Files, ACL, security

- ext4 ?
- xfs ?


getfacl file1                           # read permissions
setfacl -m u:andy:rw  file1             # -m = modify: give (a secondary user) named andy read/write access to file1
setfacl -m g:admin:rw file1             # g for secondary group, here a group named admin, get rw access
setfacl -x u:andy     file1             # -x = remove permissions

directory can have default acl set so that all files within it will inherit such acl automatically.  use "d" to specify it as default settings.  eg

setfacl -m d:g:admin:rw  dir1


So, not only DOS has attributes for files! Linux does too! It is another layer over what chmod provides! These attributes are supported starting from ext2.
getattr 	/path/to/file			# list file attributes
chattr  =i 	/path/to/file			# change, ie set, file attributes to immutable
sudo chattr -i 	/path/to/file			# only CAP_LINUX_IMMUTABLE user can remove the immutable flag!

        select the new attributes for the files: 
	append only (a), 
	compressed (c), 
	no dump (d), 
	extent format (e), 
	immutable (i), 
	data journalling (j), 
	secure deletion (s), 
	no tail-merging (t), 
	undeletable (u), 
	no atime updates (A),
       	synchronous directory updates (D), 
	synchronous updates (S), 
	top of directory hierarchy (T).

       	The following attributes are read-only, and may be listed by lsattr(1) but not modified by chattr: 
       	huge file (h),  
	compression error (E), 
	indexed directory (I), 
	compression raw access (X), 
	compressed dirty file (Z).


FS on portable drives, eg thumbdrive
or OS install, the mess of UEFI...

parition type      mkfs          linux    win10    mac     notes
---------------    ---------     -------  ------   ------  --------------------
 c: fat32 (LBA)    -t vfat       yes      yes      yes     max file size 4GB
ef: EFI FAT-12
 7: exFAT          -t exfat      no       yes      ?
 7: NTFS           
 7: HPFS
    BIOSboot                                              partition needed in BIOS mode boot for system with UEFI?
    bios...                                               /boot      [debian use xfs]
    efi...                                                /boot/efi  strictly FAT here

SystemD, NetworkManager

SystemD has a ProtectHome clause, which NetworkManager set to read-only.
This results in /home cannot be renamed or deleted, as it will result in "Device or resource busy"
lsof, fuser don't report any process actually hogging /home?

grep -r  ProtectHome /usr/lib/systemd  

also see ProtectSystem=true


# cmd.mount.ref
# this file will contain all commands in relation to filesystem manipulations.
# eg mount, fsck, etc.

# some originally from cmd.admin.ref
# need to do some clean up and splitting...

amq			show currently automounted drv (from amd suit)
mount		show mouted partitions (root mount new ones too)

mount	-t nfs server:/path	/mnt/point		#linux
mount 	-F nfs server:/path	/mnt/point		#solaris

mount 	-o remount,suid 	/mnt/point		# "remount" a fs, so as to set new mount options
							# should be able to remount ro fs as rw


/etc/dfs/dfstab		Solaris, eg:

share -F nfs -o ro -d "tin-sun /mnt/cdrom" /mnt/cdrom
share -F nfs -o ro -d "tin-sun vold /cdrom" /cdrom/cdrom0
#share -F nfs -o ro -d "tin-sun vold /cdrom" /cdrom/sol_10_305_sparc      # don't work for OS cd
share -F nfs -o ro -d "tin-sun vold /cdrom s0" /cdrom/sol_10_305_sparc/s0 # need to export each slide separately
share -F nfs -o ro -d "tin-sun vold /cdrom s1" /cdrom/sol_10_305_sparc/s1 # as they are mounted separately.

solaris :
mount -F  servername:/exportName  /mount/point
	 in solaris
	cdrom 	: hsfs	/dev/rdsk/c0t6d0s0 /cdrom
	dos   	: pcfs

If not using vold to manage cdrom, add entry like this to the vfstab:
/dev/dsk/c0t6d0s0       -     /mnt/cdrom    hsfs    -       no      -

showmount -e 		: display the devices shared by a remote host that can be mounted

showmount -a			: list remote system that has mounted a export

solaris loopback fs, sample entry in vfstab, as per man page on mount:

	/export/test - /opt/test lofs - yes -

removable media management - vold

/etc/init.d/volmgt start|stop
in sol up to 9, vold is very buggy, and tend to cause problem, 
especially after hitting eject button on cdrom drive w/o using soft "eject cdrom"
if it goes bad, stop,start don't seems to help.  need reboot.
in sol 10, seems to be better, at least volmgt stop,start clear things up.

usb devices:
sol 10 handles usb dev mounting pretty good.
mounting them correctly and showing icon on desktop.
Files can be access in /rmdisk/...
- usb floppy drive from apple
- usb cd/dvd/burner from iomega
- usb memory storage (lexar jumpdrive)

usb devices are hot plug detected by kernel since solaris (8?).
usb hard drive should work since solaris 8.
see gmail ref for more info.
/dev/usb/... is driver, and sym link created into /dev/[r]dsk/
though somehow format did not see the disk.

other vold paths:
/vol/...  (/vol/dev/[r]dsk, /vol/dsk, ...)
some maybe used as raw path for floppy dd when vold is running.

linux :

mount -t vfat -o loop=/dev/loop0 /tmp/floppy.dd.img /mnt/loopbackmount
	: use loopback to mount a dd-ed image of a dos floppy, fully writable.

mount -t iso9660 -o loop,ro /tmp/cdrom.dd.img /mnt/loopbackmount
	: same as above, mounting imaged created from cdrom
	# NFS export cannot see loopback devices (at least in linux, solaris)
	# and loopback from a file based off NFS won't work either
	# Typically, supports only 8 loopback "devices" unless edit loop.c and recompile kernel

dd if=/dev/cdrom of=/tmp/cdrom.dd.img  : create dd image out of cdrom, using raw dev.

smbmount -V
mount -t smbfs -o username=tin,password=foobar //n2k/c$ /mnt/n2k/c$	(trying in rh7.1 jaba)
mount -t smbfs -o 'username=administrator,password=bar,workgroup=ntdom2' // /mnt/smbfs

fuser 	: which user holding up what file, useful when mounting, etc
fuser -cu	: -cu show user and resolved user name using a particular mount point

mount -t   ... 
	cdrom is iso9660

Making ext2 floppy
	fdisk /dev/fd0
		create primarty partition of type Linux (ext2)
	mke2fs /dev/fd0
	mount -t ext2 /dev/fd0 /mnt/floppy 
	or mount /mnt/floppy (auto determine fs type should work).

linux sample /etc/fstab:

/dev/hda1               /                       ext2    defaults        1 1
/dev/cdrom              /mnt/cdrom              iso9660 noauto,owner,ro 0 0
/dev/hda6               /var                    ext2    defaults        1 2
/dev/hda7               /work                   ext2    defaults        1 2
/dev/fd0                /mnt/floppy             auto    noauto,owner    0 0
none                    /proc                   proc    defaults        0 0
none                    /dev/pts                devpts  gid=5,mode=620  0 0
/dev/hda5               swap                    swap    defaults        0 0
  # external mounts
//$         /mnt/tin-nt/c$          smbfs   noauto,username=tin 0 0         /mnt/test               nfs     noauto          1 1
#/tmp/diag.floppy.dd    /mnt/loopbackmount      vfat    user,exec,noauto,loop=/dev/loop0     
/tmp/diag.ext2.dd       /mnt/loopbackmount      ext2    user,exec,noauto,loop=/dev/loop0,ro
/img/rhel-3-cd1.iso     /mnt/rhel-3-cd1         iso9660 loop,ro		# cd iso img from rhn ftp

  #  mount option user will default to noexec
  #  sometime loopback mount will complain with strange message if image is not on a local fs

linux sample /etc/exports:
# Either use 
# (1) space delimit multiple machines of the same export dir
# each machine options must be given immediately, 
# colon (or comma) CANNOT be used to group multiple machines with same option as in Solaris 
# (2) each machine has its own line, with mount point repeated.
# Then run exportfs -a to export everything 
# (eg 1)
/mnt/usbdrv tin-sun(rw,no_root_squash,async) chong-sun(rw,no_root_squash,async) 
# (eg 2)
/export  tin-sun(rw,no_root_squash,sync)
/export  chong-sun(rw,no_root_squash,sync)
/export2 *,async)

# be very careful about NOT to have a space after hostname.
# tin-sun (rw) 
# would mean tin-sun has default option
# and all hosts (*) would have (rw) !!

# other export options
# eg
# all_squash means everyone will get remapped, in this case to UID=0, GID=0.  but could be mapped to other UID...

### smb.conf and related stuff

security = domain, 
then use
smbpasswd -j ntdom1 -r '' -UAdministrator%password

USB hard drive on linux.
Hot plug ok.
Tested on RH AS 3.0 (ges-dfm).
Typically made available as /dev/sda1.


doc found by peter, fwd by emily about basic of cifs file operation.

cifs		common internet file system
			used by windows, and also has stuff like network browsing,
			print services, authentication (NT).  aka smb
			Commonly a layer 7/6 (app/presentation) protocol, and usually 
			run over NTB.

smb			server message block

samba		unix open source implementation of some of cifs.

NTB			NetBIOS over TCP
NetBEUI		NetBIOS Enhanced User Interface (NetBios + precursor of CIFS)

SNIA	Storage Network Industry Association
		Coming up with CIFS 1.0 protocol w/ IETF.
		Subset of current M$ CIFS, try to document it better, 
		and maintain for future.

WINS	M$ refer this as the NetBIOS name server implementation.
		Same function of DNS, but implemented totally differently.
		Use lot of broadcast! 
		Run over NetBIOS (on top of whatever network protocol).

Linux fstab eg

/dev/VolGroup00/LogVol00 /                       ext3    defaults        1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
none                    /dev/pts                devpts  gid=5,mode=620  0 0
none                    /dev/shm                tmpfs   defaults        0 0
none                    /proc                   proc    defaults        0 0
none                    /sys                    sysfs   defaults        0 0
/dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0

/dev/emcpowerc          /mnt/emcpowerc          ext3    defaults        0 0
nfsserver:/unixhome       /nfshome              nfs    rw,soft,intr,tcp,rsize=32768,wsize=32768,vers=3,timeo=4,retrans=9 0 0	# cambridge eg
nfsserver:/unixhome       /nfshome              nfs bg,rw,hard,intr,udp,rsize=32768,wsize=32768,vers=3,timeo=4,retrans=9 0 0
agami01:/export/agami  /nfsbackup/agami         nfs    rw,nfsvers=3,rsize=32768,wsize=32768,tcp,intr,soft			# RHEL 4.5

/net/pollo/local/LINUX/SUSE/SUSE-10.0-CD-i386-GM-CD1.iso       /mnt/loopback/SUSE-10.0-CD-i386-GM-CD1   iso9660 loop,ro,noauto
/export/repo/iso/RHEL4-U5-i386-WS-disc1.iso     /mnt/loopback/RHEL4-U5-i386-WS-disc1    iso9660 loop,ro,noauto

## mount ordering number at the end doesn't seems to matter anymore
## systemd for ordering sequence of mounts
## ref:

ml4hep1:/global/home/users /global/home/users nfs  rw,bg,soft,intr,_netdev  0 1
/global/home/users         /home              none _netdev,bind,-systemd.requires-mounts-for=/global/home/users  0 2

Solaris vfstab eg

#device         device          mount           FS      fsck    mount   mount
#to mount       to fsck         point           type    pass    at boot options
fd      -       /dev/fd fd      -       no      -
/proc   -       /proc   proc    -       no      -
/dev/md/dsk/d10 /dev/md/rdsk/d10        /       ufs     1       no      logging
/dev/md/dsk/d20 -       	-       swap    -       no      logging
swap    -       /tmp    tmpfs   -       yes     -
nfsserver:/unixhome                          -  /nfshome    nfs 2 yes rw,vers=3,rsize=32768,wsize=32768,proto=tcp,intr,soft



  • Sync write persistence
  • Distributed file locking
    * Stateful (!) personality
        - Not same kind of statefulness as CIFS
        - session is at app layer, not TCP layer.
        - locks state are in controller memory, not persistent.  Client can re-check on lock and ensure no disruption during HA event.
    * UDP no longer supported
    * GSS-API: Generic Security Services API (RPCSEC_GSS)
        - Kerberos
        - LIPPKEY - Low Infrastructure Public Key Mechanism
        - Simple PUblic Key Mechanism (SPKM-3)
    * Kerberos 5
        - Symetric key
        - Encrypted tickets and sesions keys from KDC
        - Unix use MIT
        - Windows use 2008R2 AD
        - Support for Kerberos attribute is REQUIRED on client and server, 
          but run time can opt to leave this blank;
          whence Kerberos is not a must to have NFSv4 client talkign to NFSv4 server.
    * ACL is much closer and interoperable with CIFS
        - based on NTFS model
        - array of ACE (Access Control Entries)
        - support allowed and denied permissions, flags
        - UID/GID are string based (eg user@domain) instead of 32-bit integers used in NFSv3.  (!!)
            + vserver nfs show -vserver nas1 -fields v4-numeric-ids : 
              make netapp respond with numeric UID for client that cannot understand string, 
              this would generally make things easier (eg for transition period)  [TR-4072 page 46]
        - NFSv4 ACL, no support for POSIX ACL (migration from 3rd party must manually set NFSv4 ACL) 
        - nfs4_setfacl -e 
    nfs4_getfacl /home/als/physbase/hlc/General/
    * At least on netapp OnTap 9.x
        - traditional bits permisisons seems to be kept in parallel to NFSv4 ACL on the file object 
        - chmod in NFSv3 by default will change NFSv4 ACL, unless such trigger is set not to happen
    * Pseudo FS (in dedicated namespace)
        - entry point at /
        - junction path
    * Client need /etc/idmapd.conf
        - if not set, use `domainname`

    NFSv4 ref


    samba 3 uses NT domain logins to serve account information, and
    samba 4 is compatible with active directory.

    samba 2 use smbpasswd. samba 3 use pdbedit (and no more smbpasswd?)
    samba 2.x
    smbpasswd -j  -r  -Uuser%password
    run winbindd
    then start samba.
    nmblookup -U  -R 
    samba 3.0 use  the "net" command:
    net [method] [-d dbgLevelNum] join member -Uadministrator%password -S tileg-bdc1
    	member = add host as member host (not as pdc/bdc)
    	-S = target (window) server to use 
    	[method] can be blank, it will auto detect
    		 ads = XP  style
    		 rpc = nt4 style
    		 ads = win95 style ?
    	-d 0-10	specify debug level info (spill to console), 0=none, 5=a lot, 10=unreadable.  Try 3. 
    net testjoin
    	check whether domain participation is still valid
    	# no longer avail???
    net help 
    	show help
    strace -o /tmp/output smbpasswd ...
    to see what file it opens, has tendendy to open wrong smb.conf
    wbinfo -u
    list all doamin user
    bin/testparm lib/smb.conf
    	check that smb.conf is correct.
    smbclient  // -W ntdom1 -Uadministrator%password
    	ftp like client to connect to nt-style share
    smbclient -L -N
    	list shares available from the given server
     	-N = force no ask password
    update 2004/06/23, for samba 3.0, in tileg/hybridauto
    config procedure
    create /usr/local/samba/lib/smb.conf file (see eg here for core elements).
    bin/testparm lib/smb.conf
    add member host in PDC via server manager.
    net join -Uadmin -S PDC-server		# for security=server
    sbin/smbd -D -s lib/smb.conf
    	# parameters are really default, but just in case samba have its own mind.
    sbin/smbd --version	
    	# show version
    If using security=user, then may need to use smbpasswd -a to add user 
    Although it seems to authenticate via NIS if no smbpasswd entry.
    quick and dirty config w/o domain fuss,
    in smb.conf, set to use user level security mode (ie local list of samba user) :
       security = user
    add users to smbpasswd file as (user must be recognized os level user):
    smbpasswd -a USERNAME
    change existing user password:
    smbpasswd USERNAME 	
    Samba 3 use pdbedit.
    pdbedit -L -v 		# list samba users, verbose
    			# samba local db stored in /var/lib/samba/private/private.tdb
    location specified by smb.conf, typically /usr/local/samba/var
    log.IP		= NetBIOS ip to name resolution log, per each client machine connecting to the server.
    log.HOSTNAME	= smbd log for each connecting client after netbios name resolution.
    log.nmbd	= nmbd server process/status log
    log.smbd	= smbd server process/status log.  level determined by smb.conf


    ; Wcry-like exploit
    ; security fix as per
    nt pipe support = no
    # log level = 3 passdb:5 auth:10 winbind:2
    # log level = 0 (default)
    log level = 2
    # workgroup = NT-Domain-Name or Workgroup-Name, eg: REDHAT4
       workgroup = TILEG	# NT4
    # Security mode. Defines in which mode Samba will operate. Possible
    # values are share, user, server, domain and ads. Most people will want
    # user level security. See the HOWTO Collection for details.
       #security = user		# user = local passwd/smbpasswd file
       security = server		# need to join machine to nt domain
       #security = domain		# probably never used this.
    # whether to use encrypted password
    #encrypt passwords = yes        # default = yes
    #encrypt passwords = no
       load printers = yes
       log file = /usr/local/samba/var/log.%m
        password server = tileg-bdc1
    	# this was needed as somehow my machine could not determin
    	# who was PDC, probably no broadcast on this vlan.
       wins support = no
       wins server =
    	# set it so that samba is not wins server, 
    	# and have it use wins on BRIO-BDC1
    	# otherwise, lot of browse by \\hostname will get bad
    	# unresolvable hostname :(
       socket options = TCP_NODELAY
       dns proxy = no
    #============================ Share Definitions ==============================
    ### custom settings here
       comment = test dir
       browsable = yes
       read only = no
       create mode = 755
       path = /export/tmp/test
       user = tho
    #============================ Share Definitions ==============================
    ### this and other were smb.conf.default settings.
       comment = Home Directories
       browseable = no
       writable = yes

    username mapping

    in smb.conf, there is a clause like
            username map = /etc/samba/smbusers
    which by default is
    root=administrator admin
    nobody=guest pcguest smbg
    This file can be updated to map user whose login name differ between unix and windows.

    SID to UID/GID mapping

    the ID numbers is what the computer use. winbind has to provide unix UID/GID numbers. If a username is not resolvable to unix UID number, it will generate a number and use it. The number generated is in a range defined in smb.conf. This number is stored in "idmap" and there is a "net idmap" command to do dump and restore (edit is by hand edit this file and reimport?).
    pdbedit is the samba user database. User of samba need to have account added here. The UID number assigned here may differ from what winbind (wbinfo) may return. OS calls such as getent and id would honor the UID# assigned in pdbedit (when winbind is used in nsswitch.conf).
    Not sure what order of precedence wbinfo works on. It does "do the right thing" in that id would look at places where one can manipulate UID# using pdbedit (?)
    pdbedit — manage the SAM database (Database of Samba Users)
            pdbedit entry can overwrite UID# winbindd returns
            getent passwd USERNAME  will return UID# specified in pdbedit (nsswitch.conf passwd use "files winbind")
    pdbedit -L -w -d0       # -L = list all entries (ie a dump).
                            # -w = smbpasswd format
                            # -d0= debug level 0 (may still get warning messages in output)
    pdbedit --modify
    pdbedit -a sn           # add user sn.  user must exist as unix (passwd) or windows (AD) user.
    pdbedit -x -u sn        # deleting a user that has a uid randomly assigned
                            # and readding it after it exist in passwd
                            # may set it to have the right UID#
    wbinfo  # query winbind for info
    wbinfo -u | wc          # list all --domain-users
    wbinfo -n ateran                                        # --name-to-sid
    wbinfo --user-sidinfo SID                               # return passwd-like string with UID# for a given SID
    wbinfo -S S-1-5-21-1224182940-43089146-691797619-2275   # --sid-to-uid    eg: 781 
    wbinfo -s S-1-5-21-1224182940-43089146-691797619-4805   # --sid-to-name
    wbinfo --sid-to-fullname SID    			# conver to DOMAIN\username
    wbinfo --user-sids SID          			# list group SID   a given SID belongs to
    wbinfo --user-domgroups  SID    			# list domaingroup a given SID belongs to
    wbinfo --sid-aliases S-1-5-21-1224182940-43089146-691797619-2275  # sid has aliases!!
    wbinfo -i bofh          # login to uid#
    wbinfo -r bofh          # get unix secondary gid for named user
    wbinfo --uid-info 781   # return passwd-like string for given uid#
    ref: samba doc on wbinfo


    winbindd perform SID to UID# mapping. info stored in a db.
    ref: NAME AND ID RESOLUTION section of winbindd samba doc
    UID# are often generated for user w/o unix passwd entry. Thus, if have multiple machine running winbindd, would be good to setup cronjob to keep the winbid db in sync (idmap)
    net cache flush
    idmap does mapping between SID and UID#/GID#. When the file is dumped, it can be (carefully) edited and (re)-imported (by different hosts).
    # syncing IDs between different winbind machines
    net idmap dump    /var/lib/samba/winbindd_idmap.tdb > dumpfile.txt
    net idmap restore /var/lib/samba/winbindd_idmap.tdb < dumpfile.txt
    net idmap dump winbindd_idmap.tdb > /dev/null 2>&1 | ssh 'net idmap restore' > /dev/null 2>&1
    ref: Samba3 :: Chapter 12. Remote and Local Management: The Net Command :: Managing IDMAP UID/SID Mappings (at the end)
    wbinfo -m               # list --trusted-domains
    wbinfo --own-domain     # what domain this smb server is on
    wbinfo -p               # --ping winbindd to ensure connection still good
    wbinfo -P               # --ping-dc       to ensure connection still good
    wbinfo -t               # --check-secret  of workstation to AD still good
    			# ie determine if secret used to join ntdomain is still good (security=server)

    net cmd

    To interact with AD, the DOS net commands are available.
    net rpc info
    the net idmap command operates locally and is covered in the UID to SID mapping section above

    [Doc URL:]
    (cc) Tin Ho. See main page for copyright info.