
How can I use fsecurity apply on a NetApp filer to reset NTFS permissions? (ONTAP 7-MODE)


I have a NetApp filer, with a CIFS export. The permissions have been locked down on it, to a point where it's no longer accessible. I need to reset the permissions on this - I've figured out I can probably do this by changing the qtree to Unix security mode and back again (provided I'm prepared to unexport the share temporarily).

However, I think I should be able to use the fsecurity command to do this. There's just one problem - the manpage example refers to 'applying ACLs from a config file': https://library.netapp.com/ecmdocs/ECMP1196890/html/man1/na_fsecurity_apply.1.html

But what it doesn't do, is give me an example of what a 'security definition file' actually looks like.

Is anyone able to give me an example? Resetting a directory structure to Everyone/Full Control is sufficient for my needs, as re-applying permissions isn't a problem.


Solution

  • Create a conf file containing the following:

    cb56f6f4
    1,0,"/vol/vol_name/qtree_name/subdir",0,"D:P(A;CIOI;0x1f01ff;;;Everyone)"
    

    Save it on your filer somewhere (example in manpage is /etc/security.conf).

    Run:

    fsecurity show /vol/vol_name/qtree_name/subdir
    fsecurity apply /etc/security.conf
    fsecurity show /vol/vol_name/qtree_name/subdir
    

    This will set Everyone / Full Control: inheritable. Which is a massive security hole, so you should now IMMEDIATELY go and fix the permissions on that directory structure to something a little more sensible.

    You can create more detailed ACLs using the 'secedit' utility, available from NetApp's support site. But this one did what I needed it to.
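
An added example, not part of the original answer or of NetApp's tooling: a Python check that reads a security definition file in the layout shown above and lists the paths where an allow ACE gives Everyone full control, so a leftover reset entry is caught before the file is applied again. The field positions (third field is the path, last field is the SDDL string) are inferred from the answer's single job line, and matching the SDDL alias `WD` and SID `S-1-1-0` alongside the name `Everyone` is an assumption.

```python
import csv
import re

FULL_CONTROL = 0x1F01FF                    # FILE_ALL_ACCESS, the mask in the answer
EVERYONE = {"everyone", "wd", "s-1-1-0"}   # account name, SDDL alias, SID (assumed)

# Constructed sample: first job line is the one from the answer, second is made up.
SAMPLE = r'''cb56f6f4
1,0,"/vol/vol_name/qtree_name/subdir",0,"D:P(A;CIOI;0x1f01ff;;;Everyone)"
1,0,"/vol/vol_name/qtree_name/other",0,"D:P(A;CIOI;0x1200a9;;;Everyone)(A;CIOI;0x1f01ff;;;EXAMPLE\Admins)"
'''

def parse_dacl(sddl):
    """Return (dacl_flags, aces) for the D: section of an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))+)", sddl)
    if not m:
        return "", []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append({"type": fields[0], "flags": fields[1],
                     "rights": fields[2], "trustee": fields[5]})
    return m.group(1), aces

def grants_full_control(rights):
    """True for a numeric mask covering FULL_CONTROL or the FA/GA aliases."""
    try:
        return (int(rights, 0) & FULL_CONTROL) == FULL_CONTROL
    except ValueError:
        return bool({rights[i:i + 2] for i in range(0, len(rights), 2)} & {"FA", "GA"})

def audit(text):
    """List allow ACEs that give Everyone full control in a definition file."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != "cb56f6f4":
        raise ValueError("signature line cb56f6f4 missing")
    findings = []
    for row in csv.reader(lines[1:]):
        path, sddl = row[2], row[-1]       # assumed layout: 3rd field path, last SDDL
        dacl_flags, aces = parse_dacl(sddl)
        for ace in aces:
            if (ace["type"] == "A" and ace["trustee"].lower() in EVERYONE
                    and grants_full_control(ace["rights"])):
                findings.append({"path": path, "protected": "P" in dacl_flags,
                                 "inheritable": bool(re.search("CI|OI", ace["flags"]))})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the sample it reports only the `subdir` entry; the read-and-execute ACE for Everyone and the full-control ACE for the named group on the second line are not flagged.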