASS) to alter the behavior of access control. They can be stored and retrieved later. Previously, they were always left off (cleared).
  • Some clients, in particular Windows 7, check this permission and alter their behavior based on the setting. When attempting to copy a folder from PASS to a local Windows 7 folder, and Read Named Attributes is not granted, a "Folder Access Denied" message appears. Other platforms including Macintosh, Linux and other versions of Windows (except Windows Server 2008r2) do not see this same behavior. Copying individual files or copying a folder in the reverse direction do not meet this issue. When Read Named Attributes are set on the folder, copying a folder from PASS to the local computer do not hit this problem.

In addition, other fixes went in this morning, including:

  • Listing folder permissions will now correctly identify when new files created in the folder will have execute permission.

Penn State full time faculty and staff may read the full technical details of this update on: https://wikispaces.psu.edu/display/PASS/pacl+changes+2010-08.

Our group may proactively correct ACLs in users' spaces prior to the Fall semester to avoid further complications from the copy-folder-from-PASS issue on Windows 7.

Tags:

No TrackBacks

TrackBack URL: https://blogs.psu.edu/mt4/mt-tb.cgi/169146

1 Comment

Author Profile Page JEFFREY CHARLES D'ANGELO | August 25, 2010 10:14 PM | Reply

All ACLs in individual user and group (dept, etc.) spaces in PASS have been updated by last Friday before the semester, August 20.

Leave a comment

Search This Blog

Full Text  Tag

Recent Entries

pacl update
This morning, the PASS Access Control List (pacl) program, which is the permissions program used by PASS Explorer, was altered…
By JEFFREY CHARLES D'ANGELO | Comments (1)
Configuration Change to PASS CIFS Gateways Scheduled for Maintenance Window - 07/15/2010
2 configuration changes due for this Thursday: Address issue with Windows 7 and Windows Server 2008 R2 clients mapping…
By JEFFREY CHARLES D'ANGELO | Comments (0)
Kerberos encryption types augmented
On Wednesday, January 6, 2010, we augmented the list of encryption types supported by the Access Account realm, dce.psu.edu, to…
By JEFFREY CHARLES D'ANGELO | Comments (0)