From owner-freebsd-questions@FreeBSD.ORG Thu Feb 21 21:59:49 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D2B6016A403 for ; Thu, 21 Feb 2008 21:59:49 +0000 (UTC) (envelope-from fbsd.questions@rachie.is-a-geek.net) Received: from snoogles.rachie.is-a-geek.net (rachie.is-a-geek.net [66.230.99.27]) by mx1.freebsd.org (Postfix) with ESMTP id 96AC113C45D for ; Thu, 21 Feb 2008 21:59:49 +0000 (UTC) (envelope-from fbsd.questions@rachie.is-a-geek.net) Received: from localhost (localhost [127.0.0.1]) by snoogles.rachie.is-a-geek.net (Postfix) with ESMTP id 8E6321CC8B for ; Thu, 21 Feb 2008 12:59:48 -0900 (AKST) From: Mel To: freebsd-questions@freebsd.org Date: Thu, 21 Feb 2008 22:59:45 +0100 User-Agent: KMail/1.9.7 References: <47BCC9C6.9050501@gmx.net> <200802212131.16581.fbsd.questions@rachie.is-a-geek.net> <47BDEB9A.80207@gmx.net> In-Reply-To: <47BDEB9A.80207@gmx.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Message-Id: <200802212259.46294.fbsd.questions@rachie.is-a-geek.net> Subject: Re: Mounting FS read-only for specific user (or root) X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Feb 2008 21:59:49 -0000 On Thursday 21 February 2008 22:22:34 Andrew Bradford wrote: > Mel escribi=F3: > > On Thursday 21 February 2008 20:32:37 Andrew Bradford wrote: > >> Erik Norgaard escribi=F3: > >>> I assume the reasoning for this is you want to preserve permissions > >>> and attributes on your backup, so you can't solve this simply by > >>> setting permissions appropriately. > >> > >> Yes, exactly. Users need to be able to see their own backups, and > >> nobody else's. > > > > Isn't this what acl's are for? See setfacl(8). I haven't looked into it > > in great detail but seems to me that if you make a subdir owned by the > > user for each backup root for that user and set the acl to only be > > accessible by user, it should work. > > I can't test it on my system at the moment, but wouldn't acls make the > files writable for general users? The backup filesystem needs to be > mounted read-write for root only, and read-only for general users, yet > maintain ownership and permissions. Yeah, you're right. It applies to files only. Sorry for the noise. However, you can still do it with normal permissions, if the users can't se= e=20 the real directory. So I guess the solution would be to either jail it and= =20 mount it ro with nullfs into the jail and root would use the host system, o= r=20 if it's on a different machine to nfs mount it ro and root would use the nf= s=20 host machine. The jail/nullfs trick I use with a template jail and standard ports that I= =20 don't want the jails to screw with. =2D-=20 Mel